Security Requirements in Government Cloud Computing
One of the DLT Cloud Advisory Group’s mandates is to remain focused on the emerging threat landscape within cloud computing. We proactively engage the public sector community interested in cloud computing. We also actively contribute to create standards through our participation in various Standards Development Organizations.
Along with the Institute of Electrical and Electronics Engineers, the Cloud Standards Customer Council, and the Cloud Security Alliance, we are active contributors to the National Institute of Standards and Technology (NIST), a leading technology agency within the government. Recently, we have been assisting the NIST Cloud Computing Security Working Group’s (NCC-SWG) research efforts. The focus of NCC-SWG is to define the Federal roadmap for developing security standards and bestpractices for implementing cloud computing.
The NCC-SWG recently finalized a white paper titled: Challenging Security Requirements in US Government Cloud Computing Adoption. They identify a list of challenging security requirements that Federal managers perceive as impediments to the adoption of cloud computing. The document focuses on the description of the requirements and identifies mitigations for each issue.
- Process-oriented Security Requirements: These requirements rely on human-centered processes, procedures, and guidance for mitigation.
- Technically-oriented Security Requirements: These issues are amenable to automated mitigation mechanisms or require technical development and/or research for mitigating solutions.
While cloud computing is still gaining momentum, the threat landscape is evolving more rapidly. Moving to public cloud computing involves a transfer of control and responsibility which complicates decision making for the federal acquisition of cloud services. This lack of control coupled with a rapidly evolving threat landscape against the cloud has caused federal managers to scramble for guidance.
The 18-month research project was wide and deep in scope, and the subsequent white paper was aimed at providing guidance for heterogeneous uses cases for cloud computing. The document is not intended to be a comprehensive list of the highest risks to federal data in a cloud environment. Instead, think of it as a practical look at documented concerns expressed by Federal managers. These apprehensions were noted by government officials and the private sector, and are explored within the whitepaper. The research identified whether the mitigations are process or technology focused.
You can read the white paper by clicking on this link: Challenging Security Requirements in US Government Cloud Computing Adoption.
Image courtesy of CloudProviderUSA.com