Week 3
Guidelines on Security and Privacy in Public Cloud Computing
NIST SP 800-144 provides an overview of the security and privacy challenges facing public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment. The document provides insight into threats, technology risks and safeguards related to public cloud environments, to help organizations make informed decisions about the use of this technology.
A cloud system involves two parties: the service provider and the subscriber. These two parties come together with their own expectations, so it is important to understand where each is coming from and what their goals are, and, in case the relationship doesn't work, the business needs an exit strategy. NIST SP 800-144 was written to help organizations set out some of the expectations that must hold between the client and the cloud provider.
Here are a few recommended guidelines from NIST SP 800-144 for successful implementation of cloud solutions, as best practice for addressing the security and privacy challenges, threats, and risks of cloud computing:
Carefully plan the security and privacy aspects of cloud computing solutions before engaging them:
Organizations need to set clear security objectives when planning for outsourcing, and to plan security based on the sensitivity of the data. Establish a clear understanding of the provider's intentions: Are they compliant with all relevant organizational policies, and is privacy maintained? How do they handle your customers' data? Are they serious about the relationship? Did you take a risk-based approach in analyzing the available security and privacy options and in deciding about placing organizational functions into a cloud environment?
Understand the public cloud computing environment offered by the cloud provider:
Is the service model presented by the cloud provider compliant with your organization's privacy and security model? If the provider is certified and compliant, will they allow your organization to verify their privacy and security through an independent assessment? Does the provider give assurance to support its security and privacy claims?
It is important to know the details of the provider's cloud system architecture; this helps your organization and the provider assess and manage risk accurately, and mitigate risk by using appropriate techniques and procedures for regular monitoring of the security state of the system. SP 800-144 provides a framework and guidelines for these considerations to help both parties achieve and share the same organizational goal.
Ensure that a cloud computing solution satisfies organizational security and privacy requirements:
For some organizations, a public cloud might not be the best fit: what it can offer might not match the organization's security and privacy needs. Your organization might instead need a private cloud, from a risk perspective and because of the plausible threats it could face in the future. Some public cloud service providers implement non-negotiable service agreements, so make sure you have a negotiable service agreement in place, with a safe exit strategy, in case the service provider does not fit your needs. SP 800-144 provides guidelines for both parties to be compliant with Federal Information Processing Standard 140, which is a negotiable agreement that documents the assurances the cloud provider must furnish to corroborate that organizational requirements are being met.
Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing:
Clients may access the cloud via web browsers or lightweight PC/mobile applications; the various plug-ins and extensions for web browsers can introduce security threats, because many browser add-ons do not provide automatic updates, which increases vulnerability. With the growing use of mobile apps, social media, personal webmail and other public sites, these are easy targets for social engineering attacks, which pose security threats to the client. So it is important to review the cloud computing security architecture and the existing security and privacy measures, and to employ additional measures, if necessary, to secure the client side. Just think: remote access can create security risk, so is it safe to hand all your information over to them?
Maintain accountability over the privacy and security of data and applications implemented and developed in public cloud computing environments:
Is our cloud provider maintaining a secure cloud computing solution through regular monitoring of its security and privacy practices? Do they monitor the organization's information assets and assess the implementation of policies, standards, procedures, controls, and guidelines to establish and preserve the confidentiality, integrity, and availability of information system resources? SP 800-144 gives both client and provider a guideline for monitoring the security of the organization's networks, information, and systems, and for risk mitigation.
Most of the time, a significant portion of the computing environment is under the cloud provider's control and beyond the client's reach. Organizations therefore need to ensure that security and privacy controls are implemented correctly, operate as intended, and meet organizational requirements.
Conclusion:
The main purpose of NIST SP 800-144 is to provide an overview of public cloud computing and the security and privacy challenges involved. The document also provides a collective approach and insight into threats, technology risks, and safeguards for public cloud environments. It offers in-depth analysis and valuable suggestions to organizations so they can make their own decisions based on their own analysis of their needs, and assess, select, engage, and oversee the public cloud service that best fulfills those needs.
References
Jansen, Wayne, and Timothy Grance. December 2011. "Guidelines on Security and Privacy in Public Cloud Computing", NIST Special Publication 800-144. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
Banks, Erin K. February 2012. "NIST SP800-144 Guidelines on Security and Privacy in Public Cloud Computing – A Relationship Manual", published on EMC.com. Retrieved from: http://publicsectorblog.emc.com/erin_banks/nist-sp800-144-guidelines-on-security-and-privacy-in-public-cloud-computing-a-relationship-manual/
Great post and informative content about cloud computing. Nowadays software-sector organizations are moving into cloud computing, and cloud engineering services help them. Keep posting like these.