Last week the National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, released for public comment two “new” draft documents centered on cloud computing. The first is a NIST-codified Definition of Cloud Computing (Draft SP 800-145), and the second document is what NIST calls “the first set of guidelines for managing security and privacy issues in cloud computing,” titled Guidelines on Security and Privacy in Public Cloud Computing (the “Guidelines”, Draft SP 800-144). In conjunction with the release NIST has also unveiled a new NIST Cloud Computing Collaboration site, which includes various working group listservs and Wikis, to “enable two-way communication among the cloud community and NIST cloud research working groups.”
UPDATE: Richard Santalesa was interviewed by DataGuidance for his thoughts on NIST’s cloud computing drafts. See, USA: NIST seeks public comment on revised cloud computing definition and guidelines, available here.
While both of the released draft documents are open for public comments, due no later than Feb. 28, 2011 (comments with suggested changes or enhancements to the Definition should be sent to firstname.lastname@example.org; comments on the Guidelines should be sent to email@example.com), SP 800-145 is essentially identical to NIST’s existing Definition of Cloud Computing, Version 15, dated 10-7-09. However, rather than attempt to put the cart before the horse and issue a new or updated definition NIST has wisely chosen the tactic of opening the now officially numbered definition up for comment ahead of any subsequent revision.
For their part the Guidelines are the result of several years of active research that NIST has been part of in the area of our cloud computing. At 60 pages in length the Guidelines expressly recognize and start at the position that “Cloud computing can and does mean different things to different people.”
From there the Guidelines go on to provide a fairly robust overview of the inherent security and privacy issues raised by cloud computing, including a brief look at public cloud service agreements. The Guidelines also give a nod, whether by design or by accident, to the FTC’s recent privacy framework (discussed here, here, here with the report itself here), in urging that “security and privacy must be considered from the initial planning stage at the start of the systems development life cycle ” – essentially adopting the “privacy by design” approach proposed by the FTC, which highlights our belief that the combined influence of the Commerce Dept’s Greenpaper and the FTC’s privacy framework will make significant headway this year in setting parameters in the ongoing privacy debate.
Some key recommendations by the Guidelines, for both federal departments and agencies and private sector public cloud initiatives, include:
- Identifying when it is advisable and necessary to press for negotiation of offered cloud provider contracts and Service Level Agreements;
- The importance of not overlooking any security and privacy issues raised by the client-side of cloud computing efforts;
- Stressing accountability and monitoring throughout the cloud initiative, as well as communicating use of how and when cloud services are used;
- A detailed review of the security downside of cloud computing; and
- Compliance specifics, with necessary understanding of data location, data ownership, applicable laws and regulations, ramifications for e-discovery, etc.
A final noteworthy topic covered in the Guidelines is the issue of identity and access management, which also touches on the crucial issue of authentication.
The entire Guidelines are worth a quick reading, and, as always, feel free to contact us to discuss the Guidelines or your own planned or ongoing cloud computing initiatives.