March 26, 2015
When Security, Privacy and Forensics Meet in the Cloud
Dr. Michaela Iorga, Senior Security Technical Lead for Cloud Computing; Co-Chair, Cloud Security WG
NIST MISSION: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life
*Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC) in transition to private sector
Privacy Engineering Project
• Standards for Security Categorization of Federal Information and Information Systems (FIPS 199); Feb 2004
• Guide for Mapping Types of Information and Information Systems to Security Categories (SP 800-60 Rev. 1); Aug 2008
• Minimum Security Requirements for Federal Information and Information Systems (FIPS 200); Mar 2006
• Security Considerations in the System Development Life Cycle (SP 800-64 Rev. 2); Oct 2008
• Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (SP 800-37 Rev. 1); Feb 2010
• Managing Information Security Risk: Organization, Mission, and Information System View (SP 800-39); Mar 2011
• Guide for Conducting Risk Assessments (SP 800-30 Rev. 1); Sep 2012
• Security and Privacy Controls for Federal Information Systems and
• Performance Measurement Guide for Information Security (SP 800-55 Rev. 1); Jul 2008
• Contingency Planning Guide for Federal Information Systems (SP 800-34 Rev. 1); May 2010
• Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137); Sep 2011
• Computer Security Incident Handling Guide (SP 800-61 Rev. 2); Aug 2012
• DRAFT Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems (SP 800-160 Draft); May 12, 2014
• DRAFT Supply Chain Risk Management Practices for Federal Information Systems and Organizations SP 800-161 (Second Draft); Jun. 3, 2014
• Cloud-Adapted Risk Management Framework: Guide for Applying the Risk Management Framework to Cloud-based Federal Information Systems (SP 800-173); work in progress
• Security and Privacy Controls for Cloud-based Federal Information Systems (SP 800-174); work in progress
What does Privacy mean to you?
Cybersecurity Information Sharing Act:
“Senator Richard Burr argued that it successfully balanced security and privacy”
“Critics still have two fundamental problems”:
a) “Proposed cybersecurity act won’t boost security;”
b) “‘information sharing’ it [CISA] describes sounds more than ever like a backchannel for surveillance.”
“The bill, as worded, lets a private company share with the Department of Homeland Security any information construed as a cybersecurity threat ‘notwithstanding any other provision of law.’”
NIST research: Challenging Security Requirements for USG Cloud Adoption (whitepaper)
MeriTalk: Why Do We Fear the Clouds? - Searching For an Answer -
1. If I like it, it's mine.
2. If it's in my hand, it's mine.
3. If I can take it from you, it's mine.
4. If I had it a little while ago, it is mine.
5. If it's mine, it must never appear to be yours in any way.
6. If I'm doing or building something, all the pieces are mine.
7. If it looks just like mine, it's mine.
8. If I saw it first, it's mine.
9. If you are playing with something and you put it down, it automatically becomes mine.
10. If it is broken, it's yours.
Trust & Trustworthiness (NIST SP 800-39*)
*NIST SP 800-39: Managing Information Security Risk; Organization, Mission, and Information System View
① Validated Trust. One organization obtains a body of evidence regarding the actions of another organization and uses that evidence to establish a level of trust with the other organization.
② Direct Historical. The track record exhibited by an organization in the past is used to establish a level of trust with other organizations.
③ Mediated Trust. An organization establishes a level of trust with another organization based on assurances provided by some mutually trusted third party.
④ Mandated Trust. An organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority.
⑤ Hybrid Trust. An organization uses one of the previously described models in conjunction with another model(s).
“Trust is an important concept related to risk management. How organizations approach trust influences their behaviors and their internal and external trust relationships. […] The reliance on IS services results in the need for trust
Privacy Engineering Objectives: Predictability, Manageability, Unlinkability (or Obscurity)
• Predictability: Enabling reliable assumptions by individuals and system participants about what personal information is being processed, by whom, and why.
• Manageability: Providing the capability for granular administration of personal information, including alteration, deletion, and selective disclosure.
• Obscurity/Unlinkability: Enabling the processing of personal information or events in an information system without association to individuals beyond the operational requirements of the system.
[Figure: Privacy Risk, a function of the Likelihood of Problematic Data Actions and their Impact; inputs: Personal Information, Context, Data Actions]
AIMING AT MORE THAN WHAT ISO/IEC 27018
Consumer’s Level of Control & SP 800-37 RMF
[Figure: the cloud stack under IaaS, PaaS and SaaS, showing which layers you manage; RMF and Cloud-adapted RMF shown for each service model. Stack image source: Cloud Security Alliance specification, 2009]
Trustworthiness requires visibility into the Provider’s practices and risk/information security decisions in order to understand its risk tolerance. The level of trust can vary, and the accepted risk depends on the established trust relation.
SP 500-299
NIST’s Work – Helps Consumers Deal With an Iceberg Architecture
Risk Management Framework (SP 800-37)
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls (Repeat process as necessary)
Cloud-adapted Risk Management Framework (SP 800-173)
Step 1: Categorize Federal Information System
Step 2: Identify Security Requirements, perform a Risk Assessment & select Security Controls
Step 3: Select best-fitting Cloud Architecture
Step 4: Assess Service Provider(s) & Controls
Step 5: Authorize Use of Service
Step 6: Monitor Service Provider (on-going, near-real-time); Repeat process as necessary
NIST SP 800-173: Cloud-adapted Risk Management Framework
[Figure: CRMF spanning the consumer’s RMF and the provider’s RMF across the cloud stack; stack image source: Cloud Security Alliance specification, 2009]
Cloud-adapted Risk Management Framework –cont.
1. Follows NIST RMF (SP 800-37 Rev1) structure
2. Discusses the impact of cloud computing architecture (deployment model & service type), and cloud characteristics (multi-tenancy, resource-pooling, elasticity, etc.) on “Information System Boundary”.
3. Introduces the “Security Conservation Principle” & “Privacy Conservation Principle”
4. Discusses the notion of TRUST in a cloud ecosystem, and introduces the notion of TRUST BOUNDARY
[Figure: CRMF spanning the consumer’s RMF and the provider’s RMF across the cloud stack; stack image source: Cloud Security Alliance specification, 2009]
Risk Management Framework (SP 800-37 Rev1):
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls (Repeat process as necessary)
Cloud-adapted Risk Management Framework (SP 800-173, draft):
Step 1: Categorize System to be migrated
Step 2: Identify Security Requirements, perform a Risk Assessment & select Security Controls
Step 3: Select best-fitting Cloud Architecture
Step 4: Assess Service Provider(s) & Controls
Step 5: Authorize Use of Service
Step 6: Monitor Service Provider [on-going, near-real-time] (Repeat process as necessary)
Cloud-adapted Risk Management Framework –cont.
Step 1: Categorize Federal Information System
Step 2: Identify Security Requirements, perform a Risk Assessment & select Security Controls deemed necessary.
Step 3: Select best-fitting Cloud Architecture
Step 4: Assess Service Provider(s) & Broker (if applicable)
  - leverage FedRAMP P-ATOs or Agency-ATOs, or assess the controls
  - build necessary TRUST that the residual risk is acceptable
Step 5: Authorize Use of Service
  - negotiate SLAs & Security SLA
Step 6: Monitor Service Provider(s) (on-going, near-real-time); Repeat process as necessary
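Step 4 is where the consumer's RMF and the provider's RMF meet: the consumer must see which of its selected controls the provider attests to (via a P-ATO or Agency-ATO), which it must implement itself, and which nobody has picked up. The following is an added example, not code from the deck or from NIST, of that coverage check. It assumes a FedRAMP-style responsibility matrix that labels each control "provider", "consumer" or "shared"; the control identifiers are SP 800-53 style ids, but every coverage claim below is constructed.

```python
# Added example (not from the NIST deck): a control-coverage gap check for
# CRMF Step 4, "Assess Service Provider(s) & Controls".
# Assumptions, all constructed for illustration: control ids are SP 800-53
# style identifiers (real control ids, invented coverage claims), and the
# provider's responsibility matrix labels each control as "provider",
# "consumer" or "shared", as a FedRAMP-style matrix typically does.
from collections import defaultdict

# Constructed sample: the controls the consumer selected in Step 2.
REQUIRED_CONTROLS = {"AC-2", "AC-17", "AU-2", "AU-6", "IR-4", "SC-7", "SC-12", "CP-9"}

# Constructed sample: what the provider's responsibility matrix claims.
PROVIDER_MATRIX = {
    "AC-2": "shared",
    "AC-17": "consumer",
    "AU-2": "provider",
    "AU-6": "shared",
    "IR-4": "provider",
    "SC-7": "provider",
    "SC-12": "consumer",  # key management pushed to the consumer
    # CP-9 is deliberately absent: the provider is silent on backups
}

# Constructed sample: what the consumer has implemented on its side of the boundary.
CONSUMER_IMPLEMENTED = {"AC-2", "AC-17", "AU-6"}


def assign_responsibility(required, matrix):
    """Split the selected controls by the party the matrix makes responsible.
    Controls the matrix never mentions land in 'unassigned': that is the gap
    between the two RMFs that Step 4 must surface before authorization."""
    by_party = defaultdict(set)
    for cid in required:
        by_party[matrix.get(cid, "unassigned")].add(cid)
    return dict(by_party)


def coverage_gaps(required, matrix, consumer_implemented):
    """Return what is still uncovered: controls the consumer owns or shares but
    has not implemented, plus controls nobody was assigned. Provider-owned
    controls are not verified here; they are what the P-ATO/Agency-ATO attests."""
    split = assign_responsibility(required, matrix)
    consumer_side = split.get("consumer", set()) | split.get("shared", set())
    return {
        "consumer_missing": sorted(consumer_side - consumer_implemented),
        "unassigned": sorted(split.get("unassigned", set())),
        "provider_attested": sorted(split.get("provider", set())),
    }


def residual_risk_acceptable(gaps):
    """Step 5 trust decision in its simplest form: authorize only when no
    selected control is unassigned or missing on the consumer side."""
    return not gaps["consumer_missing"] and not gaps["unassigned"]


if __name__ == "__main__":
    gaps = coverage_gaps(REQUIRED_CONTROLS, PROVIDER_MATRIX, CONSUMER_IMPLEMENTED)
    for key, controls in gaps.items():
        print(f"{key}: {controls}")
    print("authorize use of service:", residual_risk_acceptable(gaps))
```

On the constructed data the check refuses to authorize for two different reasons: SC-12 sits on the consumer side of the boundary but was never implemented, and CP-9 appears in neither party's list, which is exactly the kind of silent gap an ATO inherited from the provider will not cover.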
[Figure label: User-data Boundary]
Distributed Architecture = Split Control & Responsibilities
Security Conservation Principle
[Figure: the cloud ecosystem and cloud environment stack]
• Cloud Clients (Browsers, Mobile Apps, etc.)
• Software as a Service (SaaS) (Applications, Services)
• Platform as a Service (PaaS) (APIs, Pre-built components)
• Infrastructure as a Service (IaaS) (VMs, Load Balancers, DB, etc.)
• Physical Hardware (Servers, Storage, Networking)
Privacy Conservation Principle - Privacy Coin -
What is the difference? User’s Privacy vs. Data Privacy
[Figure label: User-data Boundary]
Privacy Enhanced User & Data Protection
Defense mechanisms:
1. Encryption
   Concerns: Key management
2. Simple anonymization
   Concerns: Deanonymization when auxiliary data is available; limited applicability (statistical datasets).
3. Differentially-privatized data
   Concerns: Limited applicability (statistical datasets); accuracy concerns.
Can differential privacy protect Consumers against “nosey” cloud Providers?
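The two concerns listed for mechanisms 2 and 3 can be made concrete. The block below is an added example, not code from the deck or from NIST: it runs a defender-side check on a "simply anonymized" release (how many rows remain unique on their quasi-identifiers, and the resulting k-anonymity), shows what coarsening the quasi-identifiers buys, and then answers a count query with the Laplace mechanism so the accuracy cost of a given epsilon is visible. All records, ZIP codes, ages and diagnoses are constructed.

```python
# Added example (not from the NIST deck): a defender-side look at defense
# mechanisms 2 and 3 above. All records are constructed; ZIP codes, ages and
# diagnoses are invented. "Simple anonymization" here means direct identifiers
# were dropped; the quasi-identifiers that remain are what auxiliary data links on.
import random
from collections import Counter

RELEASED = [
    {"zip": "20899", "age": 41, "sex": "F", "diagnosis": "asthma"},
    {"zip": "20899", "age": 45, "sex": "F", "diagnosis": "none"},
    {"zip": "20899", "age": 52, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "20877", "age": 41, "sex": "F", "diagnosis": "none"},
    {"zip": "20877", "age": 55, "sex": "M", "diagnosis": "asthma"},
    {"zip": "20877", "age": 58, "sex": "M", "diagnosis": "none"},
]
QUASI_IDS = ("zip", "age", "sex")


def _classes(records, quasi_ids):
    """Equivalence classes: how many records share each quasi-identifier tuple."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def quasi_id_uniqueness(records, quasi_ids=QUASI_IDS):
    """Number of records whose quasi-identifier tuple is unique in the release.
    Each such record is re-identifiable by anyone holding an auxiliary dataset
    (voter roll, directory) that carries the same fields."""
    counts = _classes(records, quasi_ids)
    return sum(1 for r in records if counts[tuple(r[q] for q in quasi_ids)] == 1)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest equivalence-class size; k=1 means some individual stands alone."""
    return min(_classes(records, quasi_ids).values())


def generalize(record):
    """Coarsen quasi-identifiers (3-digit ZIP, 10-year age band): the usual
    anonymization response, which buys larger classes with lost precision."""
    return {**record, "zip": record["zip"][:3] + "**", "age": (record["age"] // 10) * 10}


def _laplace_noise(rng, epsilon):
    """The difference of two Exp(epsilon) draws is exactly Laplace(0, 1/epsilon)."""
    return rng.expovariate(epsilon) - rng.expovariate(epsilon)


def laplace_count(records, predicate, epsilon, seed=None):
    """Epsilon-differentially private count. A counting query has sensitivity 1
    (one person's presence moves it by at most 1), so Laplace noise with scale
    1/epsilon suffices. Smaller epsilon: stronger guarantee, noisier answer."""
    rng = random.Random(seed)
    true_count = sum(1 for r in records if predicate(r))
    return true_count + _laplace_noise(rng, epsilon)


def noisy_count_samples(records, predicate, epsilon, n, seed=0):
    """Repeated releases from one seeded generator, to see the accuracy cost:
    the noise averages to zero, but a single answer is off by about 1/epsilon."""
    rng = random.Random(seed)
    true_count = sum(1 for r in records if predicate(r))
    return [true_count + _laplace_noise(rng, epsilon) for _ in range(n)]


if __name__ == "__main__":
    print("unique rows (raw):", quasi_id_uniqueness(RELEASED), "k =", k_anonymity(RELEASED))
    coarse = [generalize(r) for r in RELEASED]
    print("unique rows (generalized):", quasi_id_uniqueness(coarse), "k =", k_anonymity(coarse))
    asthma = lambda r: r["diagnosis"] == "asthma"
    for eps in (0.1, 1.0, 10.0):
        print(f"asthma count, epsilon={eps}: {laplace_count(RELEASED, asthma, eps, seed=1):.2f}")
```

Two things the slide's concerns refer to show up directly: every raw row is unique on (zip, age, sex), so dropping names protected nobody, and the differentially private answer to "how many asthma cases" is only useful for a statistical question over many rows; with a true count of 2 and epsilon 0.1 the noise swamps the answer, which is the "limited applicability" and "accuracy" point in one number.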
Synthetic Meta-Data
Sharing raw sensitive data beyond the original trusted entity (system owner) introduces the risk of a variety of harms to individuals’ privacy:
• Stigmatization
• Power Imbalance
• Loss of Liberty
• Economic Loss (identity theft)
[NIST Privacy Engineering Objectives]
When Things Go Wrong in the Cloud…
1. Segregation of potential evidence in a multi-tenant system
2. Locating and collecting volatile data
3. Evidence correlation across multiple cloud Providers
4. Malicious code may circumvent virtual machine isolation methods
5. Ease of anonymity and creating false personas online
6. e-Discovery
7. Evidence correlation of multiple copies at different geo-locations
8. Data deletion: a) data is deleted when it is needed for investigations; b) deleted (overwritten) data often reveals information about others
Highest Priority Challenges & Scores
From NIST IR 8006: DRAFT NIST Cloud Computing Forensic Science Challenges
http://csrc.nist.gov/publications/PubsNISTIRs.html
Score  Challenge
10     Confidentiality and PII
9      Root of trust
9      E-discovery
8      Deletion in the cloud
8      Lack of transparency
7      Timestamp synchronization
7      Use of metadata
7      Multiple venues and geolocations
7      Data integrity and evidence preservation
6      Recovering overwritten data
6      Cloud confiscation and resource seizure
6      Potential evidence segregation
6      Secure provenance
6      Data chain of custody
6      Chain of dependencies
6      Locating evidence
6      Locating storage media
6      Evidence identification
6      Dynamic storage
6      Live forensics
6      Resource abstraction
6      Ambiguous trust boundaries
6      Cloud training for investigators
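Several of the scored challenges ("Data integrity and evidence preservation", "Data chain of custody", "Timestamp synchronization") share one underlying need: once evidence has been pulled out of a multi-tenant system, any later change to the evidence or to the record of who handled it must be detectable. The block below is an added example, not code from NIST IR 8006 or from the deck, of a hash-linked, append-only chain-of-custody log that gives that property. The evidence bytes, handler names and timestamps are constructed.

```python
# Added example (not from NIST IR 8006): an append-only, hash-linked
# chain-of-custody log for evidence collected from a cloud tenant. Each entry
# commits to the evidence hash, the custody event and the previous entry's
# hash, so altering any earlier entry or any stored artifact is detectable.
# The evidence bytes, handler names and timestamps below are constructed.
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    """Stable serialization so the same entry always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self):
        self.entries = []

    def record(self, evidence_id, evidence, handler, action, ts=None):
        """Append a custody event. Returns the new entry's hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "evidence_id": evidence_id,
            "evidence_sha256": sha256_hex(evidence),
            "handler": handler,
            "action": action,
            # Timestamp synchronization: always record UTC, never local time.
            "timestamp": ts or datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,
        }
        body["entry_hash"] = sha256_hex(_canonical(body))
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self, evidence_store):
        """Recompute every link and re-hash the stored evidence. Returns the index
        of the first bad entry, or None when the whole chain checks out."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or sha256_hex(_canonical(body)) != e["entry_hash"]:
                return i
            stored = evidence_store.get(e["evidence_id"])
            if stored is None or sha256_hex(stored) != e["evidence_sha256"]:
                return i
            prev = e["entry_hash"]
        return None


def build_demo_log():
    """Constructed walkthrough: two artifacts acquired from one tenant VM, then
    the disk image handed to a second analyst. Timestamps are fixed so the
    result is reproducible."""
    store = {
        "vm-42-disk": b"constructed disk image bytes",
        "vm-42-memory": b"constructed memory capture bytes",
    }
    log = CustodyLog()
    log.record("vm-42-disk", store["vm-42-disk"], "analyst-a",
               "acquired from provider snapshot", ts="2015-03-26T14:00:00+00:00")
    log.record("vm-42-memory", store["vm-42-memory"], "analyst-a",
               "acquired live", ts="2015-03-26T14:05:00+00:00")
    log.record("vm-42-disk", store["vm-42-disk"], "analyst-b",
               "received for analysis", ts="2015-03-26T16:30:00+00:00")
    return log, store


if __name__ == "__main__":
    log, store = build_demo_log()
    print("chain intact:", log.verify(store) is None)
    store["vm-42-memory"] = b"altered after acquisition"
    print("first bad entry after tampering with evidence:", log.verify(store))
```

The log on its own does not stop a provider or an insider from altering evidence; it makes the alteration visible at the first entry that no longer matches, which is what "evidence preservation" needs in a system where the investigator does not control the storage. Anchoring the latest entry hash somewhere outside the provider's reach (a printed worksheet, a separate timestamping service) is what turns detectability into a defensible chain of custody.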
Additional Information
NIST Cloud Computing Collaborative Twiki:
http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudSecurity
NIST Cloud Home Page:
http://www.nist.gov/itl/cloud