The Macrosite for News, Analysis and Opinion about the Future of the Internet

2013: The Year of the Resilient Cloud

Written by Evelyn de Souza
1/24/2013

At the start of 2012, concerns about the cloud, government regulations, loss of IT control, lack of consistent and mature standards, and data privacy eroded business confidence in both private and public computing. But over the course of 2012 and into 2013, several government and industry associations have launched initiatives to enable broader adoption of cloud computing models, all of which have several traits in common: a broader focus on the privacy of individual and company data, as well as the need for greater transparency on the part of service providers.

The National Institute of Standards and Technology (NIST) has long established itself as an authority on cloud computing with the NIST Definition of Cloud Computing (NIST SP 800-145), which became a default industry standard for the way cloud was defined. In January 2012, NIST followed this up with Guidelines on Security and Privacy in Public Cloud Computing (NIST Special Publication 800-144), which provides an overview of the security and privacy challenges facing public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment.

And, in May 2012, NIST released Cloud Computing Synopsis and Recommendations (NIST SP 800-146), which provides an overview of major classes of cloud technology, and provides guidelines and recommendations on how organizations should consider the relative opportunities and risks of cloud computing. Together these documents provide IT staff and executives solid guidelines about compliance, governance, and security. In particular, “Cloud Computing Synopsis and Recommendations” lists the components required for secure cloud deployments, including the infrastructure layer, as well as requirements for the application stack. It details what service level agreement (SLA) expectations you should have from the cloud vendor and discusses responsibilities when outsourcing to the public cloud.

In Europe, the Article 29 Working Party established under the EU data privacy legislation made strong headway in resolving data privacy compliance concerns. On January 10, 2013, proposed amendments to the European Commission’s proposed General Data Protection Regulation were presented to the LIBE Committee. While by no means final, the proposed amendments centered on greater emphasis on individual privacy, with clarifications of terms such as personal data; requirements for service providers and data controllers to communicate privacy policies; more significant fines; heavier scrutiny over international data transfers; and the recommendation to appoint data protection officers for providers who process certain volumes of data.

Finally, industry associations such as the Cloud Security Alliance (CSA) have teamed up with the private sector to provide organizations with tools to build data security, privacy, and reliability factors, as well as key compliance and regulatory standards, into their IT practices. Microsoft, for example, has produced a free tool, the Cloud Security Readiness Tool (CSRT), which uses the Cloud Controls Matrix (CCM), a framework that maps multiple standards and regulations to standard IT policy domains to ease compliance burdens.

The CSRT is an interactive 10- to 15-minute survey of 27 questions that spans several security, privacy, and reliability topic areas, including capabilities for security policies, personnel, physical security, privacy, asset and risk management, and reliability. The output is a custom report that can help organizations speed up internal evaluations of cloud models and providers against critical risk areas and compliance with industry standards.

I have highlighted only a few examples above, and industry movement is not limited to just these instances. I will be continuing to watch this space and will be blogging about it regularly at Internet Evolution. What are your thoughts?

— Evelyn de Souza is a datacenter security strategy consultant and co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM). She blogs at RavenhairedMaven and is on Twitter @e_desouza.

nathanwosnack
IQ Crew
Thursday January 31, 2013 10:53:03 PM

@Kim, indeed, and it's a shame because so many organizations could benefit from NIST and others.

nathanwosnack
IQ Crew
Thursday January 31, 2013 10:52:18 PM

But when was the last time Amazon had an outage? They are rock solid, and it must have been years ago! Remember a year or two ago when Anonymous tried to DDoS them offline and they failed? Hilarious.

nathanwosnack
IQ Crew
Thursday January 31, 2013 10:40:03 PM

@Alison Diana, there are private sector solutions available for free from everything from SaaS security to BYOD policies. Unfortunately I think that companies often look inwards too often and not enough to what's out there, or to specialty consultants (for cost savings).

Evelyn de Souza
Thinkernetter
Wednesday January 30, 2013 12:09:38 PM

Amazon has had an outage or two - so have many enterprise networks too, in fact some would argue that even public cloud computing can be more secure than some enterprise deployments.

Evelyn de Souza
Thinkernetter
Wednesday January 30, 2013 12:06:21 PM

It's great to know how my blogs address areas of interest or importance to you.

Evelyn

AllieEvans
Rank: Cave Painter
Wednesday January 30, 2013 12:37:30 AM

Cloud computing has really made everything easy for my company named patents usa and above blog has really told many things about cloud computing.

hiranya
IQ Crew
Tuesday January 29, 2013 4:02:47 AM

Yes they did slfisher.

slfisher
Thinkernetter
Tuesday January 29, 2013 12:09:24 AM

"resilient," eh? Didn't Amazon have a big outage as recently as Christmas Eve?

Kicheko
IQ Crew
Monday January 28, 2013 4:07:39 PM

Kim, I tend to associate them with the SANS reading room as well; I'm not so sure if I'm accurate... I came to learn that a lot of organizations get security policy templates from SANS.
