Public Cloud Computing Has New Guidelines to Help Protect Users’ Privacy and Security

Administrators and users of “public cloud computing” services have a new set of guidelines for managing risks to the security of the systems and the privacy of the stored data. The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, has followed up on its recent document offering a definition of cloud computing with a set of guidelines for privacy and security in cloud systems. While government agencies comprise the principal audience for NIST’s guidelines, private companies and organizations can benefit as well. End-user consumers, whose personal information is often most at risk of cyberattack, will also find the guidelines beneficial. We will focus on security and privacy considerations for businesses and other organizations.

NIST published its report, “Guidelines on Security and Privacy in Public Cloud Computing,” in December 2011. It recommends a security and privacy environment based on careful planning that is tailored to a particular cloud provider’s system. Planners should take the needs of the organization into account when creating a cloud computing solution, paying close attention to the computing environments of both the service provider and the user. Finally, cloud computing environments require accountability, with constant monitoring of the system’s effectiveness.

Planning for Security and Privacy

Cloud computing represents a major departure from previous models of information management. Sensitive data no longer resides on a private server, but rather “in the cloud.” It therefore requires careful planning for how data is organized and stored, as well as management of security and privacy over the life of the organization. Security and privacy are particularly vulnerable in the initial process of transferring data to new storage media, and also in the ongoing process of retrieving data for use.

Understanding the Cloud Environment

Organizations have unique computing needs, and cloud providers offer multiple types of services. To effectively manage risk, organizations must have a detailed understanding of the cloud provider’s services. In particular, an organization must understand its responsibilities, as opposed to those of the cloud provider, for security and privacy of information.

Ensuring the Cloud Service Meets the Organization’s Needs

An organization is unlikely to find a cloud provider whose default service precisely meets its needs for security and privacy. The organization should clearly articulate its particular risks and vulnerabilities, and should be prepared to negotiate services with a cloud provider to find the best possible service.

Ensuring the Client-Side Service Meets the Organization’s Needs

Cloud computing is two-sided. Organizations must ensure the security of their own users as well as the cloud service itself. Users access cloud providers’ services through web browsers, smartphone apps, and other software. Hackers can easily breach many client-side applications, so careful planning and understanding are crucial for an organization.

Accountability for Maintaining Security and Privacy

Once an organization has security protocols in place for its cloud computing system, it must maintain those protocols and review their effectiveness as a means of managing risk. This involves designating a responsible party to oversee security. It also requires an ongoing process of collecting and analyzing data on the use and integrity of the system, and of communicating with the cloud provider to resolve concerns and maintain updated technology.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today.

Web Resources:

Guidelines on Security and Privacy in Public Cloud Computing (PDF), National Institute of Standards and Technology, December 2011


Photo credit: ‘Cloud computing openness’ by Sam Johnston [GFDL or CC-BY-SA-3.0], via Wikimedia Commons
