The father of the Internet had some tough talk for one of his progeny. In a roundtable after his Interop keynote, Vint Cerf – instrumental in DARPA’s funding and guidance of the early TCP/IP protocol and currently a chief evangelist at Google – said cloud providers need to not only become better about giving companies and users access to their cloud data, but also in easily porting it from one platform to another.

The impetus to open up, he said, “always comes from users who say, ‘I will not use this unless I can get it in an open way.” There is hope, he said, drawing on the history of e-mail which slowly standardized while continuing to evolve over the years, but cloud providers need to be more creative about the opportunities that opening up could provide not just to users, but to the platforms themselves.

“Standards allow any cloud to view another cloud as if it were comparable,” he said. When that happens, clouds could specialize in what they’re best at: A great geolocating cloud, for example, could be given access to a real-estate database cloud only long enough to clean up and map the data. Getting to that point, however, is no small feat.

Cerf said that access controls and security rules need to be just as portable as the underlying information. “It’s not just about moving data,” he said.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

Cloud computing can and does mean different things to different people. The common
characteristics most share are on-demand scalability of highly available and reliable pooled
computing resources, secure access to metered services from nearly anywhere, and dislocation of data from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.

But the standards aren’t just for the government’s benefit. If you’re company’s considering cloud computing, take some notes on how to secure your own data in someone else’s data center.

Planning Makes Perfect (Well, Almost)

Anyone can make a list of the difficulties to watch out for after they’ve occurred. Planning cloud migration before any applications are deployed is key to the smoothest of sailing in a still-emerging technology. The NIST cautions organizations to pay attention to several details about the cloud provider during the planning stages of cloud computing, not after.

• Cloud provider’s architecture
• Support for identity and authentication
• Controls for server security and data security

Security Concerns

The NIST’s report includes a comprehensive list of security and privacy concerns that apply to cloud computing. Among the concerns every organization considering cloud computing will face are trust, architecture, software isolation, data protection, availability, incident response and three universal security concerns:

• Governance: Organizational controls over employees is amplified by cloud computing. One of the many possibilities concerning IT departments from Europe to the United States is that parts of their enterprise are deploying cloud computing without their acknowledgment. Companies need to be sure that policies and standards for app development includes cloud computing as well. The NIST report recommends “a risk management program…that is flexible enough to deal with the continuously evolving and shifting risk landscape.”
• Compliance: Since many cloud service providers don’t provide the customers with detailed information on where their data is stored or what security guards are in place, compliance can be tricky. At this point in the game, however, the organization retains liability for the data stored by a cloud service provider.
• Identity and Access Management: Organizations may run into the problem of identification and authentication systems not translating into the cloud accompanied by hesitation to employ two separate authentication systems. The NIST’s report recommends identity federation, or else single sign-on or cross-domain single sign-on.

The 60-page report covers a plethora of firsthand concerns organizations are grappling with in the migration to the cloud. If security has been a speed bump in your migration to the cloud, take advantage of the NIST’s detailed outline of things to plan for as you move forward.

What do you think of the NIST’s guidelines? Is it a major step forward in the standardization of such a hard-to-lasso technology?

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.