
NIST 500-299

NIST Cloud Computing Security Reference Architecture

The purpose of this document is to define a NIST Cloud Computing Security Reference Architecture (NCC-SRA), a framework that:
1. Identifies a core set of Security Components that can be implemented in a Cloud Ecosystem to secure the environment, the operations, and the data migrated to the cloud;
2. Provides, for each Cloud Actor, the core set of Security Components that fall under their responsibilities depending on the deployment and service models;
3. Defines a security-centric formal architectural model that adds a security layer to the current NIST SP 500-292, "NIST Cloud Computing Reference Architecture"; and
4. Provides several approaches for analyzing the collected and aggregated data.

Similar items:
The structure or ordering of components in a computational or other system. The classes and the interrelation of the classes define the architecture of a particular application. At another level, the architecture of a system is determined by the arrangement of the hardware and software components. The terms “logical architecture” and “physical architecture” are often used to emphasize this distinction.
NIST 800-146, titled Cloud Computing Synopsis and Recommendations, reprises the NIST-established definition of cloud computing, describes cloud computing benefits and open issues, and provides an overview of major classes of cloud technology.
The collection of standards, specifications, guidelines, architecture definitions, software infrastructures, reusable components, application programming interfaces (APIs), methodology, runtime environment definitions, and reference implementations that establishes an environment on which a system can be built. The COE (Common Operating Environment) is the vehicle that assures interoperability through a reference implementation that provides identical implementation of common functions. It is important to realize that the COE is both a standard and an actual product.
(1) Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes the following: functionality that performs correctly, sufficient protection against unintentional errors (by users or software), and sufficient resistance to malicious penetration or bypass. (2) A measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy. Note: Assurance refers to a basis for believing that the objective and approach of a security mechanism or service will be achieved. Assurance is generally based on factors such as analysis involving theory, testing, software engineering, validation, and verification. Lifecycle assurance requirements provide a framework for secure system design, implementation, and maintenance. The level of assurance that a de (3) Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy. (4) The degree of confidence that security needs are satisfied. Assurance must be continually maintained, updated, and reverified.
A security controls framework that provides mapping/cross relationships with the main industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA’s COBIT, and PCI-DSS. The CSA CCM (Cloud Controls Matrix) provides fundamental security principles that guide cloud vendors and assist prospective cloud customers in assessing the overall security risk of a cloud provider.
