NIST Security Recommendations for Cloud

For the better part of two years now cloud computing has drawn significant spotlight for ease of use, lower cost, and overall reduction in resources required by the companies that utilize these services. However, a major concern from the beginning has been how security is applied within the cloud environment and ultimately the capability to meet compliance requirements.

Federal agencies in early 2014 were tasked with migrating applications to a cloud computing environment under the administration’s “Cloud First Initiative”, and the National Institute of Standards and Technology (NIST) is developing security standards and guidelines to enable the cloud transition. All agencies within the Department of Defense (DoD) and the federal civilian agencies receive security directives and guidance from NIST as a common standard for implementing appropriate security and meeting compliance. Commercial entities may also want to reference these documents as a prudent starting point for their security programs, given the quality of the guidance provided in the NIST special publications for cloud security.

Complying with NIST regulatory and security requirements in a cloud world depends heavily on the deployment and service model adopted, the architecture chosen to support the business, and how the resources are deployed and managed. In addition to traditional IT security considerations, organizations should also address cloud-specific characteristics, including:
  • Broad network access
  • Decreased visibility and control by consumers
  • Dynamic system boundaries and mingled responsibilities of consumer and provider
  • Multi-tenancy
  • Data residency
  • Measured service
  • Significant increase in scale, dynamics and complexity of the environment

It’s also worth noting that the architecture covers three primary cloud service models: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). In addition, consideration should be given to the roles of the various participants in the cloud environment: the consumer, provider, broker, carrier and auditor. The level of involvement of each participant in implementing security components should be assessed for each environment.

NIST Security Cloud References

As a useful reference guide, organizations should consider the Cloud Computing Security Reference Architecture, NIST Special Publication 500-299, as it lays out a risk-based approach for establishing responsibilities for implementing the necessary security controls throughout the cloud life cycle.

This security reference architecture draws on and supplements a number of other NIST publications to provide the security needed to speed adoption of cloud computing. In particular, it supplements NIST SP 500-292, Cloud Computing Reference Architecture, and provides “a comprehensive formal model to serve as security overlay to the architecture” in SP 500-292.

The draft publication describes a methodology for applying the Risk Management Framework described in NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, adapted for the cloud. The formal model and security components in the draft are derived from the Cloud Security Alliance’s Trusted Cloud Initiative – Reference Architecture.

We would be happy to answer any questions you have related to how we support cloud initiatives. Please contact us with any questions you may have or check out our service portfolio.