Administrators and users of “public cloud computing” services have a new set of guidelines for managing risks to the security of the systems and the privacy of the stored data. The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, has followed up on its recent document offering a definition of cloud computing with a set of guidelines for privacy and security in cloud systems. While government agencies comprise the principal audience for NIST’s guidelines, private companies and organizations can benefit as well. End-user consumers, whose personal information is often most at risk of cyberattack, will also find the guidelines beneficial. We will focus on security and privacy considerations for businesses and other organizations.
NIST published its report, “Guidelines on Security and Privacy in Public Cloud Computing,” in December 2011. It recommends a security and privacy environment based on careful planning that is tailored to the particular cloud provider’s system. Planners should take the needs of the organization into account when creating a cloud computing solution, paying close attention to the computing environments of both the service provider and the user. Finally, cloud computing environments require accountability, with continuous monitoring of how effective the security and privacy controls are.
Planning for Security and Privacy
Cloud computing represents a major departure from previous models of information management. Sensitive data no longer resides on a private server, but rather “in the cloud.” It therefore requires careful planning of how data is organized and stored, as well as management of security and privacy over the life of the organization. Security and privacy are particularly vulnerable during the initial transfer of data to the new storage environment, and also in the ongoing process of retrieving data for use.
Understanding the Cloud Environment
Organizations have unique computing needs, and cloud providers offer multiple types of services. To effectively manage risk, organizations must have a detailed understanding of the cloud provider’s services. In particular, an organization must understand its responsibilities, as opposed to those of the cloud provider, for security and privacy of information.
Ensuring the Cloud Service Meets the Organization’s Needs
An organization is unlikely to find a cloud provider whose default service precisely meets its needs for security and privacy. The organization should clearly articulate its particular risks and vulnerabilities, and should be prepared to negotiate services with a cloud provider to find the best possible fit.
Ensuring the Client-Side Service Meets the Organization’s Needs
Cloud computing is two-sided. Organizations must ensure the security of their own users as well as of the cloud service itself. Users access cloud providers’ services through web browsers, smartphone apps, and other software. Many client-side applications are easy for attackers to compromise, so careful planning and understanding of the client environment are crucial for an organization.