NIST Cloud Computing Security Reference Architecture
NIST Cloud Computing Security Reference Architecture
NIST Special Publication 500-299
Authors
Waverley Labs’ Juanita Koilpillai is a contributing member of the NIST Cloud Computing Security Working Group (NCC SWG).
Abstract
The National Institute of Standards and Technology (NIST), along with other agencies, was tasked by the U.S. Chief Information Officer with specific activities aimed at accelerating the adoption of cloud computing. These include the delivery of a US Government Cloud Computing Technology Roadmap and the creation of other NIST Special Publications (NIST SPs) that address the definitions, security aspects, and reference architecture of Cloud Computing.
This document was developed as part of a collective effort by the NIST Cloud Computing Public Security Working Group in response to the priority action plans for the early USG cloud computing adoption identified in NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume 1, High-Priority Requirements to Further USG Agency Cloud Computing Adoption. NIST SP 500-293 highlights concerns around the protection and control of cloud Consumer data.
This document introduces the NIST Cloud Computing Security Reference Architecture (NCC-SRA or, for the sake of brevity, SRA), providing a comprehensive formal model to serve as security overlay to the architecture described in NIST SP 500-292: NIST Cloud Computing Reference Architecture.
This document also describes a methodology for applying a Cloud-adapted Risk Management Framework (CRMF) using the formal model and an associated set of Security Components (derived from the capabilities identified in the Cloud Security Alliance’s Trusted Cloud Initiative – Reference Architecture [TCI-RA]) to orchestrate a secure cloud Ecosystem by applying the Risk Management Framework described in NIST SP 800-37 (Rev. 1): Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
The study upon which the NCC-SRA is based collected, aggregated, and validated data for a Public cloud, considering all three cloud service models – Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) – and all cloud Actors (i.e., Consumer, Provider, Broker, Carrier, and Auditor). While this document focuses on a Public cloud deployment model because it best supports illustrative examples of all of the NCC-SRA Security Components and security considerations, the NCC-SRA (the formal model, the set of Security Components and the methodology for applying the CRMF) is agnostic with respect to cloud deployment model, and its methodology can easily be applied to Private, Community, or Hybrid clouds.
The NCC-SRA introduces a risk-based approach to determine each cloud Actor’s responsibility for implementing specific controls throughout the life cycle of the cloud Ecosystem. Specifically, for each instance of the cloud Ecosystem, the security components are analyzed to identify the level of involvement of each cloud Actor in implementing those components. The ultimate objective of this document is to demystify the process of describing, identifying, categorizing, analyzing, and selecting cloud-based services for the cloud Consumer seeking to determine which cloud service offering most effectively addresses their cloud computing requirement(s) and supports their business and mission-critical processes and services in the most secure and efficient manner.
