The National Institute of Standards and Technology (“NIST”) has issued draft Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) (the “Guidelines”) for public comment. The Guidelines provide an overview of the security and privacy challenges pertinent to public cloud computing, and identify considerations for organizations outsourcing data, applications and infrastructure to a public cloud environment. The Guidelines are intended for use by federal agencies. Use in nongovernmental settings is voluntary.
The key guidelines from the report are summarized below:
- Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
- Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
- Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
- Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
Specific security and privacy issues and recommendations include the following:
| Issue | Precaution |
| --- | --- |
| Governance | |
| Compliance | |
| Trust | |
| Architecture | |
| Identity & Access Management | |
| Software Isolation | |
| Data Protection | |
| Availability | |
| Incident Response | |
NIST requests that suggested changes or enhancements be sent to 800-144comments@nist.gov no later than February 28, 2011. The Centre for Information Policy Leadership is preparing comments.