FRAMINGHAM 3 FEBRUARY 2011 - Last summer, Federal Chief Information Officer Vivek Kundra asked the National Institute of Standards and Technology (NIST) to help accelerate the federal government's secure adoption of cloud computing by leading efforts to develop cloud standards and guidelines.
And NIST just delivered. The agency published two new draft documents on cloud computing. The first, The NIST Definition of Cloud Computing (NIST Special Publication (SP) 800-145), defines cloud computing, at least as far as the government is concerned. The second is Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144). The NIST definition hasn't changed noticeably since the agency's early definitions of cloud computing: according to NIST, a cloud computing service must exhibit the following five characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
The Guidelines on Security and Privacy in Public Cloud Computing provides a detailed overview of the security and privacy challenges associated with public cloud, and offers a number of recommendations organizations should consider before turning to public clouds. The advice is what anyone familiar with risk management programs would expect: carefully consider the security and privacy aspects of public cloud; understand the cloud environment and whether it is appropriate for the business; and make sure client systems are secured for cloud environments.
While the principles of good security and risk management don't change in the cloud, the circumstances of the systems and the data do, says Pete Lindstrom, research director at Spire Security. "Your data will be co-located with other systems of other business units, and that means you are essentially inheriting the security of the highest-risk system on the hardware where your data or systems reside," he says. "You can offset that risk by applying more stringent controls on those systems."
Essentially, analysts agree, consumers of public cloud services need to determine whether the data is suitable to be stored and managed in a public cloud environment. "If a server on a public cloud is compromised, and your data is on that physical device, you could be at risk of having your systems compromised depending on how the security of the cloud provider is handled," Lindstrom adds.
Another example would be if law enforcement raids a cloud service provider to seize a number of servers: They are likely to seize a physical server that contains virtual systems of the target organization as well as the data and services of others.