(This post was originally published on the Virtual Integrated System Blog )

As I mentioned in a recent post, the National Institute of Standards and Technology recently published a document outlining the risks of cloud computing and offering policies and procedures to help reduce those risks. While the guidelines aren’t official federal policy yet, they are a good starting point for agencies at any level of government thinking about using public clouds as a part of their cost-cutting and consolidation of IT services.

The core guidelines of the NIST document come down to four main steps in preparing for a public cloud solution:

1. “Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.” Before even looking at cloud solutions, an organization should fully understand the privacy and security requirements of the data that will be handled. Not doing due diligence on all of the potential privacy and security issues in advance can lead to roadblocks later–or worse, major breaches in security and exposure of citizens’ private data. The City of Los Angeles was caught by surprise when it found its cloud solution wasn’t in alignment with federal data protection regulations for public safety data, for example.
2. “Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.” Most public cloud services–be they infrastructure-as-a-service, platform-as-a-service, or software-as-a-service–were not built with public sector regulatory requirements in mind. Agencies need to do an analysis of the gaps between what cloud providers offer and what their own privacy and security demands require–and then determine whether the cost of getting that sort of solution from a cloud provider makes going forward with a project financially feasible.
3. “Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.” Just because the application and data are secure at the back end in the provider’s cloud doesn’t ensure the overall security of the solution. It’s easy to overlook the client side, which can create a number of potential security problems–especially if SaaS applications include support for mobile devices. It’s important to consider issues like how to lock down smartphones and other mobile devices, preventing them from accessing internal resources through cached credentials, for example, if they’re lost or stolen. And there’s also the issue of how the public cloud service will integrate with identity management and established authentication standards already being used in the organization.
4. “Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.” Outsourcing the infrastructure doesn’t mean an organization is outsourcing responsibility. Public clouds should be handled like any other managed service or outsourcing arrangement–agencies need to ensure that security and privacy practices are applied consistently and appropriately in the cloud just as they are to internal IT resources. That means agencies should have visibility into the operation of the cloud service, including the ability to monitor the security of the cloud assets and continually assess how well security and privacy standards and practices are implemented within the cloud infrastructure.

At the end of the day, after assessing how well public cloud providers can handle the requirements of government applications, agencies may find that much of what they thought could be moved to a public cloud environment is better suited to a private cloud service.