Guidelines on Security and Privacy in Public Cloud Computing | NIST

NIST Special Publication 800-144 - Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.


[31]  Jörg Schwenk,et al.  All your clouds are belong to us: security analysis of cloud management interfaces , 2011, CCSW '11.

[32]  Simson L. Garfinkel,et al.  An Evaluation of Amazon's Grid Computing Services: EC2, S3, and SQS , 2007 .

[33]  Carla Merkle Westphall,et al.  Intrusion Detection for Grid and Cloud Computing , 2010, IT Professional.

[34]  Wayne A. Jansen,et al.  Directions in Security Metrics Research , 2009 .

[35]  Helen J. Wang,et al.  SubVirt: implementing malware with virtual machines , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[36]  Gottfried Vossen,et al.  Datenbanksysteme in Business, Technologie und Web , 2005 .

[37]  J. H. P Eloff,et al.  Proposing a Secure XACML architecture ensuring privacy and trust , 2005 .

[38]  G. DeFriese,et al.  The New York Times , 2020, Publishing for Libraries.

[39]  Joan Hash,et al.  Security Guide for Interconnecting Information Technology Systems: Recommendations of the National Institute of Standards and Technology: NIST Special Publication 800-47 , 2002 .

[40]  Steve Cocheo The Bank Robber, the Quote, and the Final Irony , 1997 .

[41]  G. Stoneburner,et al.  Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[42]  Marianne Swanson,et al.  SP 800-18 Rev. 1. Guide for Developing Security Plans for Federal Information Systems , 2006 .

[43]  Gary Stoneburner,et al.  SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[44]  Neal Leavitt,et al.  Is Cloud Computing Really Ready for Prime Time? , 2009, Computer.

[45]  Niels Provos,et al.  The Ghost in the Browser: Analysis of Web-based Malware , 2007, HotBots.

[46]  Craig Valli,et al.  The 2008 Australian study of remnant data contained on 2nd hand hard disks: the saga continues , 2012, ArXiv.

[47]  Chris Rose,et al.  A Break in the Clouds: Towards a Cloud Definition , 2011 .

[48]  Tal Garfinkel,et al.  When Virtual Is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments , 2005, HotOS.

[49]  Stefan Frei,et al.  Understanding the web browser threat: examination of vulnerable online web browser populations and the "insecurity iceberg" , 2008 .

[50]  T. S. Raghu,et al.  The Information Assurance Practices of Cloud Computing Vendors , 2010, IT Professional.

[51]  Adams-Baldwin The City of Los Angeles. , 1927, California and western medicine.

[52]  Kelley L. Dempsey,et al.  Information Security Continuous Monitoring for Federal Information Systems and Organizations , 2011 .

[53]  David A. Couillard Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing , 2009 .

[54]  Siani Pearson,et al.  Taking account of privacy when designing cloud computing services , 2009, 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing.

[55]  P. Mell,et al.  The NIST Definition of Cloud Computing , 2011 .

[56]  Farnam Jahanian,et al.  Empirical Exploitation of Live Virtual Machine Migration , 2007 .

[57]  Randy H. Katz,et al.  A view of cloud computing , 2010, CACM.

[58]  Peng Ning,et al.  Managing security of virtual machine images in a cloud environment , 2009, CCSW '09.

[59]  Bernd Grobauer,et al.  Towards incident handling in the cloud: challenges and approaches , 2010, CCSW '10.

[60]  L. Youseff,et al.  Toward a Unified Ontology of Cloud Computing , 2008, 2008 Grid Computing Environments Workshop.

[61]  T. Grance,et al.  SP 800-122. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) , 2010 .

[62]  Tavis Ormandy An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments Tavis , 2007 .

[63]  Timothy Grance,et al.  Guide to Information Technology Security Services , 2003 .