This article describes the challenges and solutions for Security Authorization in a cloud based services environment. We describe Compliance as a Service (CaaS) that supports various service models as well as the deployment models in cloud-based environment. This makes the solution elastic, metered and cost effective, all characteristics of a cloud based offering. The CaaS solution addresses the complex Security Certification and Authorization (C&A) needs of Cloud based Systems. The solution should addresses various regulations such as FISMA, HIPAA as well as incorporates Information Assurance (IA) frameworks like the NIST 800-53rev3, DIACAP DODI 8500.2, FedRAMP, CNSS 1253 as well as ISO 27001.
The CaaS solution can be used in private, public, hybrid or a community cloud deployment model. It fully implements the six-step Risk Management Framework (RMF) described in NIST Special Publication (SP) 800-37Rev.1. The CaaS solution can be embedded in the cloud by a Cloud Service Provider (CSP) or used by an Cloud Services Customer (CSC) for private cloud or hybrid cloud-based Systems, to certify and maintain the Security Authorization of the Information System.
Security Certification Scope of Cloud Computing Infrastructure in C&A
“Cloud computing has been defined by NIST as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction. Cloud computing technologies can be implemented in a wide variety of architectures, under different service and deployment models, and can coexist with other technologies and software design approaches. The security challenges cloud computing presents, however, are formidable, especially for public or hybrid clouds whose infrastructure and computational resources are part or fully owned by an outside party that sells those services to the general public.”, NIST-Draft-SP800-144
Security Authorization Challenges in the Cloud
Cloud computing is not a single capability, but a collection of essential characteristics that are manifested through various types of technology deployment and service models. The NIST definition of cloud computing, with three service models; Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) and four deployment models are shown in figure below:
Figure 1: NIST definitions
The decision to embrace cloud-computing technology is primarily a risk-based decision, not a technology based decision for scalability and performance. Though, a CSC may transfer the risk of cloud computing to the CSP, CSC cannot transfer the accountability for maintaining the security of its System. The line of demarcation for the security responsibility is based on the services provided by the provider, e.g. a SaaS provider is responsible for the application and the entire underlying platform and the infrastructure. If the SaaS provider has obtained the underlying platform and the infrastructure as a service, the SaaS provider shall demand and inherit the security and performance SLAs from the PaaS and IaaS service providers.
FISMA mandated Security Certification and Authorization
The Federal Information Security Management Act (FISMA) of 2002 mandates each federal agency to implement a comprehensive information security program for its systems. The security programs mandated by FISMA are intended to identify and quantify threats to assets based on risk analysis as per the requirements of FIPS 199 and FIPS 200. The risk-based approach mandated by FIPS 199, categorizes each system using the key attributes of Confidentiality, Integrity and Availability. The security controls implemented on the assets are then evaluated using various the Information Assurance (IA) control frameworks such as NIST 800-53Rev.3 (mandated by FIPS 200), Federal Risk and Authorization Management Program (FedRAMP) or for DoD Systems DODI 8500.2 (DIACAP). The NIST Risk Management Framework as applied on an Information System is shown in Figure 2:
Figure 2: NIST SP800-37Rev.1 Risk Management Framework (RMF)
The biggest challenge for agencies using cloud-based solution today is to truly understand what it means to conduct C&A on a System where the System boundary and System assets are not static. In Figure 3, the Risk Management Framework (RMF) has been applied on the Information System with three assets. The Asset 1 and Asset 2 are well defined (static), while Asset 3 is a dynamic Cloud-based asset. This combination of assets creates a ‘hybrid’ Information System. As a Cloud based asset, the asset scope for Asset 3, is likely to change based on the performance or business continuity requirements of the client. e.g. scaling of number of Virtual Machines (VMs) or storage units. In such scenarios, how does one define the System boundary for Security Authorization and meet the requirements of Continuous Security Authorization per NIST RMF?
The line of demarcation of security responsibility based on the service model creates additional challenges for the certification process. Though, each CSP is likely to provide certification documentation for their own component, the customer of the Cloud Service has to maintain their own C&A documentation and needs to gather information from each of the underlying CSPs. The CSP provided information is then combined with the Information System specific controls into a comprehensive Certification Package, which is then submitted to the agency DAA for Authorization. All these challenges make the traditional approach to C&A non-workable in Cloud-based Systems.
In the world of tighter budgets, agencies need to automate the C&A process and deploy a solution that can address the needs of traditional systems as well as any form of cloud based systems. The automation solution needs to provide a high degree of scalability, elasticity and measurability based on a usage-based pricing model for cost effectiveness.