NIST Formalizes Cloud Computing Definition

Last summer, Federal Chief Information Officer Vivek Kundra asked the National Institute of Standards and Technology (NIST) to help accelerate the federal government’s secure adoption of cloud computing by leading efforts to develop cloud standards and guidelines.

And NIST just delivered. The agency published two new draft documents on cloud computing. The first document, NIST Definition of Cloud Computing (NIST Special Publication (SP) 800-145) defines cloud computing at least as far as the government is concerned. The second document is Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144). The NIST definition hasn’t changed noticeably since its early definitions of cloud computing, which, according to NIST, cloud computing must consist of the following elements: on-demand self-service, broad network access, resource pooling, rapid elasticity and be a measured service.

The Guidelines on Security and Privacy in Public Cloud Computing provides a detailed overview of the associated challenges in public cloud, and provides a number of recommendations organizations should consider before turning to public clouds. The advice is what anyone familiar with risk management programs would expect: carefully consider the security and privacy aspects of public cloud; understand the cloud environment and whether it is appropriate for the business; and make sure clients are secured for cloud environments.

While the principles of good security and risk management don’t change in the cloud, the circumstances of the systems and the data do, says Pete Lindstrom, research director at Spire Security. “Your data will be co-located with other systems of other business units, and that means you are essentially inheriting the security of the highest-risk system on the hardware where your data or systems reside,” he says. “You can offset that risk by applying more stringent controls on those systems,” he says.

Essentially, analysts agree, consumers of public cloud services need to determine if the data is suitable to be stored and managed in a public cloud environment. “If a server on a public cloud is compromised, and your data is on that physical device, you could be at risk of having your systems comprised depending on how the security of the cloud provider is handled,” Lindstrom adds.

Another example would be if law enforcement raids a cloud service provider to seize a number of servers: They are likely to seize a physical server that contains virtual systems of the target organization as well as the data and services of others.

To mitigate such risks, NIST SP 800-144 provides a list of issues that need to be considered or put into action, such as handling regulatory compliance, identity management, availability, and incident response.

NIST’s guidance adds to existing work done by the Cloud Security Alliance and the European Network and Information Security Agency and it’s Cloud Computing Risk Assessment.

Source

Author
Recent Posts

Brian

Managing Partner at meshIP, LLC

Brian Byrne is the founder and Managing Partner of Dallas based meshIP, a technology services firm offering cloud computing strategies and services. He is an accomplished executive with senior management experience in all facets of the technology, telecom, cloud computing, and SaaS industries. He has proven success in developing, financing and executing strategic plans as well as launching new ventures. His background includes a record of significant achievement in international business development and his credentials include a MBA in Marketing and Management Strategy from the J.L. Kellogg Graduate School of Management at Northwestern University, a MS from the School of Computer Science at DePaul University, and a BBA in Finance from the University of Notre Dame.

He is also the inventor of the patented meshDETECT, Secure Prison Cell Phone Solutions.

LinkedIn Profile