The National Institute of Standards and Technology announced that it has issued two draft documents on cloud computing for public comment, including a set of guidelines for managing security and privacy issues in cloud computing. The agency also has set up a NIST Cloud Computing Collaboration site to enable public communication with NIST cloud research working groups.
“Cloud computing” is when you upload, store and access your data at an online service owned or operated by others. Millions of consumers use cloud computing services such as Web-based e-mail, online photo or video databases, or Internet calendar services. The federal government has made a concerted effort to use cloud services. In November, the Office of Management and Budget announced: “We are reducing our data center footprint by 40 percent by 2015 and shifting the agency default approach to IT to a cloud-first policy as part of the 2012 budget process.” In December, the General Services Administration said that it had entered into a 5-year, $6.7-million contract with Google and Unisys to use Gmail and other cloud services from Google. Also in December, Microsoft made a deal with the Agriculture Department “to supply online e-mail, collaboration and other online applications to the agency’s 120,000 employees.” (For a look at some of the possible privacy and security problems with cloud computing, read a previous post.)
Researchers have now published A NIST Definition of Cloud Computing (NIST Special Publication (SP) 800-145). NIST scientists are looking for feedback to determine if this definition remains valid or needs modification. […]
Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) provides an overview of the security and privacy challenges for public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment. The key guidelines recommended to federal departments and agencies, and applicable to the private sector, include:
- Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
- Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
- Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
- Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
Comments should be sent by e-mail to 800-144comments [at] nist.gov no later than February 28, 2011.