NIST report aims to help U.S. agencies deploy cloud apps
Cloud computing can provide value only if security, management is properly planned, NIST says
Computerworld - Organizations that are deploying public cloud computing applications need to pay close attention to security and management risks, the National Institute of Standards and Technology said in a report released Wednesday.
"With the wide availability of cloud computing services, lack of organizational controls over employees engaging such services arbitrarily can be a source of problems," NIST noted in a document prescribing a set of security and privacy guidelines for cloud computing. "Without proper governance, the organizational computing infrastructure could be transformed into a sprawling, unmanageable mix of insecure services."
The issue is somewhat similar to the problems created when individual employees and small groups set up rogue wireless access points in an enterprise network, the report noted.
NIST prepared the Guidelines on Security and Privacy in Public Cloud Computing in response to a directive from federal CIO Vivek Kundra.
As part of his effort to accelerate the government adoption of cloud computing Kundra asked NIST to develop a set of security standards and guidelines agencies can use when moving applications and data to the cloud.
The goal of the document is not to create fear among federal agencies, said Tim Grance, a computer scientist at NIST and an author of the report. Rather, the guidelines aim to prepare federal IT managers for cloud projects.
"Public cloud computing is a very viable choice" for government agencies, Grance said. "We are not by any means saying 'don't do it.' But you have to be careful. You got to make sure that [cloud computing] is part of a coherent overall strategic process."
NIST's 60-page document, currently open for public comment, provides a detailed analysis of many familiar cloud security and privacy issues.
For instance, the report highlights multiple compliance issues, such as those related to data location, facing cloud adopters.
Often, detailed information about the location of an organization's data is unavailable or not disclosed by the cloud provider, the report noted, making it hard for organizations to determine whether security controls are in place and if legal and regulatory requirements for protecting data are being met.
Similarly, U.S. federal agencies are required to comply with several security and privacy related mandates, the report notes. However, the degree to which cloud providers are willing to accept liability for data under their control remains largely untested, NIST said.
Organizations using public cloud computing systems relinquish direct control over many security aspects, and confer an unprecedented amount of trust in the provider. Moving to the cloud can sometimes exacerbate insider threat issues, raise questions about data ownership and control, and make risk assessment and management harder, NIST said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts