NIST Issues Finalized Guidelines for Managing Security & Privacy in Public Cloud Computing
Say what you will about the federal government, the Nat'l Institute of Standards & Technology ("NIST"), part of the Department of Commerce, has certainly been busy over the past year releasing numerous special drafts and reports addressing cloud computing recommendations, security and issues. [Full disclosure: I'm a member of several NIST working groups, including one currently working on the NIST draft of Challenging Security Requirements for US Government Cloud Computing Adoption.] Carrying on with its cloud mission, NIST last week released the finalized 80-page version of its special publication Guidelines on Security and Privacy in Public Cloud Computing (NIST SP 800-144) (the "Guidelines"). The Guidelines provide, in NIST's description: "an overview of the security and privacy challenges facing public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment. The document provides insights on threats, technology risks and safeguards related to public cloud environments to help organizations make informed decisions about this use of this technology."
According to NIST, SP 800-144 is geared for those involved in cloud computing initiatives; security personnel responsible for security and privacy measures for cloud computing; system and network administrators; and users of public cloud computing services.
In what's become a hallmark of the NIST's cloud reports, SP 800-144 is extensively cross-referenced and includes "a detailed list of Federal Information Processing Standards and NIST special publications that provide materials particularly relevant to cloud computing and are recommended to be used in conjunction with SP 800-144." This highlights one of the downsides of NIST's prodigious output production, namely, that reports are often complimentary and are best read and utilized with others. Page x of the Guidelines lists no fewer than fifteen other Special Publications that are "especially relevant to cloud computing and should be used in conjunction with this report." The upside is that each can be updated and refreshed to reflect the rapidly changing cloud and security landscape, but at the cost of keeping track of each additional report.
Given that public cloud computing offers significant security challenges that may not be present in private or hybrid cloud operations, NIST's Guidelines are a worthwhile resource and will help any cloud user interested in public cloud services review the many issues and concerns that should be addressed before data is stored up in a public cloud.
To discuss the Guidelines further, or your own specific cloud needs or cloud contracts and SLAs, feel free to contact me or any of the other attorneys at the InfoLawGroup.