Cloud Security

A HIGH Impact Baseline for Clouds

FEDRAMP (FEDeral Risk and Authorization Management Program) offers baselines of 800-53 security controls that have been tailored for cloud environments. But they do not offer a HIGH impact baseline. Presumably, HIGH impact systems will use private clouds that exist inside the authorization boundary of the federal agency that implements them. FEDRAMP requirements do not apply […]

Hidden Expenses in Cloud Computing

Cloud computing may not deliver the cost savings that everybody seems to expect. The general computing community seems to take it for granted that the driving reason for moving to a cloud is a great reduction of costs. While it is true that cloud operations can offer some reductions in hardware and head count costs, […]

Clouds Will Become APT Targets

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST SP 800-145 Advanced Persistent Threat APT or Advanced Persistent Threat describes cyber […]

Security Metrics for Clouds

A previous article here on general Security Metrics (see link below) outlined some key security controls for measurement: CM-8 INFORMATION SYSTEM COMPONENT INVENTORY RA-5 VULNERABILITY SCANNING SI-4 INFORMATION SYSTEM MONITORING SI-3 MALICIOUS CODE PROTECTION AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING SI-2 FLAW REMEDIATION IR-5 INCIDENT MONITORING CM-3 CONFIGURATION CHANGE CONTROL CA-5 PLAN OF ACTION AND […]

Cloud Security as an Interconnection

Connecting your information system to a cloud is an interconnection. NIST guidance on handling the security of interconnections is documented in SP 800-47 “Security Guide for Interconnecting Information Technology Systems”. The security protections required for an interconnection will depend upon the nature of the connection being established. If the connection uses a clearly limited profile […]

Cloud Security Layers

Situational awareness is one of the most difficult things to get right in doing cloud security, and hand in hand with that goes inventory awareness. To understand why, take a look at the layers involved with cloud security: Facility physical environment – the building and physical environment in which the data center infrastructure resides Infrastructure […]