NIST Issues Long-Awaited Cloud GuidanceSP 800-146 Describes Cloud's Strengths, Weaknesses
NIST has published its long-awaited cloud computing guidance, Special Publication 800-146: Cloud Computing Synopsis and Recommendations, that addresses risk management and other security matters.
The National Institute of Standards and Technology says the new guidance explains cloud computing systems in plain language and provides recommendations for information technology decision makers, including chief information officers, information systems developers, system and network administrators, information system security officers and systems owners.
SP 800-146 furnishes details on cloud deployment; available services; economic considerations; technical characteristics, such as performance and reliability; typical terms of service and security; and risk management challenges. The guidance also recommends how and when cloud computing is appropriate and indicates the limits of current knowledge and areas for future research and analysis.
The document reviews the NIST-established definition of cloud computing, describes cloud computing benefits and open issues, presents an overview of major classes of cloud technology and provides guidelines and recommendations on how organizations should consider the relative opportunities and risks of cloud computing.
Inherently, the guidance states, the move to cloud computing is a business decision in which the business case should consider the relevant factors, such as readiness of existing applications for cloud deployment, transition and life-cycle costs, maturity of service orientation in existing infrastructure and other factors including security and privacy requirements.
"Cloud computing has been the subject of a great deal of commentary," the guidance authors write. "Attempts to describe cloud computing in general terms, however, have been problematic because cloud computing is not a single kind of system, but instead spans a spectrum of underlying technologies, configuration possibilities, service models and deployment models. This document describes cloud systems and discusses their strengths and weaknesses."