NIST Invites Comment on Guidance for Who Gets to Access What in the Cloud 

Stakeholders have until May 15 to provide feedback to the National Institute of Standards and Technology on draft guidance for controlling how various users should be allowed to navigate within cloud computing environments.

Security is cited as a clear benefit in the federal government’s policy for improving efficiency by driving agencies to use cloud providers for software-, platform- and infrastructure as a service “to the furthest extent practicable.” 

But the push to adopt cloud services has sometimes led to a misconception that cloud providers become responsible for securing sensitive data from hackers.

Draft NIST Special Publication 800-210 dispenses that notion early on, before delving into specific guidelines and recommendations on the cloud services federal agencies are encouraged to adopt.

“Regardless of the service model, consumers are entitled to be responsible for the security of their cloud-based data and, implicitly, of who has access to it,” the authors write. “For this reason, data is never controlled by cloud providers but rather always stays with the cloud customers.”

Much like the physical world, security in the cloud relies on limiting the number of individuals who have access to various levels of a shared computing architecture.  

Within an IaaS cloud model, which NIST describes as “the cornerstone of all cloud services that offer computing and storage through a network such as the internet,” virtual machines can use common storage and network bandwidth from a single physical computer. Administrators manage them via a monitor called a hypervisor.

“Some cloud systems make it easy to share information among VMs by, for instance, allowing users to create multiple VMs on top of the same hypervisor if multiple VMs are available,” NIST notes. This offers conveniences such as the ability to copy and paste information between virtual machines through a clipboard, but NIST warns it could also allow data leakage. 

This introduces an attack vector, NIST says, noting “isolation between VMs is necessary.”

In addition, VM resource usage and management should be monitored and regulated “so that a malicious VM can be prohibited from exhausting computation resources.”

NIST provides tables to guide administrators on whether a party that has certain capabilities on one level, such as a virtual machine, should be granted access to another level, such as a hypervisor.

“An attacker in a VM with lower access rights may be able to escalate their access privilege to a higher level by compromising the hardware resources allocation within the hypervisor,” the publication reads. “Protecting the hypervisor from unauthorized access is therefore critical to the security of IaaS service.”

NIST notes that establishing access control over the hypervisor is only available in private—not public—cloud environments.

RELATED PODCAST