Cloud Computing – Dynamic Security Certifications

One of the major differentiating factors of cloud computing over traditional IT computing services is the hyper-dynamic nature of cloud computing. New or modified services can be made available instantaneously to thousands or tens of thousands of desktops. No more IT deployment hassles. Minor enhancements can be made available to the masses on a weekly basis. No more waiting for the “next release” to get the latest features. Completely new technologies can be made available at anytime. This capability enables users to have access to the “latest and greatest” and can improve their productivity immediately.

The dynamic nature of cloud computing may prove to be a boon to users, but this paradigm runs counter to the FISMA/NIST system security certification processes. In a July 30, 2009 notice, the General Services Administration (GSA) announced that all cloud computing services must go through a formal approval process following NIST Special Publication 800-37. The NIST process assumes (pretty much) that you have a static system you want to evaluate against a set of acceptance criteria. Without further clarification or amendments to SP 800-37, certifying cloud services may prove to be either difficult or a waste of time.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Managed Services Delivery: From Packets to Applications
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Today, many systems are certified under SP 800-37 by taking a snapshot of the system – freezing functionality and capabilities. This freeze ensures that the evaluation is not trying to hit a moving target. Once deployed, certified systems should only be modified under certain circumstances lest the certification become invalidated. With the hyper-dynamic nature of cloud computing, this certification process will not work. The cloud capabilities will be constantly changing and invalidating the static system certification. Given that system evaluations under SP 800-37 can take months, it is impractical to think that every modification to cloud services can be assessed under this paradigm.

Another approach that can be taken is to “certify” the cloud providers themselves. That is, anoint qualified cloud providers as “trustworthy”. This would enable these cloud providers to produce updates to their services without constant scrutiny. This approach makes more sense rather than certifying single instances of each offering. This paradigm is analogous to ISO 9001 certifications where an entity’s processes are evaluated once every few years, but during that time, the entity can be trusted to produce quality products.

Today, no such standard exists that clearly evaluates cloud security or quality processes. Perhaps it is time to start developing one.

Wesley Higaki

About Wesley Higaki

As the director of the Software Assurance, Wes Higaki coordinated the efforts by Symantec Corporation to certify its products to provide customers additional assurance through independent third-party evaluations. He oversaw all of Symantec's Common Criteria and FIPS-140 certifications. He also manages ICSA and Checkmark testing. Higaki has led a working group through the National Cyber Security Partnership to develop plans to improve the Common Criteria by working with industry and Government. He has been instrumental in assembling the Common Criteria Users’ Forums – an effort to bring Government, customers (commercial and Government), vendors and evaluation labs together to improve the Common Criteria. Higaki has over 25 years of technical and managerial experience in the software industry. He has been with Symantec since the December 2000 acquisition of Axent Technologies where he was an engineering director. Prior to Axent, Wes worked for over 20 years in R&D at Hewlett-Packard Company including 7 years at Hewlett-Packard Laboratories. Higaki received a Bachelor of Science degree in mathematics from the University of California, Davis and a Master of Science degree in computer science from the University of Santa Clara.

, ,

No comments yet.

Leave a Reply