Transforming Government IT
NIST SP800-144 Guidelines on Security and Privacy in Public Cloud Computing – A Relationship Manual

Participating in a public cloud means that there are two independent parties involved. When two parties are involved, a relationship is formed. And just as with any kind of relationship, each party has its own expectations. If they are not met, feelings might get hurt. Arguments and frustrations are normal, and it is possible to feel you are not getting out of the relationship what you are putting into it... Therefore, when starting a new relationship with your cloud provider it is important to understand where they are coming from and what their goals are, and in case the relationship proves not to work, you must think of an exit strategy.

The National Institute of Standards and Technology (NIST) has put out a relationship manual called "SP800-144: Guidelines on Security and Privacy in Public Cloud Computing." (The link to the document is at the end of this post.) It was developed to help you (the client) with the expectations that you should have of the cloud provider. It is a kind of counseling, a way to mediate the situation between the two parties. A way to find the happy place. These are guidelines to help you determine whether the relationship is going to last and flourish or fall on its face. It was officially developed for Federal Agencies, but it can be used for other relationships as well.

It was important that NIST released this document. They are the ones I find referenced the most when talking about Cloud Computing. There are so many definitions out there, and you might as well pick one. Just a reminder... NIST's definition of Cloud Computing is: "A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction."

Below are NIST's key guidelines for a successful implementation of cloud solutions, and MY short interpretation of each:

A) Carefully plan the security and privacy aspects of cloud computing solutions before engaging them

[ME] Make sure you define the security objectives of your organization and that everyone understands them, especially when planning for outsourcing. Plan your security based on the sensitivity of the data you intend to put in the cloud. In relationship terms... what is your partner's intention? Is this a serious relationship or something they take lightly?

B) Understand the public cloud computing environment offered by the cloud provider

[ME] Understand the cloud provider. What are their policies and guidelines? Don't take this outsourcing lightly, and make sure you do your due diligence on the cloud provider. In relationship terms... determine the good and the bad about your partner and what it is that you can "put up with."

C) Ensure that a cloud computing solution satisfies organizational security and privacy requirements

[ME] Interesting section... It is somewhat the same as section B), BUT it recognizes the fact that a public cloud may not work for you. It is possible that the terms of the cloud provider just do not fit your needs. It is possible that your needs can only be met by a private cloud. In relationship terms... prepare for other options. Understand that the partner may not be right for you in the long run and you need an "exit" strategy. (One note... don't have an "exit" strategy in your personal relationship until you really need it. :) )

D) Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing

[ME] So how are you, the client, accessing the data at the provider's site? It is important to understand that accessing data that is located remotely has security risks of its own: the client endpoint becomes part of the attack surface, and the guidelines specifically call out web browsers, their plug-ins and extensions, and mobile devices as the client-side components to review. These risks apply to any organization that is a client of any type of cloud. In relationship terms: communication... communication... communication. Is it safe to tell them everything? Are the communication lines completely open, or do some things get said under the breath?

E) Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments

[ME] Continuous monitoring is the main thread in this section. Of course, monitoring only makes sense when it is done with an understanding of the security policies and controls in place. You must be aware of all the aspects of the environment you are accountable for. Confidence in your provider can only be built through visibility. Best line out of this section... "Cloud Computing is based on the security of many individual components". In relationship terms... relationships are the best when the pairing is right and it just works. But even then you still need to do your share of the relationship work. Do you help each other out, take out the trash, and do your share of the grocery shopping? When it comes down to it, actions speak louder than words.

If you want to review the document yourself, it is available at http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf