The National Institute of Standards and Technology has been thinking cloud for a while — but now, NIST is getting serious about hammering out clear security requirements for Web-based computing applications and services.
NIST was tasked by federal Chief Information Officer Vivek Kundra with accelerating the formation of security guidelines to fast-track the federal adoption of the cloud. Kundra has been a high-profile federal advocate of cloud computing, announcing late last year a “cloud-first” policy for federal agencies.
And now, NIST is opening up the floor for public comments. The proposal, “Guidelines on Security and Privacy in Public Cloud Computing,” highlights security and privacy challenges related to public cloud computing as well as what steps organizations should take when migrating to the cloud.
“Cloud computing can and does mean different things to different people,” the report said, acknowledging that for all the progress made, “cloud computing remains a work in progress.”
One public cloud security pitfall seems like a no-brainer: Oftentimes, cloud providers are not aware of an agency or organization’s actual security needs. And the solution seems just as clear-cut.
“Organizations should require that any selected public cloud computing solution is configured, deployed and managed to meet their security, privacy and other requirements,” the guidelines state.
Along with the security guidelines, NIST offered a clear-cut definition for cloud computing. NIST’s report includes five “essential” characteristics to identify what falls under the scope of the cloud:
On-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.
The recommended security guidelines and the cloud definition are open to comments from the public. NIST also launched a cloud-computing collaboration website to provide information and to further the dialogue between government researchers, agency technology chiefs and the broader public.