NIST Gives the [Public Sector] Cloud Thumbs Up
NIST (the National Institute of Standards and Technology) http://csrc.nist.gov/ has unveiled sets of guidelines for managing security and privacy issues in the Cloud. These proposals contain guidelines that I really like. While my focus is in the private sector, not the public, you can bet that I’ll be encouraging my clients and the vendors that I work with to adopt these NIST guidelines.
This is still a draft proposal “NIST Guidelines on Security and Privacy in Public Cloud Computing, SP800-144” and while NIST is focusing its efforts at public-sector organizations (government agencies, etc.), it won’t take long for the private sector to catch on and begin adopting these NIST Cloud computing standards.
Service Level Agreement (SLA): today’s Cloud provider typically dictates the terms of service to the subscriber. NIST is strongly recommending that this model be inverted, that the subscriber negotiates the SLA to better fit their organization’s concerns about security and privacy. What do you need to look for?
- Self-service: how much of the work will the subscriber have to do, how much will the Cloud provider do, and what’s the cost breakdown?
- Quota management: how are resources allocated, and what happens when you need or less?
- Resource metering: data flows can vary according to time of day, day of the week, week of the year. How will these variations be met?
- Hypervisor: is it secure? Is it efficient? Is it a mainstream product?
- Guest virtual machines: how many VMs, who are the subscribers, what is the continuity strategy for each VM?
- Supporting middleware: is it secure?
- Deployed applications: where will they reside? (hopefully not on a VM that’s supported by the same physical server as the database that serves up the data for these apps…)
- Data storage: how much, were (physically) is it located, are the storage disks being shared between subscriber organizations?
What to Negotiate? What questions do you need to ask when considering moving operations to the cloud?
- Are the Cloud provider’s employees vetted?
- Who owns the data, and what are the exit rights & procedures?
- Tenant applications: as a Cloud subscriber you will most likely be sharing a server and disk storage with other subscribers; how will the various subscribers’ applications and data be isolated from each another?
- Will your data be encrypted, and how? Will it be encrypted just at rest, or also while in transit? Will it be segregated from other companies’ data, and how?
- What kind of tracking and reporting services can you expect?
- Is the Cloud provider in full compliance with all laws and regulations that you, as an organization, are bound by?
- Does the Cloud provider use products (software, hardware, etc.) that meet federal & national standards? How do you know this?
Hold the Cloud provider accountable; make sure that audit mechanisms and tools are in place to:
- Determine how data is stored, used, and protected;
- Validate services (you don’t want to be under- or over-charged, after all);
- Verify policy enforcement (just because they say they do something…).
Where will your data be located? Cloud providers generally have a network of disk farms on which subscribers’ data is stored. Usually, detailed information about where the data is physically located is unavailable or not disclosed to the subscriber. Note that when data crosses national borders, legal, privacy and regulatory rules – and possibly even security rules – can be ambiguous or non-enforceable.
Earth to Enterprise, don’t forget the client side. Mobile devices connected to Cloud-based applications & databases can make maintaining physical and logical security very troublesome.
NIST gives the Cloud a thumbs up. Despite the obvious room for improvement, NIST ascertains that “…cloud computing is a compelling computing paradigm that agencies need to incorporate as part [of] their information technology set.”
For the original breaking news report go to CIO Insight, Security Slideshow, NIST Cloud Security Guidelines, www.cioinsight.com/c/a/Security/NIST-Cloud-Security-Guidelines-591748/
Best of luck with your Cloud projects, wishing you sunny days ahead!
For more reading on cloud computing emerging guidelines and standards:
www.nist.gov, Information Technology Portal, ITL, Computer Security Division
NIST Issues Cloud Computing Guidelines forManaging Security…
NIST Special Publication Helps to Demystify Cloud Computing