Security Slideshow: NIST Cloud Security Guidelines
By Don Reisinger | Posted 02-16-2011
NIST Cloud Security Guidelines
Everything's Negotiable
Non-negotiable service agreements -- in which the terms of service are prescribed completely by the cloud provider -- are generally the norm in public cloud computing. NIST recommends negotiated service agreements that address your organization's specific concerns about security and privacy details.
What To Negotiate
Among the security and privacy details to work out with your public cloud vendor:
* vetting of employees
* data ownership and exit rights
* isolation of tenant applications
* data encryption and segregation
* tracking and reporting service effectiveness
* compliance with laws and regulations
* the use of validated products meeting federal or national standards
Don't overlook the client side
Cloud computing encompasses both a server and a client side. With emphasis typically placed on the former, the latter can be easily overlooked. Maintaining physical and logical security over clients can be troublesome, especially with embedded mobile devices such as smart phones.
Securing clients
As part of the overall cloud computing security architecture, NIST recommends that you review your organization's existing measures and employ additional ones, if necessary, to secure the client side. For example, banks are beginning to take the lead in deploying hardened browser environments that encrypt network exchanges and protect against keystroke logging.
Areas to watch
Cloud computing is heavily dependent on the individual security of each of its many components, including:
* self-service
* quota management
* resource metering
* hypervisor
* guest virtual machines
* supporting middleware
* deployed applications
* data storage
Shared multi-tenant environments
Public cloud services offered by providers have a serious underlying complication, says NIST -- subscribing organizations typically share components and resources with other subscribers that are unknown to them.
Accountability is key
Audit mechanisms and tools should be in place to:
1. determine how data is stored, protected, and used
2. validate services
3. verify policy enforcement.
Data location
A characteristic of many cloud-computing services is that detailed information about the location of an organization's data is unavailable or is not disclosed to the service subscriber. When information crosses borders, the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns.
Where's the data?
Four data location concerns to be addressed:
1. whether the laws in the jurisdiction where the data was collected permit the flow;
2. whether those laws continue to apply to the data post transfer;
3. whether the laws at the destination present additional risks or benefits;
4. which technical, physical and administrative safeguards, such as access controls, apply.
Room to improve
The NIST says these key components of cloud computing security are not yet fully realized:
1. A solution for federated trust
2. Determining the security of complex computer systems composed together
3. Attaining high-assurance qualities in implementations
Compelling computing paradigm
Despite concerns about security and privacy, the NIST concludes that "public cloud computing is a compelling computing paradigm that agencies need to incorporate as part [of] their information technology solution set."