
CLOUD AND THE GOVERNMENT

Managing Risk in a Cloud Ecosystem

Michaela Iorga, National Institute of Standards and Technology
Anil Karmel, C2 Labs

IEEE Cloud Computing, November/December 2015, pp. 51–57. 2325-6095/15/$31.00 © 2015 IEEE

DUE TO ECONOMIES OF SCALE, CUTTING-EDGE TECHNOLOGY ADVANCEMENTS, AND HIGHER CONCENTRATION OF EXPERTISE, CLOUD PROVIDERS HAVE THE POTENTIAL TO OFFER STATE-OF-THE-ART CLOUD ECOSYSTEMS THAT ARE RESILIENT, SELF-REGENERATING, AND SECURE—FAR MORE SECURE THAN THE ENVIRONMENTS OF CONSUMERS WHO MANAGE THEIR OWN SYSTEMS. This has the potential to greatly benefit many organizations. The key to successful implementation of a cloud-based information system is a level of transparency into the cloud provider’s service. This level of transparency allows businesses to build the necessary trust and to properly weigh the benefits of adopting such solutions. In this assessment process, businesses need to consider the sensitivity of the stored information against the incurred security and privacy risks. For example, the benefits of a cloud-based solution would depend on the cloud model, type of cloud service considered, type of data involved, the system’s criticality/impact level, cost savings, service type, and any associated regulatory requirements.

Cloud-based information systems are exposed to threats that can have adverse effects on organizational operations (such as missions, functions, image, or reputation), organizational assets, individuals, and other organizations. Malicious entities can exploit both known and unknown vulnerabilities to compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems.

Risk management activities can be grouped based upon the level at which they address the risk-related concerns:

• organization level (tier 1);
• mission and business process level (tier 2); and
• information system level (tier 3).

In this article, we focus only on the tier 3 security risks related to the operation and use of cloud-based information systems. To prevent and mitigate any risks, adverse actions, service disruptions, attacks, or compromises, organizations need to quantify their residual risk (that is, the portion of risk remaining after security measures have been applied [1]) below the threshold of the acceptable level of risk.

Security Risk and Cloud

Information systems risk management (tier 3) is guided by the risk decisions at tier 1 and tier 2. Information security requirements are satisfied by the selection of appropriate management, operational, and technical security controls from standardized catalogs of security and controls [2–4].

Volume 1 of National Institute of Standards and Technology (NIST) Special Publication (SP) 500-293, US Government Cloud Computing Roadmap, highlights that boundaries in a cloud ecosystem are more complex and therefore render traditional risk management mechanisms, such as perimeter-based defense mechanisms, less effective [5]. Moreover, in a cloud ecosystem, the complex relationships among cloud actors [6], the actors’ individual missions, business processes, and their supporting information systems require an integrated, ecosystem-wide risk management framework (RMF) that addresses all cloud actors’ needs. As with any information system, for a cloud-based information system, cloud actors are responsible for evaluating their acceptable risk, which depends on the threshold set by their risk tolerance to the cloud ecosystem-wide residual risk.

In general, organizations have maximum flexibility in how risk assessments are conducted. Because risk assessments facilitate decision making at all three tiers (organization level, mission/business process level, and information system level), they’re key processes of effective risk management and in maintaining the residual risk below the threshold, and therefore the methods employed to assess the risks are of crucial importance. We recommend reading NIST SP 800-30, Guide for Conducting Risk Assessment, which provides quantitative, qualitative, or semiqualitative methods that use scores or levels, respectively [7].

To effectively manage information security risk at the ecosystem level, the following high-level elements must be established:

• Assignment of risk management responsibilities to the cloud actors involved in the orchestration of the cloud ecosystem. Internally, cloud actors need to further assign responsibilities to their senior leaders, executives, and representatives.
• Establishment of a cloud ecosystem-wide tolerance for risk and communication of this risk tolerance through service-level agreements (SLA), including information on decision-making activities that impact the risk tolerance.
• Near real-time monitoring, recognition, and understanding, by each cloud actor, of the information security risks arising from the operation and/or use of the information system leveraging the cloud ecosystem.
• Accountability by the cloud actors and near real-time information sharing of the cloud actors’ incidents, threats, risk management decisions, and solutions.

Risk is often expressed as a function of the magnitude of harm caused by the occurrence of a circumstance or event, multiplied by the likelihood of its occurrence. In information security, likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability. Accordingly, security risk assessments focus on identifying where in the cloud ecosystem damaging events could take place.

The risk-based approach to managing information systems is a holistic activity that needs to be fully integrated into every aspect of the organization. An RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. An RMF operates primarily at tier 3 in the risk management hierarchy, but it can also have interactions at tier 1 and tier 2.

NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, introduces a risk management process mandated for federal agencies but widely vetted by state and local governments and by private sector organizations as a best practice for traditional information systems [8]. As that document states, defining information system requirements is a critical part of any system development process and needs to begin in a system’s initiation phase. Since the security requirements are a subset of the overall functional and nonfunctional requirements, security requirements need to be integrated into the system development life cycle (SDLC) simultaneously with the functional and nonfunctional requirements. Treating security as a patch or addition to the system and architecting and implementing solutions independent of the SDLC is a more difficult process that can incur higher costs with a lower potential to effectively mitigate risk.

We encourage you to review NIST SP 800-37, Revision 1, as well, which we use here as a reference framework for the current discussion of applying the RMF in a cloud ecosystem. For the sake of brevity, we won’t review in this article the six steps and the tasks described in that document. It’s important to note that even though the NIST document addresses complex information systems composed of multiple subsystems operated by different entities, it doesn’t address cloud-based information systems, or any other kind of systems that leverage utility-based resources, and hence the need for the current discussion.

When orchestrating a cloud ecosystem for a cloud-based information system, cloud consumers, as owners of the data associated with the system, remain responsible for securing the system and the data commensurate with the data sensitivity. However, cloud consumers’ level of control and direct management varies based on the cloud deployment model. NIST defined in SP 800-145, The NIST Definition of Cloud Computing, the cloud, cloud deployment models (public, private, hybrid, and community), and cloud service models (infrastructure as a service [IaaS], platform as a service [PaaS], and software as a service [SaaS]) [9]. In an IaaS cloud, the cloud consumer manages the top part of the functional stack above the hypervisor, while the consumer-managed functional stack proportionally decreases for a PaaS cloud and is reduced to a minimum in a SaaS cloud ecosystem.

The RMF introduced in NIST SP 800-37, Revision 1 can be applied by a cloud actor to the layers of the functional stack that are under its management. In a simplified cloud ecosystem model, which is orchestrated only by the cloud consumer and the cloud provider, the cloud provider applies the RMF to the lower part of the stack, which is built as part of the service offered. Cloud consumers will apply the RMF to the upper functional layers, the ones built and deployed on top of the cloud infrastructure offered as a service.

However, prior to acquiring a cloud service, a cloud consumer needs to analyze the risk associated with adopting a cloud-based solution for a particular information system, and plan for the risk-treatment and risk-control activities associated with the cloud-based operations of this system. To do so, a cloud consumer needs to gain the perspective of the entire cloud ecosystem that will serve the operations of their cloud-based information system. Cloud consumers must also apply the RMF in a customized way that allows them to

• perform a risk assessment,
• identify the best-fitting cloud architecture,
• select the most suitable cloud service,
• gain necessary visibility into the cloud offering, and
• define and negotiate necessary risk treatment and risk control mitigations before finalizing the SLA and proceeding with the security authorization.

Figure 1 depicts this RMF for the cloud ecosystem (RMF4CE) from the cloud consumer’s perspective, showing it as a repeatable process that encompasses the entire cloud ecosystem.

[Figure 1 (image not reproduced): the IaaS, PaaS, and SaaS functional stacks, with the portion labelled “You manage” covered by the RMF consumer, the remaining portion covered by the RMF provider, and the RMF4CE spanning both.]

FIGURE 1. Applying a risk management framework (RMF) to a cloud ecosystem (RMF4CE). (Functional stack image courtesy of Cloud Security Alliance, 2009)

In a cloud ecosystem, cloud consumers must establish the clear demarcation of information-system boundaries on all levels in a vendor-neutral manner. Furthermore, the cloud consumer must establish measures to ensure appropriate protection, regardless of vendor, ownership, or service level for the cloud-based information system.

Cloud Provider’s Risk Management Process

A cloud provider’s selection and implementation of its security and privacy controls consider their effectiveness, efficiency, and constraints based on the applicable laws, directives, policies, standards, or regulations with which the provider must comply. The cloud consumers’ specific requirements and mandates are unknown and therefore are projected as a generic core set.

Cloud providers have significant flexibility in determining what constitutes a cloud service and therefore its associated boundary, but at the time the system is architected and implemented, they can only assume the nature of data their cloud consumers will generate. Therefore, the security and privacy controls selected and implemented by a cloud provider are sets that meet the needs of a large number of potential consumers. However, the centralized nature of the offered cloud service enables a cloud provider to engineer highly technical, specialized security solutions that can provide a higher security posture than that in traditional IT systems.

Applying standardized or well-vetted approaches to cloud service risk management is critical to the success of the entire cloud ecosystem and its supported information systems. Since the offered cloud service is directly managed and controlled by the cloud provider, applying the RMF to this system doesn’t require additional tasks beyond those of a classical IT system; therefore, a risk management approach like the one discussed previously is a good example of a broadly accepted, well-vetted approach.

