The National Institute of Standards and Technology recently issued its Guidelines on Security in Privacy in Public Cloud (SP 800-144). The Guidelines can be found at http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494
They stress the importance of user responsibility in practicing sound security practices. NIST provides useful guidance when outsourcing data, applications and infrastructures to a vendor utilizing a cloud-based delivery model.
The recommendations include:
- Identify security, privacy, and other organizational requirements for cloud services to meet, as a criterion for selecting a cloud provider.
- Analyze the security and privacy controls of a cloud provider’s environment and assess the level of risk involved with respect to the control objectives of the organization.
- Evaluate the cloud provider’s ability and commitment to deliver cloud services over the target timeframe and meet the security and privacy levels stipulated.
- Ensure that all contractual requirements are explicitly recorded in the service agreement, including privacy and security provisions, and that they are endorsed by the cloud provider.
- Involve a legal advisor in the review of the service agreement and in any negotiations about the terms of service.
- Continually assess the performance of the cloud provider and the quality of the services provisioned to ensure all contract obligations are being met and to manage and mitigate risk.
- Alert the cloud provider about any contractual requirements that must be observed upon termination.
- Revoke all physical and electronic access rights assigned to the cloud provider and recover physical tokens and badges in a timely manner.
- Ensure that organizational resources made available to or held by the cloud provider under the terms of service agreement are returned or recovered in a usable form, and that information has been properly expunged.
Users of cloud services are ultimately responsible for security and privacy – accountability for security and privacy in public cloud deployments cannot be delegated to a cloud provider. Businesses must ensure that any selected public cloud computing solution is configured, deployed, and managed to meet the security, privacy, and other requirements of the organization. The transition to a computing environment is an exercise in risk management. Proper risk assessment and management can be challenging because major aspects of the system are controlled by the vendor. While appropriate controls are important, too many controls can be inefficient and ineffective. Companies should balance the extent and types of controls with the most likely risks arising out of the particular use of cloud computing.