February 03, 2011, 12:00 PM — Last summer, Federal Chief Information Officer Vivek Kundra asked the National Institute of Standards and Technology (NIST) to help accelerate the federal government's secure adoption of cloud computing by leading efforts to develop cloud standards and guidelines.
And NIST just delivered. The agency published two new draft documents on cloud computing. The first document, NIST Definition of Cloud Computing (NIST Special Publication (SP) 800-145), defines cloud computing, at least as far as the government is concerned. The second document is Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144). The NIST definition hasn't changed noticeably from the agency's earlier definitions of cloud computing. According to NIST, cloud computing must consist of the following elements: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.
The Guidelines on Security and Privacy in Public Cloud Computing provides a detailed overview of the challenges associated with public cloud and offers a number of recommendations organizations should consider before turning to public clouds. The advice is what anyone familiar with risk management programs would expect: carefully consider the security and privacy aspects of public cloud; understand the cloud environment and whether it is appropriate for the business; and make sure clients are secured for cloud environments.
While the principles of good security and risk management don't change in the cloud, the circumstances of the systems and the data do, says Pete Lindstrom, research director at Spire Security. "Your data will be co-located with other systems of other business units, and that means you are essentially inheriting the security of the highest-risk system on the hardware where your data or systems reside," he says. "You can offset that risk by applying more stringent controls on those systems," he says.