It’s important to note that a cloud ecosystem’s security posture is only as strong as the weakest subsystem or functional layer. Since a cloud provider’s reputation and business continuity depend on the smooth operation and high performance of their consumers’ solutions, when applying the RMF a cloud provider aims to compensate for possible weakness in their cloud consumers’ solutions.

Cloud Consumer’s Risk Management Process

For successful adoption of a cloud-based information system solution, the cloud consumer must be able to clearly understand the system’s cloud-specific characteristics, the architectural components for each service type and deployment model, and the cloud actors’ roles in establishing a secure cloud ecosystem. Furthermore, it is essential to cloud consumers’ business and mission-critical processes that they have the ability to

• identify all cloud-specific, risk-adjusted security and privacy controls;
• request from the cloud providers and brokers (when applicable and via contractual means) service agreements and SLAs where the cloud providers are responsible for implementing security and privacy controls;
• assess the implementation of said security and privacy controls; and
• continuously monitor all identified security and privacy controls.

Since the cloud consumers directly manage and control the functional capabilities they implement, applying the RMF to these functional layers doesn’t require more tasks or operations than necessary in a classical IT system; therefore, the risk management approach discussed earlier is a good example of a broadly accepted, well-vetted approach.

With cloud-based services, some subsystems or subsystem components fall outside the direct control of a cloud consumer’s organization. Since a cloud-based solution doesn’t inherently provide the same level of security and compliance as the traditional IT model, being able to perform a comprehensive risk assessment is key to building trust in the cloud-based system as the first step in authorizing its operation.

Cloud characteristics often present a cloud consumer with security risks that are different from those in traditional information technology solutions. To preserve the security level of their information system and data in a cloud-based solution, cloud consumers must be able to identify all cloud-specific, risk-adjusted security and privacy controls in advance of cloud service acquisition. They must also request from the cloud providers and brokers, through contractual means and SLAs, that all security and privacy components are identified and that their controls are fully and accurately implemented.

Understanding the relationships and interdependencies between the different cloud computing deployment models and service models is critical to understanding the security risks involved in cloud computing. The differences in methods and responsibilities for securing different combinations of service and deployment models present a significant challenge for cloud consumers. They need to perform a thorough risk assessment to accurately identify the security and privacy controls necessary to preserve their environment’s security level as part of the risk treatment process, and to monitor the operations and data after migrating to the cloud in response to their risk control needs.

In general, a cloud consumer adopting a cloud-based solution needs to follow the same RMF steps discussed earlier in addition to the tasks listed in Table 1. The table aligns risk management activities with their corresponding steps from NIST SP 800-37, Revision 1, and provides additional tasks (in italics) that map to Figure 2.

Table 1. Risk management framework (RMF) applied to a cloud ecosystem from a cloud consumer’s perspective.

Risk management activity: Risk assessment (analyze cloud environment to identify potential vulnerabilities and shortcomings)

NIST SP 800-37 RMF step 1, Categorize:
• Categorize the information system and the information processed, stored, and transmitted by that system based on a system impact analysis.
• Identify operational, performance, security, and privacy requirements.

NIST SP 800-37 RMF step 2, Select (includes evaluate-select-negotiate):
• Identify and select functional capabilities for the entire information system.
• Identify and select the associated baseline security controls based upon the system’s impact level, and the privacy controls.
• Tailor and supplement the security controls by selecting enhancements and/or additional controls deemed necessary.
• Identify and select best-fitting cloud architecture for this information system.
• Evaluate/review cloud providers that meet consumer’s criteria (architecture, functional capabilities, and controls).
• Select cloud provider(s) that best meet(s) the desired architecture and the security requirements (ideally should select the provider that provides as many controls as possible to minimize the number of controls that will have to be tailored). In the process, identify the controls that will be implemented by the consumer, the controls implemented by the provider as part of the offering, and the controls that need to be tailored (via compensating controls and/or parameter selection).
• Negotiate SLA, metrics, and sign service agreement as part of the procurement process.
• Document all the controls in the security plan. Review and approve the security plan.

Risk management activity: Risk treatment (design mitigation policies and plans)

NIST SP 800-37 RMF step 3, Implement:
• Implement security and privacy controls for which the cloud consumer is responsible.

NIST SP 800-37 RMF step 4, Assess:
• Assess the cloud provider’s implementation of the tailored security and privacy controls.
• Assess the implementation of the security and privacy controls, and identify any inheritance and dependency relationships between the provider’s controls and consumer’s controls.

