At the start of 2012, concerns about the cloud, government regulations, loss of IT control, a lack of consistent and mature standards, and data privacy eroded business confidence in both private and public cloud computing. But over the course of 2012 and into 2013, several government and industry associations launched initiatives to enable broader adoption of cloud computing models, all of which share several traits: a broader focus on the privacy of individual and company data, as well as the need for greater transparency on the part of service providers.
The National Institute of Standards and Technology (NIST) has long established itself as an authority on cloud computing with the NIST Definition of Cloud Computing (NIST SP 800-145), which became a default industry standard for the way cloud was defined. In January 2012, NIST followed this up with Guidelines on Security and Privacy in Public Cloud Computing (NIST Special Publication 800-144), which provides an overview of the security and privacy challenges facing public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment.
And, in May 2012, NIST released Cloud Computing Synopsis and Recommendations (NIST SP 800-146), which provides an overview of major classes of cloud technology, and provides guidelines and recommendations on how organizations should consider the relative opportunities and risks of cloud computing. Together these documents provide IT staff and executives solid guidelines about compliance, governance, and security. In particular, “Cloud Computing Synopsis and Recommendations” lists the components required for secure cloud deployments, including the infrastructure layer, as well as requirements for the application stack. It details what service level agreements (SLA) expectations you should have from the cloud vendor and discusses responsibilities when outsourcing to the public cloud.
In Europe, the Article 29 Working Party established under the EU data privacy legislation made strong headway in resolving data privacy compliance concerns. On January 10, 2013, proposed amendments to the European Commission's proposed General Data Protection Regulation were presented to the LIBE Committee. While by no means final, the proposed amendments centered on greater emphasis on individual privacy: clarifications of terms such as "personal data," requirements for service providers and data controllers to communicate their privacy policies, more significant fines, heavier scrutiny of international data transfers, and a recommendation that providers processing certain volumes of data appoint data protection officers.
Finally, industry associations such as the Cloud Security Alliance (CSA) have teamed up with the private sector to provide organizations with tools for building data security, privacy, and reliability factors, as well as key compliance and regulatory standards, into their IT practices. Microsoft, for example, has produced a free tool, the Cloud Security Readiness Tool (CSRT), which uses the Cloud Controls Matrix (CCM), a framework that maps multiple standards and regulations to standard IT policy domains to ease compliance burdens.
The CSRT is an interactive 10- to 15-minute survey of 27 questions that spans several security, privacy, and reliability topic areas, including capabilities for security policies, personnel, physical security, privacy, asset and risk management, and reliability. The output is a custom report that can help organizations speed up internal evaluations of cloud models and providers against critical risk areas and compliance with industry standards.
I have highlighted only a few examples above, and industry movement is not limited to just these instances. I will be continuing to watch this space and will be blogging about it regularly at Internet Evolution. What are your thoughts?
— Evelyn de Souza is a datacenter security strategy consultant and co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM). She blogs at RavenhairedMaven and is on Twitter @e_desouza.
It's exciting to see how much movement is going on in the many areas surrounding cloud standards, Evelyn. As we've seen in so many prior areas of IT, standardization -- whether de facto or formal -- is crucial to most technologies' advancement. In the case of cloud, standardization is mandatory. Europe certainly is sending that message loud and clear! And I can't imagine many enterprises or organizations in security-conscious industries anywhere in the world entrusting their infrastructures and data to non-standard cloud solutions. Now that we're getting a grasp on the real promise of cloud, there's a true incentive for vendors, the channel, industry organizations, and end-customers to unite and create, then abide by, standards that help us all advance this technology.
Hopefully, enterprises or organizations who are still a little hesitant about cloud computing will actually take the time to read these documents to gain a better level of confidence about moving over to the cloud. As you stated, these are great resources that can be used during the decision-making process.
@NicoleH, you know you took the words right out of my mouth. My opinion is that many companies have never even heard of NIST or its guidelines surrounding cloud computing security, and sadly I doubt many IT departments care. Too bad, as NIST is on the forefront of a lot these days.
It's a good thing there's at least a body like NIST formalizing standards for important subjects of enterprise computing such as cloud security. Although some organizations may not know about it now, with time they'll probably get to appreciate even the convenience of template policy documents and other handy things you get from NIST.
You and Nicole make a great point: Who, apart from NIST itself, should be doing a better job of broadcasting these standards to midsize enterprise managers? How can cloud vendors, service providers, and others that stand to benefit directly from increased adoption educate organizations about the existence of standards in a way that doesn't sound like advertising? What would ThinkerNetters recommend as most effective?
That's fantastic, @Nathan. What do these guidelines mean to your team, in terms of the way they'll help you operate, develop, and improve the SaaS/IaaS projects you're working on? Will they save you time? Money? Give you shortcuts? Thanks for sharing as much detail as you're comfortable with!