The National Institute of Standards and Technology (“NIST”) has issued draft Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) (the “Guidelines”) for public comment. The Guidelines provide an overview of the security and privacy challenges pertinent to public cloud computing, and identify considerations for organizations outsourcing data, applications and infrastructure to a public cloud environment. The Guidelines are intended for use by federal agencies. Use in nongovernmental settings is voluntary.

The key guidelines from the report are summarized below:

  • Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
  • Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
  • Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
  • Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

Specific security and privacy issues and recommendations include the following:

Issue

Precaution

Governance
  • Extend organizational practices pertaining to the policies, procedures and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing and monitoring of deployed or engaged services.
  • Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.
Compliance
  • Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, and electronic discovery requirements.
  • Review and assess the cloud provider’s offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements.
Trust
  • Incorporate mechanisms into the contract that allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.
  • Institute a risk management program that is flexible enough to adapt to the continuously evolving and shifting risk landscape.
Architecture
  • Understand the underlying technologies the cloud provider uses to provision services, including the implications of the technical controls involved on the security and privacy of the system with respect to the full lifecycle of the system and for all system components.
Identity & Access Management
  • Ensure that adequate safeguards are in place to secure authentication, authorization and other identity and access management functions.
Software Isolation
  • Understand virtualization and other software isolation techniques that the cloud provider employs, and assess the risks involved.
Data Protection
  • Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned.
Availability
  • Ensure that during an intermediate or prolonged disruption or a disaster, critical operations can be resumed immediately and all other operations can be reinstituted in a timely and organized manner.
Incident Response
  • Understand and negotiate the contract provisions and procedures for incident response required by the cloud provider.

NIST requests that suggested changes or enhancements be sent to 800-144comments@nist.gov no later than February 28, 2011.  The Centre for Information Policy Leadership is preparing comments.