New NIST Guidance Tackles Public Cloud Security

2 Other Special Publications Focus on Cloud Definitions, Virtualization
The National Institute of Standards and Technology Wednesday issued two drafts on cloud computing, including the first set of guidelines for managing security and privacy in the cloud and another on cloud computing definitions. NIST issued new virtualization guidance, as well.

Special Publication 800-144 (Draft): Guidelines on Security and Privacy in Public Cloud provides an overview of the security and privacy challenges for public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment.

Safeguarding data in the public cloud isn't much different from other types of IT security. "It's the same advice we give for almost any deployment of IT because it is still the right thing to do," says NIST Senior Computer Scientist Tim Grance, who coauthored SP 800-144. "Take out the word 'cloud computing' and put in any major technology. You always want to carefully plan for security and privacy before you do those things rather than after you do them."

Among SP 800-144's key guidelines:

  • Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
  • Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
  • Ensure that the client-side computing environment meets organization security and privacy requirements for cloud computing.
  • Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

Public comments on SP 800-144 should be submitted to NIST by Feb. 28. NIST sees draft publications as solid guidance, but looks to the public, including experts in government, to make suggestions to improve the final versions of its reports.

SP 800-145 (Draft): The NIST Definition of Cloud Computing is a result of several years of documentation of cloud computing terminology by NIST researchers. NIST had posted those cloud computing definitions on its website. "We didn't change it remarkably from what was on the website, just a few minor, minor things," Grance says. "It's just sort of putting our ear to ground and listening to what the public and private sector are saying."

Comments on suggested changes or enhancements can be sent by Feb. 28.

SP 800-125: Guide to Security for Full Virtualization Technologies describes security concerns associated with full virtualization technologies for server and desktop virtualization and provides recommendations. NIST says most existing recommended security practices apply in virtual environments and the practices described in SP 800-125 build on and assume the implementation of practices described in other NIST computer security publications.

Full virtualization provides a complete simulation of underlying computer hardware, enabling software to run without any modification. For cloud computing systems in particular, NIST says, full virtualization can increase operational efficiency because it can optimize computer workloads and adjust the number of servers in use to match demand, thereby conserving energy and information technology resources.

Intended for system administrators, security program managers and security engineers, SP 800-125 recommends that organizations:

  • Secure all elements of a full virtualization solution and maintain their security.
  • Restrict and protect administrator access to the virtualization solution.
  • Ensure that the hypervisor, the central program that runs the virtual environment, is properly secured.
  • Plan carefully the security for a full virtualization solution before installing, configuring and deploying it.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
