NIST guide tackles security challenges of public cloud computing
Draft starts with evolving definition of what the cloud is
Cloud computing is an increasingly popular but evolving paradigm that presents challenges to security along with its promises of greater efficiency and flexibility. The National Institute of Standards and Technology has proposed guidelines for addressing these challenges, together with a concise definition of cloud computing.
“Many of the features that make cloud computing attractive can also be at odds with traditional security models and controls,” says draft Special Publication 800-144, “Guidelines on Security and Privacy in Public Cloud Computing.”
The guidelines emphasize planning, awareness and accountability as agencies consider moving resources to the public cloud.
Advantages of cloud computing can come with a serious price tag
NASA explores the cloud with Nebula
One of the first challenges to be addressed in cloud computing is defining the term.
“Cloud computing can and does mean different things to different people,” the guidelines document states. The technology and concept is evolving, and NIST expects that the definition will change over time as well. The definition published in Draft SP 800-145 is intended to provide a starting place for discussing and defining security needs.
According to the short definition, “cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Essential characteristics identified are on-demand service, broad network access, resource pooling, rapid elasticity and measured service. Service models include cloud software as a service, cloud platform as a service and cloud infrastructure as a service. These can be deployed in any combination of private, public or community cloud models, depending on their management and how access to the resources is controlled.
“NIST intends this informal definition to enhance and inform the public debate on cloud computing,” the draft of SP 800-145 states. “Cloud computing is still an evolving paradigm. Its definition, use cases, underlying technologies, issues, risks, and benefits will be refined and better understood with a spirited debate by the public and private sectors.”
The NIST definition identifies a set of expected characteristics for cloud computing, but the agency notes in the proposed security guidelines that cloud computing remains a work in progress, which complicates the issue of security.
“The security challenges cloud computing presents are formidable, especially for public clouds whose infrastructure and computational resources are owned by an outside party that sells those services to the general public,” the guidelines state. The guidelines provide an overview of security and privacy challenges and points out considerations that organizations should take when outsourcing data, applications and infrastructure to a public cloud.
Key security and privacy guidelines are:
Carefully plan the security and privacy aspects of cloud computing solutions before engaging them. As with any emerging area of IT, cloud computing should be approached carefully with due consideration to the sensitivity of data. To maximize effectiveness and minimize costs, security and privacy must be considered from the initial planning of the systems development life cycle.
Understand the computing environment offered by public cloud providers and ensure that the solution satisfies organizational security and privacy requirements. Cloud providers are generally not aware of a specific agency’s security and privacy needs, and agencies should require that any solution is configured, deployed, and managed to meet security, privacy, and other requirements.
Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing. Cloud computing encompasses both a server and a client side, and the latter can be easily overlooked. As part of the overall cloud computing security architecture, agencies should review existing measures and employ additional ones as necessary to secure the client side.
Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments. Strong management practices are essential for operating and maintaining a secure cloud computing solution. In general, organizations should have security controls in place for cloud-based applications that are commensurate with or surpass those used if the applications were deployed in-house.
Comments on the draft documents should be submitted to firstname.lastname@example.org and to email@example.com by Feb. 28.