Standards body sets out cloud guidelines

NIST looks to make recommendations on security and privacy

The US government is setting out to address concerns about security in the cloud. The US National Institute of Standards and Technology has issued a draft document looking at issues such as privacy and security within cloud environments.

The institute has also sought to tackle the uncertainty and confusion that surrounds the technology by introducing a document that sets out a series of definitions of cloud computing.

The Guidelines on Security and Privacy in Public Cloud (registration required) examines some of the security issues facing cloud providers and customers and offers a series of recommendations for organisations to consider when outsourcing data, applications and infrastructure to a public cloud environment.

The report, written by NIST computer scientists Tim Grance and Wayne Jansen, stressed the importance of building in security from the outset. "To maximise effectiveness and minimize costs, security and privacy must be considered from the initial planning stage at the start of the systems development life cycle. Attempting to address security after implementation and deployment is not only much more difficult and expensive, but also more risky."

The report goes on to point out the importance of recognising that the cloud provider has little or no understanding of its customers' individual security requirements. "Organisations should require that any selected public cloud computing solution is configured, deployed, and managed to meet their security, privacy, and other requirements," warns the document.

Other issues for customers include ensuring that the client-side computing environment meets the organisation's security and privacy requirements for cloud computing and that the organisation retains accountability for its data and applications deployed in the cloud.

The new cloud definition document, The NIST Definition of Cloud Computing, is NIST's contribution to the debate on cloud services. In its introduction, it points out that "Cloud computing is still an evolving paradigm. Its definition, use cases, underlying technologies, issues, risks, and benefits will be refined and better understood with a spirited debate by the public and private sectors."

The NIST is looking for public comments on the documents, which must be submitted by 28 February.


Stories by Maxwell Cooter
