cloud computing technologies · 3/24/2014 · 100 bureau drive mailstop 8930. gaithersburg, md usa...
TRANSCRIPT
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1
Dr. Ron RossComputer Security Division
Information Technology Laboratory
Cloud Computing TechnologiesAchieving Greater Trustworthiness and Resilience
Cloud Standards Customer CouncilPublic Sector Cloud Summit
March 24, 2014
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2
We are living in the golden age of information technology.
Ironically, the same information technology that has brought unprecedented innovation and prosperity to millions, has now become a significant vulnerability to nation states, corporate entities, and individuals.
How do we provide for the common defense in the digital age?
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3
Advanced Persistent Threat
An adversary that — Possesses significant levels of expertise / resources. Creates opportunities to achieve its objectives by using
multiple attack vectors (e.g., cyber, physical, deception). Establishes footholds within IT infrastructure of targeted
organizations: To exfiltrate information; To undermine / impede critical aspects of a mission, program, or
organization; and To position itself to carry out these objectives in the future.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4
Classes of VulnerabilitiesA 2013 Defense Science Board Report described— Tier 1: Known vulnerabilities. Tier 2: Unknown vulnerabilities (zero-day exploits). Tier 3: Adversary-created vulnerabilities (APT).
Two-thirds of these vulnerabilityclasses are “off the radar” of
most organizations…
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5
We want to strengthen the underlying information technology infrastructure to achieve stronger,
more resilient information systems—
Reducing the likelihood that cyber attacks will be successful and helping to ensure we can continue to carry out critical federal missions and business operations.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6
Complexity.Ground zero for our current problems…
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7
If we can’t understand it –we can’t protect it…
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8
Cloud Computing – Managing Complexity
Consolidate. Optimize. Standardize.
And the integration of information security requirements…
Reduces the size and complexity of IT infrastructures, promotes good information security and privacy, and can potentially lower costs (significantly) for organizations.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9
With cloud computing, you don’t have to own everything…
It is now possible to reduce the size of our digital footprint…
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10
Cloud computing.Lower cost, more efficient services, better security…
On demand – scalable – dynamic.
Churning the IT infrastructure…
can eliminate malware.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11
What Cloud Gives Us Less complicated IT infrastructure. Less expensive IT infrastructure. More efficient services for consumers. More resilient IT infrastructure. More effective risk-based, information security.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12
One possible cloud approach. Categorize information and systems, separating critical and sensitive
data into domains. Choose best
cloud model.Private Cloud High impact data
Moderate impact data
Low impact dataPublic Cloud
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13
Resilience.The only way to go for critical missions
and information systems…
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14
Dual Protection StrategiesSometimes your information systems will be compromised even when you do everything right…
Boundary ProtectionPrimary Consideration: Penetration resistance.Adversary Location: Outside defensive perimeter.Objective: Repel the attack.
Agile DefensePrimary Consideration: Information system resilience.Adversary Location: Inside defensive perimeter.Objective: Operate while under attack, limit damage, survive.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15
Cloud Can Provide Agile Defense Boundary protection is a necessary but not sufficient
condition for Agile Defense. Examples of Agile Defense measures— Compartmentalization and segregation of critical assets. Targeted allocation of security controls. Virtualization and obfuscation techniques. Encryption of data at rest. Limiting privileges. Routine reconstitution to known secure state.
Bottom Line: Limit damage of hostile attack while operating in a (potentially)degraded or debilitated state…
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16
Cloud Provides Defense-in-Depth
Adversaries attack the weakest link…where is yours?
Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical and personnel security Security assessments and authorization Continuous monitoring Privacy protection
Access control mechanisms Identification & authentication mechanisms
(Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices
(Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards
Links in the Security and Privacy Chain: Security and Privacy Controls
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17
Cloud technologies can bring best practices to systems design and
development.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18
The Federal Cyber Security Strategy…
Build It Right, Continuously Monitor
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19
The Cyber Security Toolset NIST Special Publication 800-39
Managing Information Security Risk:Organization, Mission, and Information System View
NIST Special Publication 800-30Guide for Conducting Risk Assessments
NIST Special Publication 800-37Applying the Risk Management Frameworkto Federal Information Systems
NIST Special Publication 800-53Security and Privacy Controls for FederalInformation Systems and Organizations
NIST Special Publication 800-53AGuide for Assessing the Security Controlsin Federal Information Systems and Organizations
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20
For bridge builders, it's all about physics—Equilibrium, static and dynamic loads, vibrations, and resonance.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21
For information system developers, it's all about mathematics, computer science, architecture, and systems engineering—Trustworthiness, assurance, penetration resistance and resilience.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22
The national imperative for building stronger, more resilient information systems…
Software assurance.Systems and security engineering.
Supply chain risk management.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23
Security should be a by-product of good design and development practices—cloud technologies can help.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24
Getting the attention of the C-Suite.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25
Threat Assets Complexity Integration Trustworthiness
TACIT Security
MERRIAM-WEBSTER DICTIONARYtac.it adjective
: expressed or understoodwithout being directly stated
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26
Threat Develop a better understanding of the modern
threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities. Obtain open source and/or classified threat briefing. Include external and insider threat assessments.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27
Assets Conduct a comprehensive criticality analysis of
organizational assets including information and information systems. Use FIPS Publication 199 for mission/business impact
analysis (triage).
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28
Complexity Reduce the complexity of the information technology
infrastructure including IT component products and information systems. Use enterprise architecture to consolidate, optimize, and
standardize the IT infrastructure. Employ cloud computing architectures to reduce the
number of IT assets that need to be managed.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29
Integration Integrate information security requirements and the
security expertise of individuals into organizational development and management processes. Embed security personnel into enterprise architecture,
systems engineering, SDLC, and acquisition processes. Coordinate security requirements with mission/business
owners; become key stakeholders.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 30
Trustworthiness Invest in more trustworthy and resilient information
systems supporting organizational missions and business functions. Isolate critical assets into separate enclaves. Implement solutions with greater strength of mechanism. Increase developmental and evaluation assurance. Use modular design, layered defenses, component isolation.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 31
Understand the cyber threat space. Conduct a thorough criticality analysis
of organizational assets. Reduce complexity of IT infrastructure. Integrate security requirements into
organizational processes. Invest in trustworthiness and resilience
of IT components and systems.
Summary – TACIT Security
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 32
Cybersecurity is the great challengeof the 21st century.
Cybersecurity problems are hard—not easy.
Cloud technologies can help…
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 33
Be proactive, not reactive when it comes to protecting your organizational assets.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 34
The clock is ticking—the time to act is now.
Failure is not an option…when freedom and economic prosperity are at stake.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 35
Contact Information100 Bureau Drive Mailstop 8930
Gaithersburg, MD USA 20899-8930
Project Leader Administrative SupportDr. Ron Ross Peggy Himes(301) 975-5390 (301) [email protected] [email protected]
Senior Information Security Researchers and Technical SupportPat Toth Kelley Dempsey (301) 975-5140 (301) [email protected] [email protected]
Arnold Johnson Web: csrc.nist.gov/sec-cert(301) 975-3247 [email protected] Comments: [email protected]