NIST report aims to help U.S. agencies deploy cloud apps

Cloud computing can provide value only if security and management are properly planned, NIST says

Organizations that are deploying public cloud computing applications need to pay close attention to security and management risks, the National Institute of Standards and Technology said in a report released Wednesday.

"With the wide availability of cloud computing services, lack of organizational controls over employees engaging such services arbitrarily can be a source of problems," NIST noted in a document prescribing a set of security and privacy guidelines for cloud computing. "Without proper governance, the organizational computing infrastructure could be transformed into a sprawling, unmanageable mix of insecure services."

The issue is somewhat similar to the problems created when individual employees and small groups set up rogue wireless access points in an enterprise network, the report noted.

NIST prepared the Guidelines on Security and Privacy in Public Cloud Computing in response to a directive from federal CIO Vivek Kundra.

As part of his effort to accelerate the government's adoption of cloud computing, Kundra asked NIST to develop a set of security standards and guidelines that agencies can use when moving applications and data to the cloud.

The goal of the document is not to create fear among federal agencies, said Tim Grance, a computer scientist at NIST and an author of the report. Rather, the guidelines aim to prepare federal IT managers for cloud projects.

"Public cloud computing is a very viable choice" for government agencies, Grance said. "We are not by any means saying 'don't do it.' But you have to be careful. You got to make sure that [cloud computing] is part of a coherent overall strategic process."

NIST's 60-page document, currently open for public comment, provides a detailed analysis of many familiar cloud security and privacy issues.

For instance, the report highlights multiple compliance issues, such as those related to data location, facing cloud adopters.

Often, detailed information about the location of an organization's data is unavailable or not disclosed by the cloud provider, the report noted, making it hard for organizations to determine whether security controls are in place and if legal and regulatory requirements for protecting data are being met.

Similarly, U.S. federal agencies are required to comply with several security- and privacy-related mandates, the report notes. However, the degree to which cloud providers are willing to accept liability for data under their control remains largely untested, NIST said.

Organizations using public cloud computing systems relinquish direct control over many security aspects, and confer an unprecedented amount of trust in the provider. Moving to the cloud can sometimes exacerbate insider threat issues, raise questions about data ownership and control, and make risk assessment and management harder, NIST said.

The NIST report also highlights the need for organizations to pay attention to the architecture employed by the cloud provider, its support for identity and authentication mechanisms, and the controls it has for securing its servers and the data residing on them.

Such issues should be considered and addressed during the planning stages, not after cloud-based applications and data are deployed, Grance said.

Most large cloud computing providers aim to deliver cloud services at commodity prices by taking advantage of economies of scale, Grance said. Consequently, cloud providers typically aren't aware of the security and privacy requirements of individual organizations.

Sometimes, organizations may find that service agreements are not adequate for their needs. In such situations, organizations should negotiate agreements with their cloud providers in much the same way they would with an outsourcing agreement. But such negotiated agreements could make cloud computing less cost-effective, Grance added.

Many cloud services are becoming commoditized because providers are able to take advantage of massive economies of scale, Grance said. "If they have to do a lot of customization, then you are cutting into the commodity tradeoff," he said.

As a result, agencies that are planning on adopting cloud computing need to carefully consider the business case first, Grance said.

In some situations, organizations may find the need to implement compensating controls when adopting public cloud computing. Or they may benefit from moving to a private cloud.

"People like to think of this as an all or nothing [situation]," Grance said. The reality is that there is a "whole bunch of activities that you could put in a public cloud and it would be a perfectly reasonable thing to do," he said. "But you need to be careful of what you put in there."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed.
