Cloud Security as an Interconnection

Connecting your information system to a cloud is an interconnection. NIST guidance on handling the security of interconnections is documented in SP 800-47 “Security Guide for Interconnecting Information Technology Systems”.

The security protections required for an interconnection depend upon the nature of the connection being established. If the connection uses a clearly limited profile of communication protocol, authentication process, encryption, type of data, etc., then the requirements are not likely to be strenuous. On the other hand, if there are few limits on how the connection can be used, a complete evaluation of the security risk involved will be needed. The end product is a satisfactory level of trust that the risk adopted by connecting to another system is both fully understood and acceptable, either as it is or because it can be handled by some protective measure.

Security control CA-3 “INFORMATION SYSTEMS CONNECTIONS” requires federal agencies to:

  1. Authorize connections to other systems
  2. Document the nature of the connection
  3. Monitor the connection on an ongoing basis

This process can be complex and require a major effort, or it can be simple and easy, depending upon the systems, the connection, the maturity of the security program, and the differences in these factors at each end.

When you analyze your own risk and the security protections that are in place to limit it, you are able to scrutinize your own environment and systems. You know what level of protection is in place and you have a good idea of how far to trust it. When you use a cloud provider, you are turning over some of your operations to a foreign environment, with systems and protections that are not as available to you and are likely more difficult to trust in the same way.

It becomes important to specify what your exposures are in the cloud environment, how well the provider's protections work, and what knowledge you will need to establish a high level of trust in them. Building a mutual understanding of these issues is at the heart of interconnection security, and it is no different with cloud security. Actions and responsibilities vary substantially with the level of service being supplied by the cloud provider. If the provider is only supplying Infrastructure as a Service (IaaS), then it has no part in the operating system and application issues. When it provides Platform as a Service (PaaS), it is responsible for OS issues but not for applications. With Software as a Service (SaaS), it will likely have most of the responsibility for the OS and applications. Monitoring, auditing, incident response, inventory, and other normal security processes have to be explicitly defined in terms of who is doing what, who is responsible for what, and how mutually important information will be shared across the boundary line.

FedRAMP (Federal Risk and Authorization Management Program) is a program that offers a standardized process to authorize cloud systems using a modified set of NIST SP 800-53 controls. The intent is to offer cloud security assessments and authorizations that will supply the needed trust level. Most of the “modifications” are not changes to baseline controls; they are control enhancements that are available but not specified in the standard baselines. FedRAMP requires these additional enhancements to be in place and also adds specific values for some of the ODPs (Organizationally Defined Parameters), which can make a control more strenuous.

SEE ALSO:
Cloud Security Layers
Interconnection Security
System Characterization
SDLC Framework