NIST sets security approach for cloud computing

The National Institute of Standards and Technology has issued "Guidelines on Security and Privacy in Public Cloud Computing," Special Publication 800-144, which provides an overview of the security and privacy challenges facing public cloud computing. It marks the first set of principles for managing cloud security, NIST officials said.

The publication also presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment. The document provides insights on threats, technology risks and safeguards related to public cloud environments to help organizations make informed decisions about this use of this technology.

"Guidelines on Security and Privacy in Public Cloud Computing" was first issued as a draft for public comment in February 2011.

"Public cloud computing and the other deployment models are a viable choice for many applications and services,” said publication co-author Tim Grance. “However, accountability for security and privacy in public cloud deployments cannot be delegated to a cloud provider and remains an obligation for the organization to fulfill."

The key guidelines include:

  • Carefully plan the security and privacy aspects of cloud computing solutions before implementing them.
  • Understand the public cloud computing environment offered by the cloud provider.
  • Ensure that a cloud computing solution — both cloud resources and cloud-based applications — satisfies organizational security and privacy requirements.
  • Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

SP 800-144 is geared toward system managers, executives and CIOs making decisions about cloud computing initiatives; security professional responsible for IT security; IT program managers concerned with security and privacy measures for cloud computing; system and network administrators; and users of public cloud computing services, NIST officials said.

The publication also offers a detailed list of Federal Information Processing Standards and NIST special publications that provide materials particularly relevant to cloud computing and are recommended to be used in conjunction with SP 800-144.

It won't be the last word from NIST on cloud security, said Donna Dodson, NIST's division chief of the computer security division and the deputy cyber security advisor.

Speaking on January 18 at an event co-sponsored by Federal Computer Week and ImmixGroup, she said NIST is working on revisions to another circular, SP 800-53, with a close look at cloud and mobile guidelines, according to ImmixGroup vice president of marketing Allan Rubin. SP 800-53 is titled "Recommended Security Controls for Federal Information Systems and Organizations."

About the Author

Rutrell Yasin is is a freelance technology writer for GCN.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group