The U.S. Department of Commerce’s National Institute of Standards and Technology on Tuesday released a final version of its guidelines for how organizations — particularly federal agencies — should manage security and privacy concerns when considering the use of public cloud-computing services. Public cloud services, unlike private clouds, require users to store their data on the provider’s shared equipment rather than on the organization’s own servers.

The new NIST security guidelines do not recommend any particular services, providers, or service models; instead, the guidelines highlight the steps organizations should take and the issues they should consider when evaluating any public cloud service.

The NIST guidelines recommend that organizations:

  • Carefully plan the security and privacy aspects of cloud computing solutions before engaging them. Security and privacy should be considered at the initial planning stage and throughout the system lifecycle. “Attempting to address security and privacy issues after implementation and deployment is not only much more difficult and expensive, but also exposes the organization to unnecessary risk.”
  • Understand the public cloud computing environment offered by the cloud provider. Organizations should establish a clear delineation of the respective responsibilities of the organization and the cloud provider; analyze the technologies and system architecture used by the cloud provider; and, as much as possible, independently verify providers’ security and privacy assurances.
  • Ensure that a cloud computing solution satisfies organizational security and privacy requirements. Organizations may need to negotiate non-standard agreements with public cloud providers to account for particular security or privacy needs, although non-standard agreements may reduce the economies of scale that make public cloud computing attractive. Alternatively, organizations should consider whether they can implement controls that compensate for a public service’s shortcomings, or whether using an internal private cloud would be more appropriate than relying on a public service.
  • Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing. A compromised client device — such as a desktop computer infected with a keystroke logger or other malware — can undermine the security of any public cloud service the client accesses. Organizations considering a move to public cloud services should assess their existing policies for dealing with client-side threats such as vulnerable browser components, social-engineering attacks and lost mobile devices.
  • Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments. An organization should “conduct ongoing monitoring of the security of [the] organization’s networks, information, and systems.” Where it is not possible to directly monitor the cloud provider’s operations, the organization will need to assess its confidence in the provider’s security based on third-party audits or on other evidence the provider can offer about the effectiveness of its security controls. “Ultimately, the organization is accountable for the choice of public cloud and the security and privacy of the outsourced service.”

The guidelines are the latest effort from NIST to provide direction to federal agencies on the use of cloud computing services. The Obama Administration’s Federal Cloud Computing Strategy, released in February 2011, set a goal “to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.” The strategy gives NIST a “central role” in developing cloud-computing standards, in cooperation with the other agencies, the private sector and international bodies. In November, NIST released a draft roadmap for federal agencies looking to implement cloud technology, and previously NIST had published the government’s definition of cloud computing.