NIST outlines cloud security management overlay


Agencies seeking to move services to the cloud retain responsibility for ensuring the security of those services, the National Institute of Standards and Technology says in a draft special publication that proposes a security reference architecture for cloud computing.

The draft architecture (.pdf), released June 11, builds on the NIST cloud reference architecture (.pdf) as an overlay of security components--but not controls from the catalog of security controls that agencies follow from NIST's most widely known special publication, 800-53 (of which NIST released the fourth version earlier this year).

Many of the components in the draft architecture come from the Cloud Security Alliance's Trust Cloud Initiative-Reference Architecture; they address high- and mid-level security needs. For example, a high-level component might be "security monitoring services," broken down into more specific mid-level components such as "database monitoring" and "end-point monitoring."

NIST's intent is to ultimately map the components to specific controls in SP 800-53, said Michaela Iorga, NIST senior security technical lead for cloud computing in a Friday interview.

The working group behind the draft decided the mapping should be a different publication, due to the complexity of the mapping and the fact of the revision process of 800-53, Iorga added.

The FedRAMP cloud overlay of security controls for private sector providers of low- and medium-risk services addresses only a portion of the risk resulting from incorporation of cloud-based services, the draft authors note.

A would-be agency migrant to the cloud remains responsible "for performing a risk-assessment analysis, identifying all the security requirements for their cloud based service(s), and selecting the appropriate security controls before it consults FedRAMP's security repository of authorized cloud suppliers," the draft architecture states.

Per the final cloud computing reference architecture, the draft security architecture reiterates that there exist five actors in the cloud environment: consumers, providers, brokers, carriers and auditors.

Agencies--consumers--must think systematically about security concerns before selecting a cloud solution, Iorga added. "It's something we advise as a lifestyle...As a healthy security lifestyle, you shouldn't bend your requirements, because you remain responsible," she said.

The deadline for comments is July 12.

For more:
- go to a NIST statement on the release of the draft cloud security architecture
- download the draft architecture (.pdf)

Related Articles:
Interoperability, portability standards to advance cloud adoption, raise questions, says Messina
FedRAMP for cloud brokers would be valuable, say panelists
Cloud first is about delivering value, not counting services, says OMB official