The Guidelines on Security and Privacy in Public Cloud Computing provides a detailed overview of the associated challenges in public cloud, and provides a number of recommendations organizations should consider before leaping in.

Last summer, Federal Chief Information Officer Vivek Kundra asked the National Institute of Standards and Technology (NIST) to help accelerate the federal government’s secure adoption of cloud computing by leading efforts to develop cloud standards and guidelines. And NIST just delivered. The agency published two new draft documents on cloud computing. The first document, NIST Definition of Cloud Computing (NIST Special Publication (SP) 800-145), defines cloud computing, at least as far as the government is concerned. The second document is Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144).

The NIST definition hasn’t changed noticeably since its early drafts: according to NIST, cloud computing must consist of the following elements: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.

The advice in SP 800-144 is what anyone familiar with risk management programs would expect: carefully consider the security and privacy aspects of public cloud; understand the cloud environment and whether it is appropriate for the business; and make sure clients are secured for cloud environments. While the principles of good security and risk management don’t change in the cloud, the circumstances of the systems and the data do, says Pete Lindstrom, research director at Spire Security.
“Your data will be co-located with other systems of other business units, and that means you are essentially inheriting the security of the highest-risk system on the hardware where your data or systems reside,” he says. “You can offset that risk by applying more stringent controls on those systems,” he says.

Essentially, analysts agree, consumers of public cloud services need to determine if the data is suitable to be stored and managed in a public cloud environment. “If a server on a public cloud is compromised, and your data is on that physical device, you could be at risk of having your systems compromised depending on how the security of the cloud provider is handled,” Lindstrom adds.

Another example would be if law enforcement raids a cloud service provider to seize a number of servers: They are likely to seize a physical server that contains virtual systems of the target organization as well as the data and services of others.

To mitigate such risks, NIST SP 800-144 provides a list of issues that need to be considered or put into action, such as handling regulatory compliance, identity management, availability, and incident response.

NIST’s guidance adds to existing work done by the Cloud Security Alliance and the European Network and Information Security Agency and its Cloud Computing Risk Assessment.

NIST is requesting public comments on both documents through the end of February. Comments for SP 800-145 can be sent to 800-145comments@nist.gov, while comments for SP 800-144 can be sent to 800-144comments@nist.gov.

George V. Hulme is a freelance writer who specializes in security and technology. He can be found on Twitter as @georgevhulme.