NIST Issues Guidelines on Security and Privacy in Public Cloud Computing

3 Minute Read

February 7, 2011

Categories: Centre for Information Policy Leadership, Information Security, Online Privacy

The National Institute of Standards and Technology (“NIST”) has issued draft Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) (the “Guidelines”) for public comment. The Guidelines provide an overview of the security and privacy challenges pertinent to public cloud computing, and identify considerations for organizations outsourcing data, applications and infrastructure to a public cloud environment. The Guidelines are intended for use by federal agencies. Use in nongovernmental settings is voluntary.

The key guidelines from the report are summarized below:

Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

Specific security and privacy issues and recommendations include the following:

Issue	Precaution
Governance	Extend organizational practices pertaining to the policies, procedures and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing and monitoring of deployed or engaged services. Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.
Compliance	Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, and electronic discovery requirements. Review and assess the cloud provider’s offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements.
Trust	Incorporate mechanisms into the contract that allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time. Institute a risk management program that is flexible enough to adapt to the continuously evolving and shifting risk landscape.
Architecture	Understand the underlying technologies the cloud provider uses to provision services, including the implications of the technical controls involved on the security and privacy of the system with respect to the full lifecycle of the system and for all system components.
Identity & Access Management	Ensure that adequate safeguards are in place to secure authentication, authorization and other identity and access management functions.
Software Isolation	Understand virtualization and other software isolation techniques that the cloud provider employs, and assess the risks involved.
Data Protection	Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned.
Availability	Ensure that during an intermediate or prolonged disruption or a disaster, critical operations can be resumed immediately and all other operations can be reinstituted in a timely and organized manner.
Incident Response	Understand and negotiate the contract provisions and procedures for incident response required by the cloud provider.

NIST requests that suggested changes or enhancements be sent to 800-144comments@nist.gov no later than February 28, 2011. The Centre for Information Policy Leadership is preparing comments.

Tags: Cloud Computing, National Institute of Standards and Technology, Outsourcing

Privacy & Information Security Law Blog

Search

Recent Posts

Categories

Tags

Archives