Analysis of NIST SP 800-53 Rev 3 controls
All content following this page was uploaded by Muhammad Imran Tariq on 22 August 2019.
Abstract— Cloud computing has brought new innovations to the paradigm of the information technology (IT) industry through virtualization and by offering low-price services on a pay-as-per-use basis. Since the development of cloud computing, several issues like security, privacy, cost, load balancing, power consumption and scheduling algorithms are still under research. A threat agent is an attacker, intruder and/or employee that takes advantage of the vulnerabilities and risks in the system. There are different information security standards, governance and security frameworks, and guides to protect organizations from threat agents. In this research, cloud vulnerabilities and risks that can be exploited by a threat agent have been identified and mapped to the renowned information security standard NIST SP 800-53 Rev.3 to check whether the standard provides the claimed security to cloud users.

Keywords—Threat Agent; Information Security; Cloud Computing; NIST SP 800-53 Rev.3

I. INTRODUCTION

Cloud computing has four deployment models: private cloud, community cloud, public cloud and hybrid cloud. In a private cloud, the organization builds its own infrastructure and manages the system and services as well. The community cloud is managed by a group of organizations/entities with common tasks, while in a public cloud the organization obtains different services from a cloud services provider (CSP) as per its requirements; the system and services are provided to the general public and used for as long as the organization requires [1]. The hybrid cloud is a combination of private cloud and public cloud and has characteristics of all deployment models. Private and public clouds are connected with each other through gateways and share data, applications and resources. There is no location binding on a hybrid cloud; it may be located at the private organization's premises or at the Cloud Service Provider's premises [2].

Cloud computing has three service models. In software as a service (SaaS) the cloud customer obtains the cloud applications and their maintenance services from the CSP; Salesforce, Dropbox and Google Drive are examples of SaaS. Infrastructure as a service (IaaS) provides hardware, storage and infrastructure-related services; Amazon EC2 and Rackspace are examples of IaaS. Platform as a service (PaaS) provides the environment, tools, libraries, application development framework, machines and operating system services to its customers. Cloud computing has several advantages over traditional computing, but it has several constraints that are roadblocks to the complete deployment of cloud computing. Security, privacy, cost, energy balancing, load balancing, power consumption and scheduling algorithms are some of the major constraints that organizations are facing in the deployment of cloud computing [3, 4].

In computer security, a threat always exploits a vulnerability of the system to breach security and become harmful [5]. A threat agent is an entity that has the capability of carrying out an attack on the cloud. The security and privacy issues are exploited by the threat agent. A threat agent exploits either internal (malicious insider) or external vulnerabilities. It acts as an anonymous attacker, malicious service agent, trusted attacker or malicious insider [6, 7].

The vulnerability is a major risk factor. There are a number of chances for an asset to be unable to resist the action of a threat agent. Cloud organizations deploy different information security standards to secure their organization. Standards organizations have recently developed information security standards particularly for cloud computing, but cloud organizations are still using traditional information security standards for their organizational security.

The main objective of this research is to analyze whether the renowned information security standard NIST SP 800-53 Rev.3 provides security against the threat agent [8]. Section II of this research paper describes NIST SP 800-53 Rev.3, and Section III describes the identified cloud risks that are mapped to NIST 800-53 Rev. 3 to know the importance of the standard for cloud computing. In Section IV of this paper, we critically analyze the standard in detail. Section V presents the justification and validation of the work done in the previous sections, and in Section VI we propose recommendations to meet the standards of cloud computing. The last section of the research paper is the conclusion and future work for the presented research work.
1st National Conference on Emerging Trends and Innovations in Computing & Technology 15-26 March, 2016
The NIST SP 800-53 Rev.3 standard provides a security control catalogue to be applied in Federal Information Systems (FIS) [8]. This standard has approximately all types of controls to meet the requirements of information security and risk management. The implementation of this guide will help the organization to create a secure information security system and an effective risk management system by:

• Facilitating organizations to select appropriate governance and security controls from the standard for security systems and
• Defining the minimum level of security controls required for information management systems
• Providing a foundation for creating the evaluation methods and actions to decide the effectiveness of the security controls in the standard
• Improving communication among organizations to discuss risk management

The standard covers a wide range of audience, like information security professionals, project managers, information security system product developers, auditors, inspectors general, information security service providers, information security administrators and information security managers.

III. CLOUD RISK IDENTIFICATION

This section describes the identification of risks and the related work to identify cloud risks. Many cloud risks have been identified, and a precise approach, i.e. the risk assessment used by other experts in the field of cloud, has been adopted. By studying this approach, various cloud-related risks with different levels have been observed. It is a well-organized process to identify risks vis-à-vis customer concerns in the cloud. The risks identified by various government agencies and cloud security bodies, and other risks identified by individual experts, were also taken into account in the process of risk identification [9]. The risks are also classified according to their severity and the taxable value. Cloud risks are given in Table I. Table I is comprehensive and covers nearly all public risks found during the investigation [10].

The goal of this section is to know how much security the cloud service provider offers to its customers against threat agents through the implementation of security standards. The ultimate goal is to identify and mitigate risks exploited by threat agents in the cloud. Numerous risks posed by threat agents have been identified during the investigation process, but a few of them are omitted from the list given in Table I because they are not related to the cloud. For example, service providers not providing sufficient resources to the cloud customer is one of the risks that must be managed.

Table I. Cloud risks (Sr. No. and Name of Risk)
1. Loss of Governance
2. Lock-in
3. Improper Backup
4. Network Failure
5. Improper Hardware governance and failure
6. Third parties communication and service change risks
7. Unsafe working environment
8. Distributed Denial of Service
9. Regulatory Requirements
10. Service provider human error
11. License risks
12. Loss of customer account and configuration data
13. Delayed response
14. Insecure or ineffective deletion of customer data
15. Data interception
16. Theft of Data
17. Theft of Computer
18. Insecure data storage within network
19. Loss of control over paper based information
20. Vulnerabilities in Backup System
21. Loss of encryption keys
22. Privilege escalation
23. Social engineering attacks
24. Wireless network breach
25. Unauthorized access
26. Malicious insider
27. Third party personal breaches
28. Improper highlight Security breaches
29. Poor implementation of security plan
30. Interfacing with third parties has vulnerabilities
31. Private information becomes public without customer notice
32. Subpoena and e-discovery
33. The Cloud provider suspends service
34. The Cloud provider terminates service
35. Unavailability of operational information
36. Data jurisdiction is not controlled by customer
37. Restricted support access
38. Business continuity
39. Isolation failure
40. Over-usage of shared resources
41. Non compliance with client instructions relating to data processing
42. Data access and associated logs
43. Ambiguous security responsibilities
44. Malicious code imbedded in software
45. Insecure equipment disposal
46. Improper security update policy
47. Lack of technical resources
48. Loss of data ownership
49. Insufficient cryptographic management
50. Undependable service engine
51. Malicious employees
52. Economical denial of service
53. Cloud service provider acquisition
54. Compliance to International Standards
55. Supply Chain Management Failure
56. Non-compliance with legal requirements
57. Noncompliance with data protection law requirements
58. Loss of customer privacy
59. Loss of intellectual property
Design and configuration of the network is another source of risk that must be managed. The cloud system is still well managed and established by the cloud service provider to confirm that all network goals are met in terms of security, confidentiality and privacy. Moreover, some legal and technical vulnerabilities were also not taken into consideration because they are not valuable. Risks of traditional networks, like missing DHCP server settings and Active Directory failure, have also been excluded [11].

The risks that are not described in this section are not related to the cloud, but this does not mean that these risks are not worthwhile. Cloud organizations must take necessary action to resolve these risks.

The SC family is 25% and the CM family is 22% effective for cloud-related risk mitigation. This quantitative analysis also shows that the cloud organization has to mainly focus on the AC family, SA family, SC family and CM family when implementing NIST SP 800-53 Rev.3 for information security. Fig. 2 shows the effectiveness of NIST SP 800-53 Rev.3 processes for cloud computing.
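The quantitative mapping described above (a control family's effectiveness as the share of identified risks it covers, and the families an organization should focus on) can be reproduced as a small gap-analysis script. The following is an added example, not code from the paper or its authors: the risk numbers and names come from Table I, but the families attached to each risk are a constructed, hypothetical analyst judgement, so the percentages it produces are illustrative and do not reproduce the paper's figures. The family codes are the real NIST SP 800-53 family identifiers, used here only as labels.

```python
"""Risk-to-control-family coverage analysis (added example).

Models the quantitative step the paper describes: every identified cloud
risk is mapped to the NIST SP 800-53 control families judged to address
it, a family's "effectiveness" is the percentage of risks it covers, and
risks with no covering family expose the standard's gaps.

Risk numbers and names are taken from Table I of the paper. The families
attached to each risk are a CONSTRUCTED, hypothetical judgement for
illustration only; they are not the paper's mapping and do not reproduce
its figures.
"""

# NIST SP 800-53 control family identifiers (real identifiers, labels only).
FAMILIES = {
    "AC": "Access Control",
    "AT": "Awareness and Training",
    "AU": "Audit and Accountability",
    "CM": "Configuration Management",
    "CP": "Contingency Planning",
    "IA": "Identification and Authentication",
    "IR": "Incident Response",
    "MP": "Media Protection",
    "PS": "Personnel Security",
    "SA": "System and Services Acquisition",
    "SC": "System and Communications Protection",
    "SI": "System and Information Integrity",
}

# (Table I number, risk name, constructed list of covering families).
# An empty list means no family was judged to address the risk.
RISKS = [
    (1, "Loss of Governance", []),
    (3, "Improper Backup", ["CP"]),
    (8, "Distributed Denial of Service", ["SC", "CP", "IR"]),
    (12, "Loss of customer account and configuration data", ["CP", "CM"]),
    (14, "Insecure or ineffective deletion of customer data", ["MP", "SI"]),
    (15, "Data interception", ["SC"]),
    (18, "Insecure data storage within network", ["SC", "MP"]),
    (20, "Vulnerabilities in Backup System", ["CP", "SI"]),
    (21, "Loss of encryption keys", ["SC", "IA"]),
    (22, "Privilege escalation", ["AC", "IA", "SI"]),
    (23, "Social engineering attacks", ["AT"]),
    (25, "Unauthorized access", ["AC", "IA", "AU"]),
    (26, "Malicious insider", ["PS", "AC", "AU"]),
    (36, "Data jurisdiction is not controlled by customer", []),
    (39, "Isolation failure", ["SC", "AC"]),
    (44, "Malicious code imbedded in software", ["SI", "SA"]),
    (46, "Improper security update policy", ["CM", "SI"]),
    (49, "Insufficient cryptographic management", ["SC"]),
    (53, "Cloud service provider acquisition", []),
    (55, "Supply Chain Management Failure", ["SA"]),
]


def family_effectiveness(risks=RISKS):
    """Percentage of the identified risks that each family addresses.

    Raises ValueError on an unknown family code so that a typo in the
    mapping cannot silently inflate or deflate a family's score.
    """
    counts = {fam: 0 for fam in FAMILIES}
    for _, name, fams in risks:
        for fam in set(fams):  # count a family at most once per risk
            if fam not in counts:
                raise ValueError(f"unknown control family {fam!r} on risk {name!r}")
            counts[fam] += 1
    return {fam: round(100.0 * c / len(risks), 1) for fam, c in counts.items()}


def unmapped_risks(risks=RISKS):
    """Risks with no covering family: the gaps the standard leaves open."""
    return [(no, name) for no, name, fams in risks if not fams]


def coverage_gap(risks=RISKS):
    """Percentage of risks that no family addresses."""
    return round(100.0 * len(unmapped_risks(risks)) / len(risks), 1)


def focus_families(risks=RISKS, top_n=4):
    """Family codes to prioritise, ordered by effectiveness (ties alphabetical)."""
    eff = family_effectiveness(risks)
    ranked = sorted(eff.items(), key=lambda kv: (-kv[1], kv[0]))
    return [fam for fam, _ in ranked[:top_n]]


if __name__ == "__main__":
    for fam, pct in sorted(family_effectiveness().items(), key=lambda kv: -kv[1]):
        print(f"{fam} ({FAMILIES[fam]}): {pct:.1f}% of risks addressed")
    print("Focus families:", ", ".join(focus_families()))
    print(f"Risks with no covering family ({coverage_gap():.1f}%):")
    for no, name in unmapped_risks():
        print(f"  {no}. {name}")
```

Running the script prints the per-family percentages, the focus families and the risks that no family covers. The unmapped list is the practically useful output: those are the risks for which the organization has to look beyond the standard, which is the paper's own conclusion about Rev. 3. Replacing the constructed mapping with an organization's real risk-to-control assignments turns the script into a reusable gap check.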
many other organizations that are working on cloud security issues. While studying the approach, a number of risks have been identified and taken into consideration, but only the important ones have been included in the risk dataset to check the level of the international security standard, i.e. NIST SP 800-53 Rev. 3.

The detailed analysis of each process and control of the standard has been carried out, and it was revealed that NIST SP 800-53 Rev. 3 had no cloud-specific controls to mitigate all the risks that were identified and given in the presented work. Despite this, it is widely used for the implementation of information security within an organization. NIST SP 800-53 Rev. 4 has a number of cloud-relevant controls that may be useful for implementing information security. The ISO/IEC WD 27017 and ISO/IEC 27018 standards are relevant to the management of information security, security controls for the use of cloud computing and data protection controls for public cloud computing respectively.

Future work of the research is a continuation of this research. An intensive analysis of the existing security agents will be carried out to dig out the cloud security areas that can be compromised and where improvement is required in order to implement better security in a cloud organization. The cloud risks that were excluded due to their impact and worth will also be taken into consideration in the security agent risk dataset to make the dataset more comprehensive about cloud security risks. The identified risks shall be used to check the importance factor of the CCM V.3.01, ISO/IEC WD 27017 and the latest version of NIST 800-53 Rev. 4. The result of future research shall be very helpful for the cloud organization before its adoption of security standards and the mitigation of risks through these standards.

References

Controls for Federal Information Systems - NIST IT Security', 2011. [Online]. Available: http://www.nist.org/nist_plugins/content/content.php?content.18. [Accessed: 01-Oct-2015].
[9] Cloud Security Alliance, 'Security guidance for critical areas of focus in cloud computing', 2011.
[10] M. Tariq, Providing Assurance to Cloud Computing through ISO 27001 Certification: How Much Cloud is Secured After Implementing Information Security Standards. CreateSpace, 2015, p. 134.
[11] A. Aich, A. Sen and S. Dash, 'A Survey on Cloud Environment Security Risk and Remedy', 2015 International Conference on Computational Intelligence and Networks, 2015.
[12] FISMA, 'NIST Computer Security Division - FISMA Implementation Project', 2014. [Online]. Available: http://csrc.nist.gov/groups/SMA/fisma/index.html. [Accessed: 01-Oct-2015].
[13] NIST, 'NIST Special Publication 800-53 (Rev. 4)', 2013. [Online]. Available: https://web.nvd.nist.gov/view/800-53/Rev4/home. [Accessed: 01-Oct-2015].