NIST SP800-144 “Guidelines on Security and Privacy in Public Cloud Computing” – A Relationship Manual

Participating in a public cloud means that there are two independent parties involved. When two parties are involved, a relationship is formed. Just like every kind of relationship… it is hard. Each party has their own expectations, and oftentimes these expectations are not met and feelings get hurt. There are arguments and frustrations, and maybe you feel like you are not getting out of the relationship what you have put in… When starting a relationship with your cloud provider, it is important to understand where they are coming from and what their goals are, and you must think of an exit strategy.

NIST has put out a relationship manual called “SP800-144: Guidelines on Security and Privacy in Public Cloud Computing”. It was developed to help you (the client) with some of the expectations that you should have of the cloud provider. It is kind of like counseling. They are guidelines to help you determine whether this relationship is going to last or fall on its face. It was officially developed for Federal Agencies, but they agree that it can be used for other relationships as well.

It was important that NIST released this document. They are the ones I find most often referenced when talking about Cloud Computing. Their definition is the one most of us go by. There are so many definitions, and you might as well pick one. Just a reminder… NIST’s definition is: “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.”

Below are the key attributes or guidelines and MY short interpretation of them:

A) Carefully plan the security and privacy aspects of cloud computing solutions before engaging them
[ME] Make sure you set up the security objectives of your organization and that everyone understands them, especially when planning for outsourcing. Make sure you plan your security based on the sensitivity of the data. In relationship terms… what is your partner’s intention? Is this a serious relationship or something they take lightly?

B) Understand the public cloud computing environment offered by the cloud provider
[ME] Understand the cloud provider. What are their policies? What are their guidelines? Don’t take this outsourcing lightly, and make sure you do your due diligence when it comes to the cloud provider. In relationship terms… determine the good parts and the bad parts of your partner and what it is that you can “put up with”.

C) Ensure that a cloud computing solution satisfies organizational security and privacy requirements
[ME] Interesting section… It is somewhat the same as section B, BUT it recognizes the fact that a public cloud may not work for you. It is possible that the terms of the cloud provider just do not fit your needs. It is possible that your needs can only be met by a private cloud. In relationship terms… prepare for other options. Understand that the partner may not be right for you in the long run, and you need an “exit” strategy. (One note… don’t have an “exit” strategy in your personal relationship until you really need it. :)… I am just saying…)

D) Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing
[ME] So how are you, the client, accessing the data at the provider site? It is important to understand that accessing data that is located remotely has security risks associated with it. These risks are inherent to any organization, whether you are a client of any type of cloud. In relationship terms: communication… communication… communication. Is it safe to tell them everything? Are the communication lines completely open, or do some things get said under the breath?

E) Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments
[ME] Continuous monitoring is the main thread in this section. Of course, it is important to monitor with an understanding of the security policies and controls. You must be aware of all the aspects associated with the environment. Confidence in your provider can only be established through visibility and provisioning. Best line out of this section… “Cloud Computing is based on the security of many individual components”. In relationship terms… relationships are hard and you need to work at them. If the pairing is right and you want to continue to move forward with them… work with them and show it. When it comes down to it, actions speak louder than words.

If you want to review this document yourself…. click here


  1. #1 by David Hurst on February 10, 2012 - 11:10

    Good analysis and good advice.

    • #2 by erinkbanks on February 10, 2012 - 11:30

      Thank you!!! I appreciate that!
