
Cloud standards: NIST and BSI

Sunday 5th February 2012
Courtesy NIST and BSI. Figure: Public Cloud Scenarios (courtesy bilderbeekconsulting.com).

As business ensures continuity, backup and security of data and the use of remote testing of the cloud, the reputable NIST publishes "Guidelines on Security and Privacy in Public Cloud Computing." In the UK, the redoubtable BSI opts to offer "Data Protection" and more recently an "Introduction to Legal Issues."

Quite topically, hot on the heels of Roke Manor winning the only conformance testing facility, comes the US National Institute of Standards and Technology (NIST) Guidelines on Security and Privacy in Public Cloud Computing, an intriguing read with some nice new acronyms such as the Simple Object Access Protocol (SOAP), together with Data Sanitisation, aka expunge, degauss, and overwrite.

Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organisation.

While aspects of these characteristics have been realised to a certain extent, cloud computing remains a work in progress.

This NIST publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organisations should take when outsourcing data, applications, and infrastructure to a public cloud environment.

Two types of service agreements exist: predefined non-negotiable agreements and negotiated agreements. The publication weighs the security and privacy upsides and downsides: staff specialisation, platform strength, resource availability, backup and recovery, mobile endpoints and data concentration, shared multi-tenant environments, internet-facing services, and loss of control.

Cloud computing promises to have far-reaching effects on the systems and networks of federal agencies and other organisations, notes NIST. Emphasis on the cost and performance benefits of public cloud computing should be balanced with the fundamental security and privacy concerns that federal agencies and organisations have with these computing environments.

Many of the features that make cloud computing attractive can also be at odds with traditional security models and controls. Several critical pieces of technology, such as a solution for federated trust, are not yet fully realised, impinging on successful cloud computing deployments.

Determining the security of complex computer systems composed together is also a long-standing security issue that plagues large-scale computing in general, and cloud computing in particular. Attaining high assurance qualities in system implementations has been an elusive goal of computer security researchers and practitioners and, as demonstrated in the examples given in this report, is also a work in progress for cloud computing.

Nevertheless, public cloud computing is a compelling computing paradigm that agencies should consider for their information technology solution set. Accountability for security and privacy in public cloud deployments cannot be delegated to a cloud provider and remains an obligation for the organisation to fulfill.

Federal agencies must ensure that any selected public cloud computing solution is configured, deployed, and managed to meet the security, privacy, and other requirements of the organisation. Organisational data must be protected in a manner consistent with policies, whether in the organisation’s computing center or the cloud.

The organisation must ensure that security and privacy controls are implemented correctly and operate as intended, throughout the system lifecycle. The transition to an outsourced, public cloud computing environment is in many ways an exercise in risk management.

Risk management entails identifying and assessing risk, and taking steps to reduce it to an acceptable level. Assessing and managing risk in cloud computing systems requires continuous monitoring of the security state of the system, and can prove challenging, since significant portions of the computing environment are under the control of the cloud provider and likely beyond the organisation’s purview.

Throughout the system lifecycle, risks that are identified must be carefully balanced against the security and privacy controls available and the expected benefits from their utilisation. Too many controls can be inefficient and ineffective.

Figure: Cloud computing, "the most hyped subject in IT today" (courtesy Gartner Hype Cycle).


Federal agencies and other organisations must work diligently to maintain an appropriate balance between the number and strength of controls and the risks associated with cloud computing solutions.

Cloud computing is a new computing paradigm still emerging. Technology advances are expected to improve performance and other qualities of services from public clouds, including privacy and security. Many agency systems are long lived and, if transitioned to a public cloud, will likely experience technology and other changes over the course of their lifetime.

Cloud providers may decide to sell or merge their offerings with other companies; service offerings may be eclipsed by those of another cloud provider or fall into disfavour; and organisations may be required to re-compete an existing contract for cloud services, when all option years have been exhausted. Eventually having to displace some systems to another public cloud is a distinct possibility that federal agencies and other organisations must not overlook.


BRITISH STANDARDS: DATA PROTECTION & LEGAL ISSUES 

A look at what the redoubtable British Standards Institute offers along these lines discloses BS 10012:2009 Data protection. Specification for a personal information management system, and BIP 0117 Cloud Computing. A practical introduction to the legal issues, but nothing as yet specifically for government computing.

Published in May 2009, BS 10012 was developed to help companies establish and maintain a best-practice personal information management system that complies with the Data Protection Act 1998. It is the first standard that relates to the management of personal information. By following the framework set out within BS 10012, organisations can improve their data storage protection and manage data processing and data transfers better – so that they comply with legislation.

Published in November 2010, BIP 0117 is a book introducing cloud computing to anyone who is new to this internet concept. Well researched and thorough, BIP 0117 compares the development of this new computing paradigm to other ways of buying computing resource.

It also summarises legal liability and issues that could arise – some unique to cloud and others more generic. The book highlights factors that should be taken into account to ensure data storage protection and data security in the cloud. BIP 0117 was written to give a practical, hands-on resource for anyone who has bought or provides cloud computing services.


Gail Purvis