Cloud Computing: NIST, CSA, ITIL, ISO

Per the NIST, cloud computing is defined as a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (NIST, 2011). In cloud computing, securing such a vast amount of data and protecting each of the systems that the cloud service communicates with can be quite the challenge. Thankfully, the NIST, CSA, ITIL, and ISO organizations all assist in increasing security in cloud applications, services, and products.

The National Institute of Standards and Technology (NIST), in 2012, created its first set of guidelines for managing cloud computing’s security and privacy issues. Guidelines on Security and Privacy in Public Cloud Computing (NIST Special Publication 800-144) shares a unique perspective on the various challenges that face cloud computing, including insight on risks, threats, and their proposed solutions. The most interesting aspect of the publication is NIST’s statement regarding differences in how cloud computing is defined; without an accurate description of what the service does, how can one possibly begin to defend it? SP 800-144 provides a complete summary of the differences between cloud computing’s models (deployment and service), outsourcing and accountability issues, as well as threats in the following categories: governance, compliance, trust, architecture, identity and access management, software isolation, data protection, availability, and incident response. NIST’s publication also provides guidelines for securing cloud services, including proper research and planning of solutions, meeting organizational, local, and government security and privacy requirements, and always maintaining accountability for all data and applications.

NIST’s SP 800-146, Cloud Computing Synopsis and Recommendations, provides benefits, guidelines, and recommendations for cloud computing, as well as guidance on securing its many deployment models. Regarding security, NIST recommends minimizing the exposure of browsers and client devices by utilizing security best practices such as password complexity and renewal, patching and updating, and strict policies for hardware and software usage and management. Encryption should be utilized for web sessions and network communications; NIST recommends encryption that is FIPS 140-2 compliant. Furthermore, SP 800-146 suggests enhanced physical security, authentication, and identity and access management procedures and policies.

When comparing NIST’s cloud security management publications to those of the CSA, ITIL, and ISO, each is relatively similar yet has unique recommendations regarding the specific environment in which the cloud services are hosted. While the above-mentioned cloud security management publications are indeed different, their content complements one another. In fact, regarding available IT controls, frameworks, and how they influence cloud governance models, none of the NIST, CSA, ITIL, or ISO material covers everything entirely; because of this, organizations tend to utilize multiple cloud security management systems. CSA utilizes a security standard that covers thirteen domains; this provides organizations with the fundamental security principles that assist cloud vendors and their customers in assessing security risk. ITIL, on the other hand, comes in the form of a best-practice approach, offering thirty-four practices on how to improve internal IT services concerning the cloud. Finally, similar to ITIL’s methodology, ISO uses security standards (a combination of standard and best practice) that cover fourteen domains (ISO 27001); these are used to promote IT governance in cloud computing through checklists and guides.

Today’s organizations require sophisticated, custom cloud security management frameworks for their specific situation. The one-size-fits-all approach simply isn’t always practical. Because each business’s needs, expectations, risks, and potential benefits from cloud adoption differ so widely, utilizing all or parts of the NIST, CSA, ITIL, and ISO cloud security management protocols will be superior to merely using one. This mirrors how cloud deployment models work: often, a combination of private and public cloud usage is ideal, whereas committing to only one may limit the functionality of the cloud’s services. Cloud technology is currently revolutionizing various areas of business operations, leaving those who build, maintain, and secure it frantically trying to stay current with leading tactics and best practices. As the term “best practice” becomes more dated every year, many across the globe are redefining what best practices truly mean. Instead of using a cookie-cutter approach to cloud security, organizations need to revamp the recipe, adding herbs and spices until the right taste, or in this case, security, is achieved.

To help identify each of the NIST, CSA, ITIL, and ISO cloud security management protocols, what they cover, how they help, and how they are implemented, I have included a quick overview of each in the table below.

| Framework | Type | Coverage | Goal | Implementation |
|---|---|---|---|---|
| NIST | Guidelines and recommendations, security standards | Complete coverage using various sub-frameworks | Provides organizations with security and privacy challenges and solutions | Broad view of the entire system |
| CSA | Guidelines and recommendations, security standards | 13 domains | Provides organizations with the fundamental security principles which assist cloud vendors and their customers with assessing security risk | Broad view of the entire system |
| ITIL | Best practice (IT service-based) | 34 processes | Improve internal IT services in relation to the cloud | Easy to implement using guidelines and checklists |
| ISO | Security standard (combination of standard and best practice) using a risk-based approach | ISO 27001: 14 domains | Complete IT governance with cloud computing | Complete overview of all IT-related services which extends to cloud computing |

References

Mell, P. & Grance, T. (2011, September 28). The NIST Definition of Cloud Computing. Retrieved October 19, 2020, from https://csrc.nist.gov/publications/detail/sp/800-145/final

Grance, T. & Jansen, W. (2018, November 10). Guidelines on Security and Privacy in Public Cloud Computing. Retrieved October 19, 2020, from https://www.nist.gov/publications/guidelines-security-and-privacy-public-cloud-computing

CSA. (2011). Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. Retrieved October 19, 2020, from https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf

Gehrmann, M. (2012, August 17). Combining ITIL, COBIT, and ISO/IEC 27002 for Structuring Comprehensive Information Technology for Management in Organizations. Retrieved October 19, 2020, from https://pdfs.semanticscholar.org/2d25/2587574241b29cea014f6129720450433afc.pdf
