IRS Safeguards Technical Assistance Memorandum Protecting Federal Tax Information (FTI) in a Cloud Computing Environment
June 2013 Update
As defined by the National Institute of Standards and Technology, “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
As agencies look to reduce costs and improve reliability of business operations, cloud computing offers an alternative to traditional data center models. By utilizing the following cloud service models, agencies may be able to reduce hardware and personnel costs by eliminating redundant operations and consolidating resources.
While cloud computing offers many potential benefits, it is not without risk. The primary security concerns with cloud computing are: 1) data is not stored in an agency-managed data center; 2) the agency must rely on the provider’s security controls for protection; 3) data may not be transferred securely between the cloud provider and the service consumer; 4) interfaces used to access FTI in a cloud environment, including authentication and authorization controls, may not be secured according to customer requirements; and 5) data from multiple customers is potentially commingled in the cloud environment.
Limiting access to authorized individuals becomes a much greater challenge with the increased availability of data in the cloud, and agencies may have greater difficulty identifying FTI when it is segregated or commingled in the cloud environment. Agencies that utilize a public cloud model should have increased oversight and governance over the security controls implemented by their cloud provider. Monitoring and addressing security issues that arise with FTI in a cloud environment remain the responsibility of the agency.
The Federal Government launched the Federal Risk and Authorization Management Program (FedRAMP) in June 2012 to account for the unique security requirements surrounding cloud computing. FedRAMP consists of a subset of NIST 800-53 security controls targeted at cloud provider and customer security requirements.
Based on NIST guidance, the FedRAMP control baseline, industry best practices, and Internal Revenue Service Publication 1075, this memo provides agencies with guidance for securing FTI in a cloud environment. These requirements are subject to change based on updated standards or guidance. Agencies and their cloud providers should also review the requirements of FedRAMP and ensure overall compliance with these guidelines.
Cloud Computing Definition
Five essential characteristics define a cloud computing environment and differentiate it from a traditional computing environment:
- On-Demand Self-Service – customer can provision computing resources without requiring interaction with the service provider.
- Broad Network Access – computing resources are provided over the network and accessed through various platforms.
- Resource Pooling – computing resources are pooled to serve multiple customers with resources dynamically assigned according to customer need.
- Rapid Elasticity – resources can be rapidly provisioned to scale up or down based on real-time need.
- Measured Service – resource usage can be monitored and controlled using a metering capability.
Service and Deployment Models
An agency’s cloud implementation is a combination of a service model and a deployment model.
Service models are defined by the resource stack provided as part of the cloud solution and the division of responsibilities between the agency and the cloud provider. The lower down the resource stack the provider stops providing services, the more of the security the customer is responsible for implementing and managing. NIST SP 800-145 outlines the possible service models that may be employed during a cloud implementation.
- Software as a Service. The capability provided to the customer is to use the provider’s applications running on the provider’s cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The customer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. The SaaS model provides the highest level of abstraction, in which the provider manages the facilities, the interaction between software and hardware, and the software itself. The provider is responsible for the highest amount of security and data protection under this model, and the customer negotiates those protections into the service contract with the provider.
- Platform as a Service. The capability provided to the customer is to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider. PaaS adds a layer of integration with application development frameworks and middleware capabilities that allow developers to build applications on the platform with programming languages and tools supported by the stack. The customer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Security is a shared responsibility: the provider is responsible for the underlying platform infrastructure, and the customer is responsible for securing the applications developed on the platform.
- Infrastructure as a Service. The capability provided to the customer is to provision processing, storage, networks, and other fundamental computing resources where the customer is able to deploy and run arbitrary software, which can include operating systems and applications. The computing infrastructure is typically deployed as a virtual environment. The customer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls). The customer is responsible for the highest amount of security and data protection under this model.
Organizations have several choices for deploying a cloud computing model, as defined by NIST in SP 800-145:
- Private cloud. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party and may exist on premise or off premise. The private cloud model is typically considered the lowest risk out of the different deployment models because the organization retains the most control over the deployment of their data, and computing resources can be segregated or dedicated to a specific organization or business unit. Ownership, operations and maintenance of the facilities, computer hardware and software may fall under the responsibilities of an organization directly associated with the customer (e.g. state government-wide, agency specific). However, some commercial cloud providers may also offer a private cloud service.
- Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. A community cloud may contain multiple customers that share a similar purpose (e.g. a cloud environment may be established to serve only multiple Federal government customers). The existence of multiple customer data sets may make it difficult to prevent commingling of data. Ownership, operations and maintenance of the facilities, computer hardware and software may fall with either the community or a cloud provider.
- Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. The public cloud model is typically considered the highest risk due to its wide-scale accessibility and limited segregation of services. Customer data is commingled and difficult to identify for auditing purposes. Ownership, operations and maintenance of the facilities, computer hardware and software most often fall with the cloud provider.
- Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). The evaluation of risk at the hybrid cloud model is unique to each deployment.
The following table summarizes the four deployment models, and the relationship of system management, ownership and location for each model.
| Deployment Model | System Management | System Owners | System Location |
|---|---|---|---|
| Private | Agency or Provider | Agency or Provider | Agency or Provider Site |
| Community | Agency or Provider | Agency or Provider | Agency or Provider Site |
| Hybrid | Agency and Provider | Agency and Provider | Agency and Provider Site |
The risk to data varies in each of the four deployment models, with the private cloud typically being the lowest risk model and the public cloud being the highest risk model. Depending on the deployment model, compensating controls can be accepted in place of the mandatory requirements, provided those compensating controls provide the same level of protection as the mandatory controls for safeguarding FTI.
The service and deployment models used in a cloud computing environment determine how responsibility for implementing security controls is divided between the agency and the cloud provider for the protection of FTI stored or processed in the cloud environment. The delineation of security control responsibility is heavily dependent on the service and deployment models of the solution the agency is adopting. For example, if the solution is a SaaS e-mail solution, the agency may be responsible for only a small subset of security control responsibilities. If the agency is deploying its own applications to a PaaS or IaaS solution, it will have greater responsibility for securing the application layer, and potentially the platform and middleware, and may have responsibilities in almost all of the Publication 1075 (NIST 800-53) control families, with the possible exception of the personnel and physical security requirements. Figure 1 is a notional illustration of the differences in scope between the cloud consumer (agency) and the cloud provider for each of the service models discussed above.