NIST SP 800-37 RMF step 5, Authorize:
• Authorize the cloud-based information system to operate.

Risk management activity: Risk control (risk monitoring: surveying, reviewing events, identifying policy adjustments)

NIST SP 800-37 RMF step 6, Monitor:
• Continuous/near real-time monitoring of operations and effectiveness of the security and privacy controls under consumer’s management.
• Continuous/near real-time monitoring of cloud provider’s operations related to the cloud-based information system and assessment of the systems’ security posture.
• Reassess and reauthorize (periodic or ongoing) the cloud provider’s service.

[Figure 2 (image not reproduced): a cycle around the cloud ecosystem consumer’s global view of the RMF, with the three activities (risk assessment, risk treatment, risk control) wrapped around the six steps. Step 1, Categorize: impact analysis; system categorization. Step 2, Select: identify and select capabilities; select baseline controls; tailor and supplement controls; identify and select best fitting cloud architecture; select cloud provider; negotiate SLA, metrics, sign contract; develop security plan. Step 3, Implement: implement security controls under consumer’s management. Step 4, Assess: assess security controls managed by provider; assess security controls managed by consumer. Step 5, Authorize: authorize cloud-based information system (based upon residual risk and risk tolerance). Step 6, Monitor: ongoing monitoring of consumer’s controls; ongoing monitoring of provider’s operations; reauthorize provider.]

FIGURE 2. Cloud consumers’ view of the risk management framework (RMF) applied to a cloud ecosystem.

The RMF applied to the cloud ecosystem from the consumer’s perspective can be used to address the security risks associated with cloud-based information systems by incorporating the outcome into the terms and conditions of the contracts with external cloud providers and cloud brokers. Performance aspects of these terms and conditions are also incorporated into the SLA, which is an intrinsic part of the security authorization process and of service agreements between the cloud consumer, provider, and broker (when applicable). Contractual terms should include guarantees of the cloud consumer’s timely access to or the provider’s timely delivery of cloud audit logs, continuous monitoring logs, and any user access logs.

The approach covered by the steps in Table 1 enables organizations to systematically identify their common, hybrid, and system-specific security controls and other security requirements and to convey them to procurement officials, cloud providers, carriers, and brokers.

BEFORE ADOPTING A CLOUD-BASED SOLUTION FOR AN INFORMATION SYSTEM, CLOUD CONSUMERS MUST DILIGENTLY IDENTIFY THEIR SECURITY REQUIREMENTS. In addition, they must assess each prospective service provider’s security and privacy controls, negotiate SLAs and service agreements, and build trust with the cloud provider before authorizing the service. A thorough risk analysis coupled with the secure cloud ecosystem orchestration introduced here, along with adequate guidance on negotiating SLAs, is intended to assist cloud consumers in managing risk and making informed decisions when adopting cloud services.

References

1. National Information Assurance (IA) Glossary, Committee on National Security Systems Instruction No. 4009, Apr. 2010; www.ncsc.gov/nittf/docs/CNSSI-4009_National_Information_Assurance.pdf.
2. National Institute of Standards and Technology, Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, Revision 4, 2013; http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.
3. International Organization for Standardization, Information Technology—Security Techniques—Information Security Management—Requirements, ISO/IEC 27001, 2013; www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54534.
4. International Organization for Standardization, Information Technology—Security Techniques—Code of Practice for Information Security Controls, ISO/IEC 27002, 2013; www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54533.
5. L. Badger et al., US Government Cloud Computing Technology Roadmap, NIST Special Publication 500-293, volumes 1 and 2, 2014; http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-293.pdf.
6. F. Liu et al., NIST Cloud Computing Reference Architecture, NIST Special Publication 500-292, 2011; www.nist.gov/customcf/get_pdf.cfm?pub_id=909505.
7. National Institute of Standards and Technology, Guide for Conducting Risk Assessment, NIST Special Publication 800-30, Revision 1, 2012; http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf.
8. National Institute of Standards and Technology, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, NIST Special Publication 800-37, Revision 1, 2010; http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf.
9. P. Mell and T. Grance, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, 2011; http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.

MICHAELA IORGA is senior security technical lead for cloud computing at the National Institute of Standards and Technology. Her current research interests include cloud computing security, forensics and privacy, information assurance, and federated identity and credential management issues in cyberspace. Iorga has a PhD in engineering from Duke University. Contact her at michaela.iorga@nist.gov.

ANIL KARMEL is the cofounder and CEO of C2 Labs as well as the cochair of the National Institute of Standards and Technology’s Cloud Security Working Group. His research interests include cloud computing security and privacy, secure DevOps, and container and microservices security. Karmel has a bachelor of science degree from the University of Illinois, Urbana/Champaign. Contact him at akarmel@c2labs.com.
