In an effort to increase government adoption of cloud computing, America’s CIO Vivek Kundra commissioned the National Institute of Standards and Technology (NIST) to create the Guidelines on Security and Privacy in Public Cloud Computing. If the guidelines provide even a working definition of cloud computing and how to secure it, they would appear to be a success. From the report:
Cloud computing can and does mean different things to different people. The common characteristics most share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and dislocation of data from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.
But the standards aren’t just for the government’s benefit. If your company is considering cloud computing, take some notes on how to secure your own data in someone else’s data center.
Planning Makes Perfect (Well, Almost)
Anyone can make a list of the difficulties to watch out for after they’ve occurred. Planning cloud migration before any applications are deployed is key to the smoothest of sailing in a still-emerging technology. The NIST cautions organizations to pay attention to several details about the cloud provider during the planning stages of cloud computing, not after.
- Cloud provider’s architecture
- Support for identity and authentication
- Controls for server security and data security
The NIST’s report includes a comprehensive list of security and privacy concerns that apply to cloud computing. Among the concerns every organization considering cloud computing will face are trust, architecture, software isolation, data protection, availability, incident response and three universal security concerns:
- Governance: The need for organizational control over employees is amplified by cloud computing. One of the many possibilities concerning IT departments from Europe to the United States is that parts of their enterprise are deploying cloud computing without their acknowledgment. Companies need to be sure that policies and standards for app development include cloud computing as well. The NIST report recommends “a risk management program…that is flexible enough to deal with the continuously evolving and shifting risk landscape.”
- Compliance: Since many cloud service providers don’t give customers detailed information on where their data is stored or what safeguards are in place, compliance can be tricky. At this point in the game, however, the organization retains liability for the data stored by a cloud service provider.
- Identity and Access Management: Organizations may find that their identification and authentication systems do not translate into the cloud, and may hesitate to run two separate authentication systems. The NIST’s report recommends identity federation, or else single sign-on or cross-domain single sign-on.
The 60-page report covers a plethora of firsthand concerns organizations are grappling with in the migration to the cloud. If security has been a speed bump in your migration to the cloud, take advantage of the NIST’s detailed outline of things to plan for as you move forward.
What do you think of the NIST’s guidelines? Are they a major step forward in the standardization of such a hard-to-lasso technology?