NIST Special Publication 800-210: "General Access Control Guidance for Cloud Systems"
Announcement
NIST has published Special Publication (SP) 800-210, General Access Control Guidance for Cloud Systems, which presents an initial step toward understanding security challenges in cloud systems by analyzing the access control (AC) considerations in all three cloud service delivery models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Essential cloud characteristics that affect AC design are also summarized, such as broad network access, resource pooling, rapid elasticity, measured service, and data sharing. Guidance for the AC design of IaaS, PaaS, and SaaS is proposed according to their different characteristics. Recommendations for AC design in different cloud systems are also included to facilitate future implementations. Additionally, potential policy rules are summarized for each cloud system.
Abstract
This document presents cloud access control characteristics and a set of general access control guidance for cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). Different service delivery models require managing different types of access on offered service components. Such service models can be considered hierarchical; thus, the access control guidance for functional components in a lower-level service model is also applicable to the same functional components in a higher-level service model. In general, access control guidance for IaaS is also applicable to PaaS and SaaS, and access control guidance for IaaS and PaaS is also applicable to SaaS. However, each service model has its own focus with regard to access control requirements for its service.
Keywords
access control; access control mechanism; Cloud; cloud systems; policy; authorization; ABAC; RBAC.
Executive Summary
Cloud systems have been developed over time and conceptualized through a combination of software, hardware components, and virtualization technologies. Characteristics of the cloud, such as resource pooling, rapid elasticity, and pay-as-you-go services, accelerated its wide adoption by industry, government, and academia. Specifically, cloud systems offer application services, data storage, data management, networking, and computing resources management to consumers over a network (the internet in general). Despite the great advancements of cloud systems, concerns have been raised about the offered level of security and privacy. The importance of these concerns becomes more evident when considering the increasing number of users who have adopted cloud services.
This document presents cloud access control (AC) characteristics and a set of general access control guidance for cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). The main focus is on technical aspects of access control, without considering deployment models (e.g., public, private, or hybrid clouds) or trust and risk management issues, which require different layers of discussion that depend on the security requirements of the business function or the deploying organization for which the cloud system is implemented. Different service delivery models need to consider managing different types of access on offered service components. Such considerations can be hierarchical: the access control considerations for functional components in a lower-level service model (e.g., the networking and storage layers in the IaaS model) are also applicable to the same functional components in a higher-level service model (e.g., networking and storage in the PaaS and SaaS models). In general, access control considerations for IaaS are also applicable to PaaS and SaaS, and access control considerations for IaaS and PaaS are also applicable to SaaS. Therefore, AC guidance for IaaS is applicable to PaaS and SaaS, and AC guidance for IaaS and PaaS is also applicable to SaaS. However, each service model has its own focus with regard to access control requirements for its service.
Table of Contents
Executive Summary
1 - Introduction
2 - Cloud Access Control Characteristics
3 - Access Control Guidance for IaaS
4 - Access Control Guidance for PaaS
5 - Access Control Guidance for SaaS
6 - Access Control Guidance for Inter- and Intra-Operation
7 - Conclusions
References
Appendix - Guidance and SP 800-53 Revision 4 Access Control (AC) Family Mapping
Document background history
- Draft published: April 1, 2020
- Comments due: May 15, 2020
- Final version published: July 31, 2020
________________________________________________________________
Olivier Caleff - CSA French Chapter - Chapter Leader
[email protected]
https://CloudSecurityAlliance.fr