NIST Releases Cloud Computing “Security Reference Architecture” (SP 500-299) for Public Comment

The National Institute of Standards and Technology (“NIST”) loves its “Special Publications” the way IRS agents love new tax forms. NIST’s SPs, however, are much more useful, and its latest Special Publication released in draft form for public comment, SP 500-299 “Cloud Computing Security Reference Architecture,” introduces NIST’s Cloud Computing Security Reference Architecture (“SRA”) as the latest piece in NIST’s broader cloud computing review. The SRA provides a “comprehensive formal model to serve as security overlay” to NIST’s earlier cloud “reference” architecture, detailed in yet another NIST SP, namely SP 500-292: Cloud Computing Reference Architecture. NIST is seeking public comments on the draft SRA, due July 12, 2013, per the instructions at NIST’s Cloud Security Twiki page.

Concerns regarding “GRC” matters - governance, risk management and compliance issues - have dogged the cloud landscape since the phrase first hit the common lexicon. As one response, NIST is tasked, pursuant to FISMA, with producing and promulgating federal guidance and standards regarding cloud definitions, security and reference architectures to be adopted by Federal agencies. For the past several years NIST cloud-related working groups, in cooperation with various public and private stakeholders, have done yeoman’s work in developing a reference library of special publications addressing cloud operations, management and security as guidance for federal agencies. (Full disclosure: I’ve taken part in various NIST cloud-related work groups.)

Ok, sounds great. But why care? Simple. This work matters in the end, at least with regard to cloud providers and others both within and without federal agencies, because as of June 6, 2014, federal agencies must utilize only cloud providers assessed and authorized through the Federal Risk and Authorization Management Program (FedRAMP) that have received a FedRAMP Provisional ATO issued by the Joint Authorization Board.

I know what you’re thinking. “What does all this fedspeak mumbo-jumbo mean to me, my company and my cloud services and contracts?” It means that when the rubber hits the road NIST is setting the parameters for federal procurement of cloud services, which in turn means that cloud providers and brokers will, in all likelihood, be hewing to NIST cloud guidance in whole or in part, which then, one level down, means those of us in the private sector will be working off the guidance to specify “best practices” and requirements in our respective cloud services contracts, SLAs and provisions. So, as a matter of self-interest, keeping tabs on what the feds and NIST are saying and doing in the cloud computing space is a wise long-term use of time.

Reference Architectures Everywhere

NIST’s SPs of late have been 200+ page mammoth tomes, and SP 500-299 keeps pace with this trend, weighing in at 204 pages, though the meat of the SRA truly begins on page 51 and in the various important “Annex” attachments. What’s the difference in focus and intent between SP 500-299’s SRA and SP 500-292’s Reference Architecture? The S in SRA says it all: Security. SP 500-299 specifies detailed methodologies for applying a Cloud-adapted Risk Management Framework (aka “CRMF” in NIST-speak) using a “formal model” and an associated set of security controls and components derived from capabilities identified in the Cloud Security Alliance’s own Trusted Cloud Initiative – Reference Architecture (“TCI-RA”).

The differences in cloud methods, services and responsibilities for securing different permutations of cloud service and deployment models present what NIST charitably calls “a significant challenge for consumers who need to perform a thorough risk assessment and accurately identify the security controls necessary to preserve the security level of their environment, operations, and data after migrating to the cloud.” I’ll say. In fact, read that quote again s-l-o-w-l-y.

In connection with NIST’s SP 800-53 (Rev. 4): Security and Privacy Controls for Federal Information Systems and Organizations, the SRA lays out a thorough risk-based approach to determine each cloud party’s responsibility for implementing specific controls throughout the life cycle of a cloud ecosystem. Again, extremely useful stuff, and if there’s any downside to NIST’s Herculean efforts it’s that all its various cloud SPs are effectively meant to be “read together” in an interlocking and cross-referential way, which is no easy feat when you’re faced with a pile of 200+ page guidance docs to digest and apply as a holistic whole.

As always, I recommend a careful, close read of the SRA, but in high-level summary the SRA framework:

  • identifies a core set of Security Components that can be implemented in a Cloud Ecosystem to secure the environment, the operations, and the data migrated to the cloud;
  • provides, for each Cloud Actor, the core set of Security Components that fall under their responsibilities depending on the deployment and service models;
  • defines a security-centric formal architectural model that adds a security layer to the current NIST SP 500-292: NIST Cloud Computing Reference Architecture; and
  • provides several approaches for analyzing the collected and aggregated data.

My summary barely skims the surface of the SRA, and a full analysis would likely weigh in at a good third of the SRA’s own length. But if you have neither the time nor the inclination to wade through the SRA, at the very least print out the Risk Management Framework - Security Life Cycle diagram from page 23 of the SRA and pin it to your bulletin board for quick reference when reviewing a cloud computing services contract and its associated security controls, and when speaking with IT departments to ensure they’ve conducted a full vetting of any provider.

Until the next NIST SP....