
Everything's Negotiable
Non-negotiable service agreements -- in which the terms of service are prescribed completely by the cloud provider -- are generally the norm in public cloud computing. NIST recommends negotiated service agreements that address your organization’s specific concerns about security and privacy details.
What To Negotiate
Among the security and privacy details to work out with your public cloud vendor:
* vetting of employees
* data ownership and exit rights
* isolation of tenant applications
* data encryption and segregation
* tracking and reporting service effectiveness
* compliance with laws and regulations
* the use of validated products meeting federal or national standards
Don't overlook the client side
Cloud computing encompasses both a server and a client side. With emphasis typically placed on the former, the latter can be easily overlooked. Maintaining physical and logical security over clients can be troublesome, especially with embedded mobile devices such as smart phones.
Securing clients
As part of the overall cloud computing security architecture, NIST recommends that you review your organization's existing measures and employ additional ones, if necessary, to secure the client side. For example, banks are beginning to take the lead in deploying hardened browser environments that encrypt network exchanges and protect against keystroke logging.
Areas to watch
Cloud computing is heavily dependent on the individual security of each of its many components, including:
* self-service
* quota management
* resource metering
* hypervisor
* guest virtual machines
* supporting middleware
* deployed applications
* data storage
Shared multi-tenant environments
Public cloud services offered by providers have a serious underlying complication, says NIST -- subscribing organizations typically share components and resources with other subscribers that are unknown to them.
Accountability is key
Audit mechanisms and tools should be in place to:
1. determine how data is stored, protected, and used
2. validate services
3. verify policy enforcement
Data location
A characteristic of many cloud-computing services is that detailed information about the location of an organization's data is unavailable or is not disclosed to the service subscriber. When information crosses borders, the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns.
Where's the data?
Four data location concerns to be addressed:
1. whether the laws in the jurisdiction where the data was collected permit the flow
2. whether those laws continue to apply to the data post transfer
3. whether the laws at the destination present additional risks or benefits
4. which technical, physical and administrative safeguards, such as access controls, apply
Room to improve
NIST says these key components of cloud computing security are not yet fully realized:
1. A solution for federated trust
2. Determining the security of complex computer systems composed together
3. Attaining high-assurance qualities in implementations
Compelling computing paradigm
Despite concerns about security and privacy, NIST concludes that "public cloud computing is a compelling computing paradigm that agencies need to incorporate as part [of] their information technology solution set."