At the start of 2012, concerns about the cloud, government regulations, loss of IT control, a lack of consistent and mature standards, and data privacy eroded business confidence in both private and public cloud computing. But over the course of 2012 and into 2013, several government bodies and industry associations launched initiatives to enable broader adoption of cloud computing models, and these initiatives share several traits: a broader focus on the privacy of individual and company data, and a demand for greater transparency on the part of service providers.
The National Institute of Standards and Technology (NIST) has long established itself as an authority on cloud computing with The NIST Definition of Cloud Computing (NIST SP 800-145), which became the default industry standard for the way cloud is defined. In January 2012, NIST followed this up with Guidelines on Security and Privacy in Public Cloud Computing (NIST SP 800-144), which gives an overview of the security and privacy challenges facing public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment.
And in May 2012, NIST released Cloud Computing Synopsis and Recommendations (NIST SP 800-146), which gives an overview of the major classes of cloud technology and provides guidelines and recommendations on how organizations should weigh the relative opportunities and risks of cloud computing. Together these documents give IT staff and executives solid guidance on compliance, governance, and security. In particular, SP 800-146 lists the components required for secure cloud deployments, including the infrastructure layer, as well as requirements for the application stack. It details what service level agreement (SLA) expectations you should have of a cloud vendor and discusses how responsibilities are divided when outsourcing to the public cloud.
In Europe, the Article 29 Working Party, established under the EU data privacy legislation, made strong headway in resolving data privacy compliance concerns. On January 10, 2013, proposed amendments to the European Commission's proposed General Data Protection Regulation were presented to the LIBE Committee. While by no means final, the proposed amendments centered on a greater emphasis on individual privacy: clarification of terms such as "personal data," requirements for service providers and data controllers to communicate their privacy policies, more significant fines, heavier scrutiny of international data transfers, and a recommendation that providers processing certain volumes of data appoint data protection officers.
Finally, industry associations such as the Cloud Security Alliance (CSA) have teamed up with the private sector to give organizations tools for building data security, privacy, and reliability factors, as well as key compliance and regulatory standards, into their IT practices. Microsoft, for example, has produced a free tool, the Cloud Security Readiness Tool (CSRT), which uses the CSA Cloud Controls Matrix (CCM), a framework that maps multiple standards and regulations to standard IT policy domains to ease the compliance burden.
The CSRT is an interactive 10- to 15-minute survey of 27 questions spanning several security, privacy, and reliability topic areas, including security policies, personnel, physical security, privacy, asset and risk management, and reliability. The output is a custom report that can help organizations speed up their internal evaluation of cloud models and providers against critical risk areas and compliance with industry standards.
I have highlighted only a few examples above; industry movement is not limited to these instances. I will continue to watch this space and will be blogging about it regularly at Internet Evolution. What are your thoughts?
— Evelyn de Souza is a datacenter security strategy consultant and co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM). She blogs at RavenhairedMaven and is on Twitter @e_desouza.
If I remember rightly, NIST is also involved in FedRAMP -- the development of cloud standards by the federal government. That's probably another thing a lot of enterprises haven't heard of.
That's fantastic, @Nathan. What do these guidelines mean to your team, in terms of the way they'll help you operate, develop, and improve the SaaS/IaaS projects you're working on? Will they save you time? Money? Give you short-cuts? Thanks for sharing as much detail as you're comfortable with!
You and Nicole make a great point: Who, apart from NIST itself, should be doing a better job of broadcasting these standards to midsize enterprise managers? How can cloud vendors, service providers, and others that stand to benefit directly from increased adoption educate organizations about the existence of standards in a way that doesn't sound like advertising? What would ThinkerNetters recommend as most effective?
It's a good thing there's at least a body like NIST formalizing standards for important subjects of enterprise computing such as cloud security. Although some organizations may not know about it now, with time they'll probably get to appreciate even the convenience of template policy documents and other handy things you get from NIST.
@Mitch, I'm one of them! I currently work for a cloud telecom provider, and I'm doing projects involving SaaS and IaaS. You can bet that I will be passing these NIST guidelines on to my staff.
@NicoleH, you know you took the words right out of my mouth. My opinion is that many companies have never even heard of NIST and its guidelines surrounding cloud computing security, and sadly I doubt many IT departments care. Too bad, as NIST is at the forefront of a lot these days.
Hopefully, enterprises or organizations that are still a little hesitant about cloud computing will actually take the time to read these documents to gain a better level of confidence about moving over to the cloud. As you stated, these are great resources that can be used during the decision-making process.
It's exciting to see how much movement is going on in the many areas surrounding cloud standards, Evelyn. As we've seen in so many prior areas of IT, standardization -- whether de facto or formal -- is crucial to most technologies' advancement. In the case of cloud, standardization is mandatory. Europe certainly is sending that message loud and clear! And I can't imagine many enterprises or organizations in security-conscious industries anywhere in the world entrusting their infrastructures and data to non-standard cloud solutions. Now that we're getting a grasp on the real promise of cloud, there's a true incentive for vendors, the channel, industry organizations, and end-customers to unite and create, then abide by, standards that help us all advance this technology.