Enterprise IT Watch Blog

Feb 7 2011   11:25PM GMT

Cloud security standards commissioned from the NIST by America’s CIO

Melanie Yarbrough

In an effort to increase government adoption of cloud computing, America’s CIO Vivek Kundra commissioned the National Institute of Standards and Technology (NIST) to create the Guidelines on Security and Privacy in Public Cloud Computing. If the guidelines provide even a working definition of cloud computing and how to secure it, they would appear to be a success. From the report:

Cloud computing can and does mean different things to different people. The common characteristics most share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and dislocation of data from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.

But the standards aren’t just for the government’s benefit. If your company is considering cloud computing, take some notes on how to secure your own data in someone else’s data center.

Planning Makes Perfect (Well, Almost)

Anyone can make a list of the difficulties to watch out for after they’ve occurred. Planning cloud migration before any applications are deployed is key to the smoothest of sailing in a still-emerging technology. The NIST cautions organizations to pay attention to several details about the cloud provider during the planning stages of cloud computing, not after.

  • Cloud provider’s architecture
  • Support for identity and authentication
  • Controls for server security and data security

Security Concerns

The NIST’s report includes a comprehensive list of security and privacy concerns that apply to cloud computing. Among the concerns every organization considering cloud computing will face are trust, architecture, software isolation, data protection, availability, incident response and three universal security concerns:

  • Governance: Organizational control over employees is amplified by cloud computing. One of the many possibilities concerning IT departments from Europe to the United States is that parts of their enterprise are deploying cloud computing without their acknowledgment. Companies need to be sure that policies and standards for app development include cloud computing as well. The NIST report recommends “a risk management program…that is flexible enough to deal with the continuously evolving and shifting risk landscape.”
  • Compliance: Since many cloud service providers don’t provide customers with detailed information on where their data is stored or what security safeguards are in place, compliance can be tricky. At this point in the game, however, the organization retains liability for the data stored by a cloud service provider.
  • Identity and Access Management: Organizations may run into the problem of identification and authentication systems not translating into the cloud, accompanied by a hesitation to employ two separate authentication systems. The NIST’s report recommends identity federation, or else single sign-on or cross-domain single sign-on.

The 60-page report covers a plethora of firsthand concerns organizations are grappling with in the migration to the cloud. If security has been a speed bump in your migration to the cloud, take advantage of the NIST’s detailed outline of things to plan for as you move forward.

What do you think of the NIST’s guidelines? Is it a major step forward in the standardization of such a hard-to-lasso technology?

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

6  Comments on this Post

  • Pjb0222
    Nice document, but they failed to take a look at how it affects an organization's legal protections to data. Will all subpoenas come to the organization and allow the organization to respond or to the cloud provider which leaves the organization out of the loop on a legal action? This and other questions over legal compliance issues make public clouds risky.
  • Salesforce Head of Platform Research says to change your cloud tune - Enterprise IT Watch Blog
    [...] CIO Vivek Kundra’s push to the cloud and the NIST’s Guidelines on Security and Privacy in Public Cloud Computing, there are still [...]
  • Ignoring the cloud won’t save your job - Enterprise IT Watch Blog
    [...] on the brain, especially in an ever-evolving industry like IT. Add a high-profile case like the Obama administration’s cloud computing initiative and fears are exasperated. The recently released Brookings Institution study found that the [...]
  • The mother of all IT budget cuts - Enterprise IT Watch Blog
    [...] 2011, almost a direct inverse of the private sector’s data center usage. Federal government CIO Vivek Kundra has been talking about cloud computing adoption for a while now, and is looking to the savings possible in the cloud, whether it’s built and [...]
  • CloudSecurityGuy
    Cloud security standards have long been considered an unwieldy area. The CSA (Cloud Security Alliance) is a leader in security standard creation and implementation and has a set of standards specific to the cloud. The Cloud Controls Matrix (CCM) includes about 100 controls and assessment guidelines. At the ccskguide.org, we take a look at the various issues surrounding cloud computing and help prepare candidates for the CCSK Cloud Security Certification. To learn more about the CSA’s cloud security standards, check out our blog at: http://ccskguide.org/2011/06/cloud-security-standards/
  • Is 15 years of Microsoft enough preparation to fix government IT? - Enterprise IT Watch Blog
    [...] the government overhaul of its data centers and restructuring move to the cloud, the White House has announced that Steven VanRoekel is Vivek Kundra’s successor. VanRoekel, [...]
