Guidance coauthor and NIST Computer Scientist Tim Grance says public cloud computing is a viable choice for many applications and services for enterprises to consider. "However," Grance says, "accountability for security and privacy in public cloud deployments cannot be delegated to a cloud provider and remains an obligation for the organization to fulfill."
NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing provides an overview of the security and privacy challenges facing public cloud computing. It presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud.
NIST defines a public cloud as one in which the infrastructure and computational resources are made available to the public over the Internet and is operated by a provider delivering cloud services to consumers and, by definition, is external to the consumers' organizations.
In pursuing public cloud services, the SP 800-144 guidelines recommend that organizations:
- Carefully plan the security and privacy aspects of cloud computing solutions before implementing them.
- Understand the public cloud computing environment offered by the cloud provider.
- Ensure that a cloud computing solution - cloud resources and cloud-based applications - satisfy organizational security and privacy requirements.
- Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
When NIST issued a draft of the guidance last winter (see New NIST Guidance Tackles Public Cloud Security), Grance said safeguarding data in a public cloud isn't much different from other types of IT security. "It's the same advice we give for almost any deployment of IT because it is still the right thing to do," he said. "Take out the word 'cloud computing' and put in any major technology. You always want to carefully plan for security and privacy before you do those things rather than after you do them."
NIST wrote SP 800-144 for system managers, executives and information officers making decisions about cloud computing initiatives; security professional responsible for IT security; IT program managers concerned with security and privacy measures for cloud computing; system and network administrators; and users of public cloud computing services.
The publication also provides a detailed list of Federal Information Processing Standards and NIST special publications that provide materials particularly relevant to cloud computing and are recommended to be used in conjunction with the guidance.