Use IT network and security professionals to define the cloud

Source: Internet
Author: User
Tags nist 800 csa

This article focuses on a definition of cloud computing tailored to the unique perspective of IT network and security professionals. A small, common set of terms gives a unified classification for describing how cloud architecture affects security architecture. With such a classification, cloud services and architecture can be deconstructed and then mapped to a compensating model of security and operational controls, risk assessment and management frameworks, and the compliance standards they satisfy.

1. What is cloud computing?

Cloud computing (the "cloud") is an evolving term that describes the development of many existing technologies and approaches to computing into something different. The cloud separates application and information resources from the underlying infrastructure and the mechanisms used to deliver them. The cloud enhances collaboration, agility, scaling, and availability, and offers the potential for cost reduction through optimized and more efficient computing.

More specifically, the cloud describes the use of services, applications, information, and infrastructure composed of pools of compute, network, information, and storage resources. These components can be rapidly orchestrated, provisioned, implemented, and decommissioned, and scaled up or down, providing an on-demand, utility-like model of allocation and consumption.


2. What comprises cloud computing?

The National Institute of Standards and Technology (NIST) defines cloud computing by five essential characteristics, three service models, and four deployment models, as shown in Figure 1. Each is described in detail below.

2.1 Essential characteristics of cloud computing

The five essential characteristics of cloud services show how they relate to, and differ from, traditional computing approaches:

• On-demand self-service: a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed, without requiring human interaction with the service provider's staff.

• Broad network access: capabilities are available over the network and accessed through standard mechanisms that support heterogeneous thin or thick client platforms (such as mobile phones, laptops, and PDAs) as well as other traditional or cloud-based software services.

• Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a degree of location independence, in that the consumer generally has no control over or knowledge of the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (such as country, state, province, or data center). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Even private clouds tend to pool resources between different parts of the same organization.

• Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to scale out quickly, and rapidly released to scale in. To the consumer, the capabilities available for provisioning often appear unlimited and can be purchased in any quantity at any time.

• Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (such as storage, processing, bandwidth, or active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer.

It is important to note that although cloud services are often used together with, or built on, virtualization technology, virtualization is not required. Resource abstraction need not be tied to virtualization technologies, and many cloud offerings use neither hypervisors nor operating-system containers. Also note that multi-tenancy is not an essential characteristic in the NIST definition, although it is often discussed as one; see the "Multi-tenancy" section after the cloud deployment models for details.

2.2 Cloud service models

Cloud service delivery is divided into three archetypal models and various derivative combinations. The three fundamental classifications are often referred to as the "SPI" model, where SPI stands for Software, Platform, and Infrastructure (as a service). They are defined as follows:

• Cloud software as a service (SaaS): the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (for example, web-based email). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

• Cloud platform as a service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure applications that the consumer has created or acquired, using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly the configuration of the application hosting environment.

• Cloud infrastructure as a service (IaaS): the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources, on which the consumer can deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control over select networking components (such as host firewalls).

Neither the NIST model nor this document directly addresses the service model definition of a cloud service broker. Cloud service brokers provide intermediation, monitoring, transformation/porting, governance, provisioning, and integration services, and negotiate relationships between consumers and cloud providers.

In short, because innovation drives rapid solution development, consumers and providers of cloud services will enjoy various ways of interacting with cloud services, such as the development of API interfaces; cloud service brokers will therefore become an important part of the overall cloud ecosystem.

Until general, open, and standardized long-term solutions appear, cloud service brokers will abstract the various incompatible capabilities and interfaces and provide consumers with a proxied means of access. A long-term solution would be a semantic capability that allows consumers to smoothly and flexibly make full use of whichever model best meets their specific needs.

It is important to note the many efforts around the development of both open and proprietary APIs for cloud management, security, and interoperability. A few examples of these efforts are the Open Cloud Computing Interface Working Group, the Amazon EC2 API, VMware's vCloud API submitted to the DMTF, Sun's Open Cloud API, Rackspace's API, and GoGrid's API. Open, standard APIs and common container formats, such as the DMTF's Open Virtualization Format (OVF), play a crucial role in cloud portability and interoperability.

Although there are many working groups, draft and published specifications, and standards, there will certainly be some consolidation as market forces, customer demand, and economics interact and pare down the field, eventually reaching a state that is easier for consumers to manage and interoperate with.

2.3 Cloud deployment models

Regardless of the service model used (SaaS, PaaS, or IaaS), there are four deployment models for cloud services, with derivative variations that address specific requirements.

• Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

• Private cloud. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.

• Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party, and may exist on-premises or off-premises.

• Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (for example, cloud bursting for load balancing between clouds).

It is important to note that other derivative deployment models are emerging as the market matures in its consumption of cloud products. An example is the virtual private cloud: use of public cloud infrastructure in a private or semi-private manner, with the public cloud resources usually connected back to resources in the consumer's data center through a virtual private network (VPN).

The architectural mindset used when designing solutions has clear implications for the future flexibility, security, mobility, and collaborative capabilities of the resulting solution. As a general rule, perimeterized solutions are no more effective than de-perimeterized solutions in any of the four deployment models above. Careful consideration should likewise be given to the choice between proprietary and open solutions.

Multi-tenancy

Although not an essential characteristic of cloud computing in the NIST model, the CSA identifies multi-tenancy as an important element of the cloud. In a cloud service model, multi-tenancy means meeting the needs of different customer scenarios for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models. Consumers might use a public cloud provider's offerings, or they might be business units within the same organization that, although not entirely separate businesses, still need to share infrastructure.

From a provider's perspective, multi-tenancy suggests an architectural and design approach that enables economies of scale, availability, management, segmentation, isolation, and operational efficiency by sharing infrastructure, data, metadata, services, and applications across many different consumers.

Multi-tenancy can also take on different definitions depending on the provider's cloud service model, since it may concern implementation details at different levels of infrastructure, data, or applications; the difference between IaaS and SaaS multi-tenant implementations is one example. Multi-tenancy carries different weight in different deployment models. Yet even in a private cloud serving a single organization, there are still third-party consultants and contractors, and an expectation of a high degree of logical separation between business units, so multi-tenancy still needs to be considered.

2.4 Cloud reference model

Understanding the relationships and dependencies between cloud computing models is critical to understanding the security risks of cloud computing. IaaS is the foundation of all cloud services, PaaS builds on IaaS, and SaaS in turn builds on PaaS, as described in the cloud reference model diagram. Following this line of thinking, just as capabilities are inherited, so are information security issues and risks. It is important to note that commercial cloud providers may not neatly fit this model; nevertheless, the reference model is useful for relating real-world services to an architectural framework and for understanding which resources and services require security analysis.

IaaS encompasses the entire infrastructure resource stack, from the facilities to the hardware platforms that reside in them. It includes the capability to abstract resources (or not) and to deliver physical and logical connectivity to those resources. Ultimately, IaaS provides a set of APIs that allow consumers to manage and otherwise interact with the infrastructure.

PaaS sits atop IaaS and adds a layer of integration with application development frameworks, middleware capabilities, and functions such as databases, messaging, and queuing. PaaS allows developers to build applications on the platform, using programming languages and tools that the PaaS supports.

SaaS in turn is built on the underlying IaaS and PaaS stacks. SaaS provides a self-contained operating environment that delivers the entire user experience, including content, presentation, application, and management capabilities. It should therefore be clear that there are significant trade-offs among features, complexity versus openness (extensibility), and security within the three models. Trade-offs between the three cloud service models include:

• Generally, SaaS offers the most integrated functionality built directly into the offering, with the least consumer extensibility and a relatively high level of integrated security (at least the provider bears responsibility for security).

• PaaS lets developers build their own applications on top of the platform, so it tends to be more extensible than SaaS, at the expense of SaaS's customer-ready features. This trade-off extends to security features and capabilities: the built-in capabilities are less complete, but consumers have more flexibility to layer on additional security.

• IaaS provides few, if any, application-like features, but enormous extensibility. This generally means less integrated security capability and functionality beyond protecting the infrastructure itself; the IaaS model requires the consumer to manage and secure operating systems, applications, and content.

A key feature of cloud security architecture is that the lower down the stack the cloud service provider stops, the more security capabilities and management responsibility the consumer must take on. In the case of SaaS, this means that the service levels, security, governance, compliance, and liability expectations of the service and the provider must be clearly defined in the contract. In the case of PaaS or IaaS, it is the responsibility of the consumer's system administrators to manage these matters effectively, with the provider securing the underlying platform and infrastructure components to ensure basic service availability and security; the specifics vary by offering. It should be clear that responsibility can be assigned or transferred, but accountability cannot.

Narrowing the scope or specific capabilities and functionality within each cloud delivery model, or employing the functional coupling of services across them, yields many derivative classifications. For example, "storage as a service" is a specific sub-offering within the IaaS family.

Cloud solutions are constantly evolving. Although a complete survey is beyond the scope of this document, the following OpenCrowd cloud solutions taxonomy provides a very good starting point, illustrating the variety of cloud solutions derived from the deployment models above.

Note that the CSA does not specifically endorse any of the listed solutions; they serve only to illustrate the diversity of cloud solutions on the market today.

To provide a comprehensive view of cloud computing use cases, the Cloud Computing Use Case Group is undertaking a collaborative effort to describe and define common cases and to demonstrate the benefits of the cloud. Its goal is: "... to bring together cloud consumers and cloud vendors to define common use cases for cloud computing ... and highlight the capabilities and requirements that need to be standardized in a cloud environment to ensure interoperability, ease of integration, and portability."

2.5 Cloud security reference model

The cloud security reference model addresses the relationships of these classes and places them in the context of their relevant security controls and concerns. For organizations and individuals grappling with cloud computing for the first time, it is important to note the following to avoid potential pitfalls and confusion:

1. Confusion arises from the frequent conflation of "how cloud services are deployed" with "where cloud services are provided". For example, public or private clouds may be described as external or internal clouds, and such substitutions are not always accurate.

2. The use of cloud services is often described relative to the location of an organization's management or security perimeter (usually defined by the presence of a firewall). Although it is important to understand where security boundaries lie in cloud computing, the notion of a well-demarcated perimeter is an anachronism.

3. The re-perimeterization and erosion of trust boundaries already happening in enterprises is amplified and accelerated by cloud computing. Ubiquitous connectivity, the amorphous nature of information interchange, and the ineffectiveness of traditional static security controls against the dynamic nature of cloud services all require new thinking about cloud computing. The Jericho Forum has produced a considerable amount of material, including many case studies, on the re-perimeterization of enterprise networks. The deployment and consumption models of the cloud cannot be discussed only in terms of "internal" versus "external", since these relate only to the physical location of assets, resources, and information; we also need to discuss who consumes them, who is responsible for governance, and how security and policy standards are complied with.

This is not to suggest that the on-site or off-site location of an asset, resource, or information has no effect on the organization's security and risk posture; it does. But we want to emphasize that risk also depends on:

• The types of assets, resources, and information being managed

• Who manages them and how

• Which controls are selected and how they are integrated

• Compliance issues

For example, a LAMP stack deployed on Amazon AWS EC2 would be classified as a public, off-premises, third-party managed IaaS solution, even if the instances, applications, and data are managed by the consumer or a third party. A custom application stack serving multiple business units, deployed on Eucalyptus under a corporation's control, management, and ownership, could be described as a private, on-premises, self-managed SaaS solution. Both examples make use of the elastic architecture and self-service capabilities of the cloud.

The following table summarizes these key points:

Another way of visualizing the combination of cloud service model, deployment model, physical location of resources, and management and ownership attributes is the Jericho Forum's Cloud Cube Model (www.jerichoforum.org), shown below:

The Cloud Cube Model illustrates the many permutations available in cloud offerings today, and presents four criteria/dimensions for differentiating cloud "formations" from one another and the manner of their provision, in order to understand how cloud computing affects the way security might be approached.

The Cloud Cube Model also highlights the challenges of understanding and mapping cloud models to control frameworks and standards such as ISO/IEC 27002, which provides "a series of guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization".

In section 6.2 of ISO/IEC 27002, the "external parties" control objective states: "... the security of the organization's information and information processing facilities should not be reduced by the introduction of external party products or services ..."

Consequently, the differences in methods and responsibilities for securing the three cloud service models mean that consumers of cloud services face a challenging endeavor. Unless cloud providers are willing to disclose their security controls and the extent to which they are implemented to the consumer, and the consumer knows which controls are needed to maintain the security of their information, there is great potential for misguided decisions and detrimental outcomes.

This is critical. The first step is to classify a cloud service against the cloud architecture model. Next, its security architecture, together with business, regulatory, and other compliance requirements, is mapped against it as a gap-analysis exercise. The output determines the general "security" posture of the service and how it relates to the assurance and protection requirements of an asset.

The figure below gives an example of how a cloud service mapping can be compared against a catalogue of security controls to determine which controls exist and which do not, as provided by the consumer, the cloud service provider, or a third party. This can in turn be compared with a compliance framework or set of requirements such as PCI DSS, as shown.

Once the gap analysis is complete, and in light of the applicable regulatory or other compliance mandates, it becomes much easier to determine what needs to be done to feed into a risk assessment framework; this in turn helps determine how the gaps, and ultimately the risk, should be addressed: accepted, transferred, or mitigated.

It is important to note that using cloud computing as an operational model neither inherently provides for nor prevents compliance. Compliance with any requirement is a direct result of the service and deployment model used and the design, deployment, and management of the resources in scope. The following is a comprehensive summary of control frameworks; it provides a good overview of the general control frameworks mentioned above, including those of the Open Security Architecture Group and the recently updated NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations.

3. What is security for cloud computing?

Security controls in cloud computing are, for the most part, no different from security controls in any other IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions.

A unique feature of cloud computing is the ability to retain accountability while surrendering a degree of control, even when some operational responsibilities fall to one or more third parties.

An organization's security posture is characterized by the maturity, effectiveness, and completeness of the risk-adjusted security controls it implements. These controls can be implemented at one or more layers, ranging from the facilities (physical security), to the network infrastructure (network security), to the IT systems (system security), all the way to the information and applications (application security), with additional controls for people and processes, such as separation of duties and change management.

As described above, the security responsibilities of both provider and consumer differ greatly between cloud service models. Amazon's AWS EC2 infrastructure as a service offering, for example, includes vendor responsibility for security up to the hypervisor: the provider addresses only the physical security, environmental security, and virtualization security controls, while the consumer is responsible for the security controls that relate to the IT system (the instance), including the operating system, applications, and data.

Salesforce.com's customer relationship management (CRM) SaaS offering is the opposite: because the entire "stack" is provided by Salesforce.com, the provider is responsible not only for physical and environmental security but also for the security controls over the infrastructure, applications, and data, which removes much of the operational responsibility from the consumer.

One of the attractions of cloud computing is the cost efficiency afforded by economies of scale, reuse, and standardization. To support this, the services cloud providers offer must be flexible enough to serve the largest possible customer base and market; unfortunately, integrating security into these solutions is often seen as making them more rigid.

This rigidity often shows up in the inability to deploy in the cloud the same security controls used in traditional IT systems, mainly because of the abstraction of the infrastructure, the lack of visibility, and the limited ability to integrate many familiar security controls, especially at the network layer.

The figure below illustrates these issues: in a SaaS environment, the security controls and their scope are negotiated in the service contract, as are service levels, privacy, and compliance. In IaaS, securing the underlying infrastructure and abstraction layers is the provider's responsibility, and the rest falls to the consumer. PaaS lies between the two: the provider secures the platform itself, while securing the applications built on the platform, and developing them securely, is the consumer's responsibility.
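The shared-responsibility split just described, together with the classification and gap-analysis exercise of section 2.5, as an added Python example (not code from the CSA guidance or from any cloud provider; the layer names, control identifiers, and the two sample services are constructed):

```python
# Added example (not CSA or provider code); layer names, control IDs and services are constructed.
from dataclasses import dataclass
from enum import Enum


class ServiceModel(Enum):
    IAAS = "IaaS"
    PAAS = "PaaS"
    SAAS = "SaaS"


# Cloud reference model stack, bottom to top (constructed layer names).
LAYERS = ["facility", "hardware", "network", "virtualization",
          "os", "middleware", "application", "data"]

# Highest layer the provider secures under each service model; every layer
# above it falls to the consumer. IaaS stops at the hypervisor, PaaS at the
# platform (middleware) layer, and SaaS covers the whole stack.
PROVIDER_TOP_LAYER = {
    ServiceModel.IAAS: "virtualization",
    ServiceModel.PAAS: "middleware",
    ServiceModel.SAAS: "data",
}


@dataclass(frozen=True)
class CloudService:
    """The attributes section 2.5 uses to classify a cloud service."""
    name: str
    service_model: ServiceModel
    deployment: str   # public / private / community / hybrid
    location: str     # on-site / off-site
    managed_by: str   # self / third-party
    owned_by: str     # self / third-party

    def classification(self) -> str:
        return (f"{self.deployment}, {self.location}, "
                f"{self.managed_by}-managed {self.service_model.value}")


@dataclass(frozen=True)
class Control:
    control_id: str
    layer: str        # the stack layer this control protects


def responsible_party(model: ServiceModel, layer: str) -> str:
    """Return 'provider' or 'consumer' for a control at `layer` under `model`."""
    top = LAYERS.index(PROVIDER_TOP_LAYER[model])
    return "provider" if LAYERS.index(layer) <= top else "consumer"


def gap_analysis(service: CloudService, required: list[Control],
                 provider_attested: set[str], consumer_implemented: set[str]):
    """List uncovered controls as (control_id, layer, party that owes it).

    A provider-owned control counts as covered only if the provider has
    disclosed it; a consumer-owned one only if the consumer implemented it.
    Responsibility moves with the service model; accountability does not.
    """
    gaps = []
    for ctl in required:
        who = responsible_party(service.service_model, ctl.layer)
        covered = provider_attested if who == "provider" else consumer_implemented
        if ctl.control_id not in covered:
            gaps.append((ctl.control_id, ctl.layer, who))
    return gaps


# Constructed control set; the IDs are placeholders, not PCI DSS numbers.
REQUIRED_CONTROLS = [
    Control("C-01", "facility"),        # restricted physical access
    Control("C-02", "virtualization"),  # patched, tenant-isolated hypervisor
    Control("C-03", "os"),              # hardened and patched guest OS
    Control("C-04", "application"),     # security event logging
    Control("C-05", "data"),            # encryption of stored sensitive data
]

# The two deployments section 2.5 classifies, as constructed sample input.
LAMP_ON_EC2 = CloudService("LAMP stack on EC2", ServiceModel.IAAS,
                           "public", "off-site", "third-party", "third-party")
INTERNAL_APP = CloudService("Eucalyptus-hosted app", ServiceModel.SAAS,
                            "private", "on-site", "self", "self")

if __name__ == "__main__":
    print(LAMP_ON_EC2.classification())  # public, off-site, third-party-managed IaaS
    # Provider attests C-01/C-02; the consumer hardened the OS but has no logging or encryption yet.
    for gap in gap_analysis(LAMP_ON_EC2, REQUIRED_CONTROLS, {"C-01", "C-02"}, {"C-03"}):
        print("gap:", gap)  # C-04 and C-05, both owed by the consumer
```

Running the same gap analysis against INTERNAL_APP shows every control moving to the provider side, which is the SaaS case where the provider's disclosure, not the consumer's implementation, decides coverage.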

Beyond architecture: the areas of critical focus

The twelve other domains that make up the CSA cloud security guidance highlight areas of concern in cloud computing security and are tuned to address both strategic and tactical security "pain points" in a cloud environment; they can be applied to any combination of cloud service and deployment models.

The domains fall into two broad categories: governance and operations. The governance domains are broad and address strategic and policy issues in a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture.

4. Summary

It is critical to understand how architecture, technology, processes, and human capital change, or remain the same, when deploying cloud computing models. Without a clear understanding of the higher-level architectural implications, it is impossible to address the lower-level issues rationally. Together with the twelve other critical domains, this architectural framework gives readers a solid foundation for assessing, operating, managing, and governing security in cloud computing environments.
