Cyberdefense and Information Assurance

NIST Sketches Map to Secure Public Cloud for Feds

NIST has just published a draft set of guidelines for government agencies to follow to ensure security and privacy compliance when they use public cloud services, such as Google Apps for Government.  Written by NIST computer scientists Wayne Jansen and Timothy Grance, NIST Draft Special Publication 800-144 is the product of several years of work examining cloud computing, and comes just as the federal government is instituting a “cloud first” policy for new IT projects.  While it’s still in draft phase for comment, the recommendations included in it apply not just to federal agencies, but to any public sector organization looking at possibly using public cloud services.
Entitled “Guidelines on Security and Privacy in Public Cloud Computing” (PDF), it takes a deep dive on all of the concerns, precautions and policies that agencies at all levels should be aware of when looking at public cloud services, and even offers up the City of Los Angeles’ conversion to Google Apps for Government as a case study of what can go right and wrong in a migration to cloud. Google had to make some extraordinary contractual concessions to the City of Los Angeles to meet the city’s needs, and it’s not certain they would be able to be so flexible for many state and local governments’ requirements.
At a high level, Jansen and Grance’s recommendations fall into four major categories:
  1. “Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.” Before even looking at cloud solutions, an organization should make certain that they fully understand the privacy and security requirements of the data that will be handled.  Not doing due diligence on all of the potential privacy and security issues in advance can lead to roadblocks to deployment later—or worse, major breaches in security or exposure of citizens’ private data. The City of Los Angeles was caught by surprise when it found that its cloud solution wasn’t in alignment with federal data protection regulations for public safety data, for example.
  2. “Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements. “ The financial advantage of cloud services usually comes from the same advantage that drove Henry Ford’s model of manufacturing efficiency: “You can have any color, as long as it’s black.”  Most public cloud services—be they infrastructure-as-a-service, platform-as-a-service, or software-as-a-service, were not built with public sector regulatory requirements in mind.  Agencies need to do an analysis of the gaps between what cloud providers have and what their own privacy and security demands require—and then determine whether the cost of getting that sort of solution from a cloud provider makes going forward with a project financially feasible.
  3. “Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.” Just because the application and data are secure at the back end in the provider’s cloud doesn’t ensure the overall security of the solution.  It’s easy to overlook the client side, which can create a number of potential security problems—especially if SaaS applications include support for mobile devices.  It’s important to take issues like how to lock down smart phones and other mobile devices from being able to gain access through cached credentials, for example, if they’re lost or stolen.   And there’s also the issue of how the public cloud service will integrate with identity management and established authentication standards already being used in the organization.
  4. “Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.” Outsourcing the infrastructure doesn’t mean an organization is outsourcing responsibility.  Public cloud should be handled like any managed service or outsourcing arrangement—agencies need to be able to ensure that security and privacy practices are applied consistently and appropriately in the cloud just as they are to internal IT resources.  That means that agencies should ensure that they have visibility into the operation of the cloud service , including the ability to monitor the security of the cloud assets, and continually assess how well security and privacy standards and practices are implemented within the cloud infrastructure.
Standard