NIST creates cloud-computing team
The National Institute of Standards and Technology has created a new team to determine the best way to provide security for agencies that want to adopt the emerging technology called cloud computing, said Ron Ross, a senior computer scientist and information security researcher at NIST.
“The team will give our customers a sense of what kinds of risks they may be taking on by moving into that new territory,” Ross said today at the SaaS/Gov 2009 conference produced by the Software and Information Industry Association and market research firm Input.
Cloud computing refers to an arrangement in which an organization pays a service provider to deliver applications, computing power and storage via the Web.
Implementing cloud computing at agencies will be similar to how government organizations adopted and secured wireless technology, Ross said.
“When wireless came along, we didn’t really know a lot about how to protect it, but we developed that understanding as we went forward, and now we do a pretty good job of protecting wireless,” he said.
Security experts at NIST are responsible for figuring out how to make the new technology secure. Each agency will decide whether and to what extent it wants to adopt cloud computing.
NIST plans to demonstrate how current standards and guidelines for evaluating technology can be used for cloud computing, Ross said.
Federal agencies need to determine how to certify and accredit new technology when a service provider is involved, as is the case with cloud computing, and service providers will need to provide evidence to federal customers that they have accomplished the due diligence on security, he said.
Meanwhile, the team hopes to prepare NIST officials to handle agencies’ questions about cloud computing. “When customers ask us, ‘Is it a good way to go?’ or ‘Is it secure enough for us?’ we’re going to try and provide some of that information,” Ross said.
Doug Beizer is a staff writer for Federal Computer Week.