NIST SP 800-210(Draft) General Access Control Guidance for Cloud Systems

こんにちは、丸山満彦です。

NISTが SP 800-210(Draft) General Access Control Guidance for Cloud Systemsの意見募集をしていますね。。。

IaaS、PaaS、SaaSの3つのクラウド・サービス提供モデルにおけるアクセス制御（AC）の考慮事項を分析し、クラウド・システムにおけるセキュリティ上の課題を理解するための第一歩を提示しているとのことです。

IaaSのACガイダンスはPaaSとSaaSに適用され、IaaSとPaaSのACガイダンスはSaaSにも適用されるものの、各サービスモデルにはそのサービスのアクセス制御要件に関して独自の焦点が必要となる場合もありますね。

 

● NIST ITL

・2020.04.01 SP 800-210(Draft) General Access Control Guidance for Cloud Systems

-----

Announcement

This draft guidance presents an initial step toward understanding security challenges in cloud systems by analyzing the access control (AC) considerations in all three cloud service delivery models—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Essential characteristics that would affect the Cloud's AC design are also summarized, such as broad network access, resource pooling, rapid elasticity, measured service, and data sharing. Various guidance for AC design of IaaS, PaaS, and SaaS are proposed according to their different characteristics. Recommendations for AC design in different cloud systems are also included to facilitate future implementations. Additionally, potential policy rules are summarized for each cloud system.

Abstract

This document presents cloud access control characteristics and a set of general access control guidance for cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). Different service delivery models require managing different types of access on offered service components. Such service models can be considered hierarchical, thus the access control guidance of functional components in a lower-level service model are also applicable to the same functional components in a higher-level service model. In general, access control guidance for IaaS is also applicable to PaaS and SaaS, and access control guidance for IaaS and PaaS is also applicable to SaaS. However, each service model has its own focus with regard to access control requirements for its service.

-----

 

Executive Summary

Cloud systems have been developed over time and conceptualized through the combination of software, hardware components, and virtualization technologies. Characteristics of the cloud, such as resource pooling, rapid elasticity, and pay-as-you-go services, accelerated its wide adoption by industry, government, and academia. Specifically, cloud systems offer application services, data storage, data management, networking, and computing resources management to consumers over a network (the internet in general). Despite the great advancements of cloud systems, concerns have been raised about the offered level of security and privacy. The importance of these concerns becomes more evident when considering the vast number of users who have adopted cloud services.

This document presents cloud access control (AC) characteristics and a set of general access control guidance for cloud service models—IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service)—without considering deployment models (e.g., public cloud, private cloud), which require another layer of access control that depends on the security requirements of the business function or the organization of deployment for which the cloud system is implemented. Different service delivery models need to consider managing different types of access on offered service components. Such considerations can be hierarchical, such as how the access control considerations of functional components in a lower-level service model (e.g., networking and storage layers in the IaaS model) are also applicable in the same functional components in a higher-level service model (e.g., networking and storage in PaaS and SaaS models). In general, access control considerations for IaaS are also applicable to PaaS and SaaS, and access control considerations for IaaS and PaaS are also applicable to SaaS. Therefore, AC guidance for IaaS is applicable to PaaS and SaaS, and AC guidance for IaaS and PaaS is also applicable to SaaS. However, each service model has its own focus with regard to access control requirements for its service.

 

Table of Contents

Executive Summary

1 Introduction

 1.1 Purpose
 1.2 Scope
 1.3 Audience
 1.4 Document Structure

2 Cloud Access Control Characteristics

3 Access Control Guidance for IaaS

 3.1 Guidance for Network
 3.2 Guidance for Hypervisor
 3.3 Guidance for Virtual Machines
 3.4 Guidance for APIs
 3.5 Recommendations for IaaS Access Control

4 Access Control System for PaaS

 4.1 Guidance for Memory Data
 4.2 Guidance for APIs
 4.3 Recommendations for PaaS Access Control

5 AC System for SaaS

 5.1 Guidance for Data Owner’s Control
 5.2 Guidance for Confidentiality
 5.3 Guidance for Privilege Management
 5.4 Guidance for Multiple Replicas of Data
 5.5 Guidance for Multi-tenancy
 5.6 Guidance for Attribute and Role Management
 5.7 Guidance for Policies
 5.8 Guidance for APIs
 5.9 Recommendations for SaaS Access Control

6 Guidance for Inter and Intra Operation

7 Conclusions

 References

List of Appendices

 Guidance and SP 800-53 Revision 4 AC Control Mapping