Cloud's Security Challenge Isn't Just Technical
"Everybody is very interested in ensuring security," Peter Mell, project lead for the National Institute of Standards and Technology's cloud research team, said in an interview for a forthcoming story I'm researching on federal government cloud computing. "What I see most discussed is security compliance issues. Can I document it, implement it, test it and show that it meets the federal government requirements for the security assistance?"
The federal government requires agencies to certify private contractors' IT systems they use, a situation that isn't easily accomplished with cloud computing providers, an industry where no security standards have been adopted. Another compliance challenge involves the nascent security technologies cloud providers offer.
"Compliance is going to be a little bit tricky in the cloud space."
"Compliance is going to be tricky in the cloud space for several reasons, but one reason is that clouds are likely to use new security technologies that aren't well understood or widely adopted, and that will make it difficult to prove the required level of security to auditors and to authorizing officials," Mell said.
Mell leads a team of four other NIST computer scientists working on cloud computing security guidance. The first of the team's work will be found in an update of NIST Special Publication 800-37: A Security Life Cycle Approach. A draft of the publication should be available in June or July, with the final version published in August, Mell said. Click here to read more about the regulatory challenges agencies face in using cloud computing.
What information security obstacles do you see in implementing cloud computing? Please respond below.
Also, as I continue reporting on cloud computing security, you can help. Let me know of any government cloud computing projects, either those launched or planned. Contact me at echabrow@GovInfoSecurity.com.