ResearchGate record: https://www.researchgate.net/publication/326414873
Analysis of NIST SP 800-53 Rev.3 Controls Effectiveness for Cloud Computing
Article · January 2016
Authors: Haroon Rasheed (Bahria University Karachi Campus), Muhammad Imran Tariq (Higher Education Department, Punjab, Lahore)
All content following this page was uploaded by Muhammad Imran Tariq on 22 August 2019.

Earlier ResearchGate record of the same work: https://www.researchgate.net/publication/303315109
Analysis of NIST SP 800-53 Rev.3 Controls' Effectiveness for Cloud Computing
Research · May 2016
Author: Muhammad Imran Tariq (Higher Education Department, Punjab, Lahore)
All content following this page was uploaded by Muhammad Imran Tariq on 18 May 2016.

1st National Conference on Emerging Trends and Innovations in Computing & Technology, 15-26 March, 2016

Analysis of NIST SP 800-53 Rev.3 Controls Effectiveness for Cloud Computing

Muhammad Imran Tariq (1,*), Shahzadi Tayyaba (2), Muhammad Waseem Ashraf (3), Haroon Rasheed (4), Fariha Khan (4)
1 The Superior University, Lahore, Pakistan
2 The University of Lahore, Pakistan
3 GC University Lahore, Pakistan
4 Bahria University Karachi campus, Pakistan
*Email: imrantariqbutt@yahoo.com

Abstract— Cloud computing has brought new innovations to the paradigm of the information technology (IT) industry through virtualization and by offering low-price services on a pay-as-per-use basis. Since the development of cloud computing, several issues like security, privacy, cost, load balancing, power consumption and scheduling algorithms are still under research. A threat agent is an attacker, intruder and/or employee that takes advantage of the vulnerabilities and risks in the system. There are different information security standards, governance and security frameworks, and guides to protect organizations from threat agents. In this research, cloud vulnerabilities and risks that can be exploited by a threat agent have been identified and mapped onto the renowned information security standard NIST SP 800-53 Rev.3 to check whether the standard provides the security it claims to cloud users.

Keywords—Threat Agent; Information Security; Cloud Computing; NIST SP 800-53 Rev.3

I. INTRODUCTION

Cloud computing has four deployment models: private cloud, community cloud, public cloud and hybrid cloud. In a private cloud, the organization builds its own infrastructure and manages the system and services as well. A community cloud is managed by a group of organizations/entities with common tasks, while in a public cloud the organization obtains different services from a cloud services provider (CSP) as per its requirements; the system and services are provided to the general public and used as long as the organization requires [1]. A hybrid cloud is a combination of private cloud and public cloud and has characteristics of all deployment models. Private and public clouds are connected with each other through gateways and share data, applications and resources. There is no location binding for a hybrid cloud; it may be located at the private organization's premises or at the Cloud Service Provider's premises [2].

Cloud computing has three service models. In software as a service (SaaS), the cloud customer obtains the cloud applications and their maintenance services from the CSP; Salesforce, Dropbox and Google Drive are examples of SaaS. Infrastructure as a service (IaaS) provides hardware, storage and infrastructure-related services; Amazon EC2 and Rackspace are examples of IaaS. Platform as a service (PaaS) provides the environment, tools, libraries, application development framework, machines and operating system services to its customers. Cloud computing has several advantages over traditional computing, but it has several constraints that are roadblocks to the complete deployment of cloud computing. Security, privacy, cost, energy balancing, load balancing, power consumption and scheduling algorithms are some of the major constraints that organizations are facing in the deployment of cloud computing [3, 4].

In computer security, a threat always exploits a vulnerability of the system to breach security and become harmful [5]. A threat agent is an entity that has the capability of carrying out an attack on the cloud. Security and privacy issues are exploited by the threat agent. A threat agent exploits either internal (malicious insider) or external vulnerabilities. It acts as an anonymous attacker, malicious service agent, trusted attacker or malicious insider [6, 7].

The vulnerability is a major risk factor. There are a number of chances for an asset to be unable to resist the action of a threat agent. Cloud organizations have deployed different information security standards to secure their organization. Standards organizations have recently developed information security standards particularly for cloud computing, but cloud organizations are still using traditional information security standards for their organizational security.

The main objective of this research is to analyze whether the renowned information security standard NIST SP 800-53 Rev.3 provides security against the threat agent [8]. Section II of this research paper describes NIST SP 800-53 Rev.3, and Section III describes the identified cloud risks that are mapped to NIST 800-53 Rev. 3 to know the importance of the standard for cloud computing. In Section IV of this paper, we critically analyze the standard in detail. Section V presents the justification and validation of the work done in the previous sections, and in Section VI we propose recommendations to meet the standards of cloud computing. The last section of the research paper is the conclusion and future work for the presented research work.


II. NIST SP 800-53 REV. 3

The NIST SP 800-53 Rev.3 standard provides a security control directory to be applied to Federal Information Systems (FIS) [8]. This standard has approximately all types of controls to meet the requirements of information security and risk management. The implementation of this guide will help the organization to create a secure information security system and an effective risk management system by:

• Facilitating organizations to select appropriate security controls from the standard for security systems
• Defining the minimum level of security controls required for information management systems
• Providing a foundation for creating the evaluation methods and actions to decide the effectiveness of the security controls in the standard
• Improving communication among organizations to discuss risk management

The standard covers a wide range of audience, like information security professionals, project managers, information security system product developers, auditors, inspectors general, information security service providers, information security administrators and information security managers.

TABLE I. LIST OF IDENTIFIED RISKS

Sr. No. Name of Risk
1. Loss of Governance
2. Lock-in
3. Improper Backup
4. Network Failure
5. Improper Hardware governance and failure
6. Third parties communication and service change risks
7. Unsafe working environment
8. Distributed Denial of Service
9. Regulatory Requirements
10. Service provider human error
11. License risks
12. Loss of customer account and configuration data
13. Delayed response
14. Insecure or ineffective deletion of customer data
15. Data interception
16. Theft of Data
17. Theft of Computer
18. Insecure data storage within network
19. Loss of control over paper based information
20. Vulnerabilities in Backup System
21. Loss of encryption keys
22. Privilege escalation
23. Social engineering attacks
24. Wireless network breach
25. Unauthorized access
26. Malicious insider
27. Third party personal breaches
28. Improper highlight of security breaches
29. Poor implementation of security plan
30. Interfacing with third parties has vulnerabilities
31. Private information becomes public without customer notice
32. Subpoena and e-discovery
33. The Cloud provider suspends service
34. The Cloud provider terminates service
35. Unavailability of operational information
36. Data jurisdiction is not controlled by customer
37. Restricted support access
38. Business continuity
39. Isolation failure
40. Over-usage of shared resources
41. Non compliance with client instructions relating to data processing
42. Data access and associated logs
43. Ambiguous security responsibilities
44. Malicious code embedded in software
45. Insecure equipment disposal
46. Improper security update policy
47. Lack of technical resources
48. Loss of data ownership
49. Insufficient cryptographic management
50. Undependable service engine
51. Malicious employees
52. Economical denial of service
53. Cloud service provider acquisition
54. Compliance to International Standards
55. Supply Chain Management Failure
56. Non-compliance with legal requirements
57. Noncompliance with data protection law requirements
58. Loss of customer privacy
59. Loss of intellectual property

III. CLOUD RISK IDENTIFICATION

This section describes the identification of risks and the related work used to identify the cloud risks. Many cloud risks have been identified, and the precise approach, i.e. the risk assessment used by other experts in the field of cloud, has been adopted. By studying this approach, various cloud-related risks with different levels have been observed. It is a well-organized process to identify customer concerns in the cloud. The risks identified by the various government agencies and cloud security bodies, and other risks identified by individual experts, were also taken into account in the process of risk identification [9]. The risks are also classified according to their severity and their taxable value. Cloud risks are given in Table I. Table I is comprehensive and covers nearly all public risks found during the investigation [10].

The goal of this section is to know how much security a cloud service provider offers its customers against threat agents by implementing security standards. The ultimate goal is to identify and mitigate risks exploited by threat agents in the cloud. Numerous risks posed by threat agents have been identified during the investigation process, but a few are omitted from the list given in Table I because they are not related to the cloud. For example, service providers not providing sufficient resources to the cloud customer is one of the risks that must be managed.


Design and configuration of the network is another source of risks that must be managed. The cloud system is still well managed and established by the cloud service provider to confirm that all network goals are met in terms of security, confidentiality and privacy. Moreover, some legal and technical vulnerabilities were also not taken into consideration because they are not valuable here. Risks of traditional networks, like missing DHCP server settings and Active Directory failure, have also been excluded [11]. The risks that are not described in this section are not related to the cloud, but this does not mean that these risks are not worthwhile. Cloud organizations must take the necessary action to resolve these risks.

IV. ANALYSIS OF NIST SP 800-53 REV.3 STANDARD

The analysis focused on the implementation of the NIST SP 800-53 Rev.3 standard is shown in Fig. 1. The results clearly show that the implementation of NIST SP 800-53 Rev.3 does not provide complete assurance regarding broad mitigation of cloud risks. Moreover, the NIST SP 800-53 Rev.4 draft version has been developed for cloud computing. Furthermore, NIST does not provide a compliance mechanism like PCI DSS and ISO 27001. The identified cloud risks were also mapped to possible NIST SP 800-53 Rev. 3 processes to know which process is effective to mitigate the risks and their impact on the process. Fig. 1 shows the number of times a process could be used to mitigate a risk.

Fig. 1. Processes most likely to be affected by risks relating to the implementation of NIST SP 800-53 Rev.3 (figure not reproduced in this text)

From the evaluation of risks and processes, it is revealed that the access control (AC) family, communications protection (SC) family, service acquisition (SA) family and physical and environmental security (PE) family are the processes of an organization most affected by cloud computing implementation. However, for cloud computing, the media protection (MP) family, security assessment and authorization (CA) family and incident response (IR) family are also very important.

Furthermore, based on the quantitative analysis of Fig. 1, in NIST SP 800-53 Rev.3 the AC family and SA family are 27% effective for the mitigation of cloud risks, and subsequently the SC family is 25% and the CM family is 22% effective for cloud-related risk mitigation. This quantitative analysis also shows that cloud organizations have to focus mainly on the AC family, SA family, SC family and CM family when implementing NIST SP 800-53 Rev.3 for information security. Fig. 2 shows the effectiveness of NIST SP 800-53 Rev.3 processes for cloud computing.

Fig. 2. Effectiveness of NIST SP 800-53 Rev.3 processes for cloud computing (figure not reproduced in this text)

Fig. 3 shows the number of identified cloud risks mitigated by the implementation of NIST SP 800-53 Rev.3. It is clearly shown that 32 of the 59 identified cloud risks are completely mitigated, 15 of the 59 are partially mitigated and 12 are not mitigated. It is easy for cloud customers to understand from these quantitative figures that NIST SP 800-53 Rev.3 is able to mitigate the majority of the cloud risks. Some additional measures can be taken to completely mitigate the partially mitigated risks. The risks that are not mitigated by the NIST SP 800-53 Rev.3 standard require additional controls in the standard.

Fig. 3. Number of risks mitigated through NIST SP 800-53 Rev.3 (figure not reproduced in this text)
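As an added illustration of the tallies behind Figs. 1, 3 and 4 (this code is not from the paper; the risk-to-family assignments below are constructed for a subset of Table I and are hypothetical, not the authors' mapping), the following Python models a mapping of identified risks to NIST SP 800-53 Rev.3 control families, rejects inconsistent rows, and computes the per-family hit counts and the fully/partially/not mitigated counts and percentages:

```python
from collections import Counter
from dataclasses import dataclass

# NIST SP 800-53 Rev.3 control family identifiers used in this example
# (AC access control, CP contingency planning, SA services acquisition,
# SC communications protection, and so on).
FAMILIES = {"AC", "AU", "CP", "IA", "IR", "MP", "PE", "PM", "PS", "SA", "SC", "SI"}
LEVELS = ("full", "partial", "none")


@dataclass(frozen=True)
class RiskMapping:
    number: int        # Sr. No. of the risk in Table I
    name: str
    families: tuple    # control families judged to address the risk
    level: str         # "full", "partial" or "none"

    def __post_init__(self):
        # Inconsistent rows (mitigated by no family, or unmitigated by
        # some family) would silently skew the tallies, so reject them.
        if self.level not in LEVELS or not set(self.families) <= FAMILIES:
            raise ValueError(f"risk {self.number}: bad level or family")
        if (self.level == "none") != (len(self.families) == 0):
            raise ValueError(f"risk {self.number}: level/families disagree")


# Constructed subset of Table I risks with hypothetical family assignments;
# the assignments are illustrative and are NOT the paper's own mapping.
SAMPLE_MAPPING = [
    RiskMapping(1, "Loss of Governance", ("PM", "SA"), "partial"),
    RiskMapping(3, "Improper Backup", ("CP",), "full"),
    RiskMapping(8, "Distributed Denial of Service", ("SC", "IR"), "partial"),
    RiskMapping(14, "Insecure or ineffective deletion of customer data", ("MP",), "full"),
    RiskMapping(21, "Loss of encryption keys", ("SC",), "full"),
    RiskMapping(22, "Privilege escalation", ("AC", "SI"), "full"),
    RiskMapping(25, "Unauthorized access", ("AC", "IA", "PE"), "full"),
    RiskMapping(26, "Malicious insider", ("PS", "AC", "AU"), "full"),
    RiskMapping(32, "Subpoena and e-discovery", (), "none"),
    RiskMapping(36, "Data jurisdiction is not controlled by customer", (), "none"),
    RiskMapping(39, "Isolation failure", ("SC", "SA"), "partial"),
    RiskMapping(55, "Supply Chain Management Failure", ("SA",), "partial"),
]


def family_hit_counts(mapping):
    """Times each family is used to address a risk (the Fig. 1 tally)."""
    return Counter(fam for risk in mapping for fam in risk.families)


def mitigation_summary(mapping):
    """Number of risks fully, partially and not mitigated (the Fig. 3 tally)."""
    counts = Counter(risk.level for risk in mapping)
    return {level: counts.get(level, 0) for level in LEVELS}


def mitigation_percentages(mapping):
    """Fig. 3 counts as percentages of all mapped risks (the Fig. 4 view)."""
    summary = mitigation_summary(mapping)
    total = sum(summary.values())
    return {level: round(100.0 * n / total, 1) for level, n in summary.items()}


def family_effectiveness(mapping, top=4):
    """Share of all mapped risks each family touches, most-used families first."""
    total = len(mapping)
    hits = family_hit_counts(mapping)
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(fam, round(100.0 * n / total, 1)) for fam, n in ranked[:top]]
```

Replacing SAMPLE_MAPPING with a full 59-row mapping reproduces the kind of figures the paper reports; the percentages here are for the constructed subset only.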


Fig. 4 shows the number of identified cloud risks mitigated by the implementation of the NIST SP 800-53 Rev.3 standard, in percentage.

Fig. 4. Number of risks mitigated through NIST SP 800-53 Rev.3, in percentage (figure not reproduced in this text)

V. JUSTIFICATION

The NIST SP 800-53 Rev.3 publication was developed with the support of the Federal Information Security Management Act of 2002 (FISMA) [12]. The publication has a number of controls which address issues related to security, privacy, hostile cyber-attacks, natural disasters, structural failure and human errors of the organization.

Although the result of the analysis is a negative one, it is worthwhile to mention here that if the CSP implements a NIST SP 800-53 Rev.3 program then many of the identified cloud risks are mitigated or partially mitigated. If NIST SP 800-53 Rev.3 is compared with the ISO/IEC 27001 standards, then NIST does not completely mitigate risks as ISO does. During the analysis, it was revealed that there are two main positive points. First, NIST has a number of processes to manage organizational security, asset security and protection, physical and environmental protection, risk management and especially program management. Second, the description of each control is very detailed, especially when compared to ISO 27002. If the standard has detailed controls for cloud computing, then it is very convenient for cloud customers to know how the risks are being mitigated, and they do not need to seek out additional details of the CSP's security. The detailed controls have one more advantage: they provide more transparency on how the CSP control is implemented, since there is no room for interpretation. However, a risk-based approach is required to ensure that no other risk is overlooked. Furthermore, during implementation of the standard, a cost analysis is mandatory to make certain that the controls are cost effective. NIST SP 800-53 Rev.4 has recently been published and it has a number of controls relating to cloud computing. The inclusion of cloud-related controls will directly address cloud-related issues [13]. In conclusion, the analysis revealed that the standard NIST SP 800-53 Rev.3 has a number of controls and recommendations which can be used to mitigate cloud-specific risks. However, due to its shortcomings, the standard does not provide the level of security that a cloud customer desires in a standard to manage its cloud.

VI. RECOMMENDATION

The information security standards and frameworks were investigated in detail, and the authors present the following recommendations to be addressed during the development of standards, so that cloud-specific risks are mitigated in a standard way:

• The cloud is another name for IT outsourcing; therefore, including more controls relating to outsourcing and suppliers, to bind them to comply with the instructions passed by the cloud customers as per agreement, will be useful.
• The standard must include key performance indicators, publicly available, to measure the security level of the CSP.
• CSPs must conduct an audit of their service level agreement (SLA) with cloud customers, as per the agreed schedule, through third-party IT audit organizations, and the report must be sent to the cloud customer.
• The cloud supplier's compliance report against the cloud customer's terms and conditions should also be part of the standard.
• The CSP must provide the demanded knowledge/information to its customer whenever required, based on the agreed terms and conditions.
• The CSP and cloud suppliers must ensure interoperability and portability between different CSPs in order to avoid vendor lock-in or CSP lock-in.
• A risk-based approach for continuous improvement should be part of the standard, as offered by ISO 27001.

VII. CONCLUSION AND FUTURE WORK

Cloud computing is the delivery of the computing services a client requires over the internet. It allows appropriate on-demand access to shared network resources, such as storage and servers. The difference between traditional IT and the cloud is that the equipment is at the supplier's premises. By opting for cloud services, the organization does not need an IT department, but skilled incumbents are required to manage it. Threat agents are big security risks: they exploit the vulnerabilities in the system and attack it. Although cloud computing is a very new technology, it still has vulnerabilities.

There are many organizations that are presently working on the security of cloud computing, like the Cloud Security Alliance (CSA), ISO / IEC 27001, ISACA, NIST, KPMG and ENISA. The SANS organization has also published various guides for cloud security. In addition to this, there are


many other organizations that are working on cloud security issues. While studying the approach, a number of risks were identified and taken into consideration, but only the important ones have been included in the risk dataset to check the level of the international security standard, i.e. NIST SP 800-53 Rev. 3.

The detailed analysis of each process and control of the standard has been carried out, and it was revealed that NIST SP 800-53 Rev. 3 has no cloud-specific controls to mitigate all the risks that were identified and given in the presented work. Despite this, it is widely used for the implementation of information security within an organization. NIST SP 800-53 Rev. 4 has a number of cloud-relevant controls that may be useful to implement information security. The ISO / IEC WD 27017 and ISO / IEC 27018 standards are relevant to the management of information security, security controls for the use of cloud computing, and data protection controls for public cloud computing, respectively.

Future work is a continuation of this research. An intensive analysis of the existing security agents will be carried out to dig out the cloud security areas that can be compromised and where improvement is required in order to implement better security in cloud organizations. The cloud risks that were excluded due to their impact and worth will also be taken into consideration in the security agent risk dataset to make the dataset more comprehensive about cloud security risks. The identified risks shall be used to check the importance factor of CCM V.3.01, ISO/IEC WD 27017 and the latest version of NIST 800-53 Rev.4. The result of the future research shall be very helpful for cloud organizations before the adoption of security standards and the mitigation of risks through these standards.

References

[1] D. Feng, M. Zhang, Y. Zhang and Z. Xu, 'Study on Cloud Computing Security', Journal of Software, vol. 22, no. 1, pp. 71-83, 2011.
[2] J. Lee, 'A View Of Cloud Computing', International Journal of Networked and Distributed Computing, vol. 1, no. 1, p. 2, 2013.
[3] B. Kandukuri, R. V. and A. Rakshit, 'Cloud Security Issues', 2009 IEEE International Conference on Services Computing, 2009.
[4] F. Sabahi, 'Cloud computing security threats and responses', 2011 IEEE 3rd International Conference on Communication Software and Networks, 2011.
[5] B. Grobauer, T. Walloschek and E. Stocker, 'Understanding Cloud Computing Vulnerabilities', IEEE Security & Privacy Magazine, vol. 9, no. 2, pp. 50-57, 2011.
[6] A. Honarvar, 'Developing an Elastic Cloud Computing Application through Multi-Agent Systems', International Journal of Cloud Applications and Computing, vol. 3, no. 1, pp. 58-64, 2013.
[7] K. Dahbur, B. Mohammad and A. Tarakji, 'A survey of risks, threats and vulnerabilities in cloud computing', Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications - ISWSA '11, 2011.
[8] NIST, 'Content / Special Publications - SP 800 series / NIST SP 800-53 rev 3 - Recommended Security Controls for Federal Information Systems - NIST IT Security', 2011. [Online]. Available: http://www.nist.org/nist_plugins/content/content.php?content.18. [Accessed: 01-Oct-2015].
[9] Security guidance for critical areas of focus in cloud computing, Cloud Security Alliance, 2011.
[10] M. Tariq, Providing Assurance to Cloud Computing through ISO 27001 Certification: How Much Cloud is Secured After Implementing Information Security Standards. CreateSpace, 2015, p. 134.
[11] A. Aich, A. Sen and S. Dash, 'A Survey on Cloud Environment Security Risk and Remedy', 2015 International Conference on Computational Intelligence and Networks, 2015.
[12] FISMA, 'NIST Computer Security Division - FISMA Implementation Project', 2014. [Online]. Available: http://csrc.nist.gov/groups/SMA/fisma/index.html. [Accessed: 01-Oct-2015].
[13] NIST, NIST Special Publication 800-53 (Rev. 4), 2013. [Online]. Available: https://web.nvd.nist.gov/view/800-53/Rev4/home. [Accessed: 01-Oct-2015].
