6/3/2009
12:00 PM

NIST Team Deeply Studying Cloud Computing

The cloud computing ambitions of federal CIO Vivek Kundra will likely only help to make NIST's work all the more important.

In the month since it was published, the National Institute of Standards and Technology's draft definition of cloud computing has gotten plenty of notice, both from the press and the industry, as one of the better working definitions of the often-hazy concept of cloud computing. However, the scope of NIST's work on cloud computing is much wider than just a definition.

Last November, NIST dedicated a team of computer scientists in its Computer Security Resource Center's Systems and Network Security group, led by senior computer scientist Peter Mell, to studying and promoting the "effective and secure" use of cloud computing, both in government and the private sector.

Since then, NIST's cloud computing project team has been working collaboratively with industry and government agencies -- including a close relationship with the General Services Administration -- on three big initiatives: a series of publications describing cloud computing, Federal Information Security Management Act guidance as it relates to cloud computing, and promotion (not creation) of cloud standards. The cloud computing ambitions of federal CIO Vivek Kundra will likely only help to make NIST's work all the more important.

The draft definition, which is now in its 14th iteration, was just the first step.

"We attempted to put our hands around the entire industry doing cloud computing, so we didn’t have the bias that any vendor did in their own products," Mell said in an interview. "We're scientists, and we weren’t content with fuzzy definitions that encompassed anything and everything. We took a taxonomical approach to it that was not always common in definitions, but enabled people to think about cloud computing in a way that got a lot of traction."

NIST will begin its series on cloud computing this summer with a document that will include a final definition of cloud computing, guidance on different cloud computing models, strategies for effectively and securely deploying cloud computing, and ways to integrate cloud computing into legacy IT processes.

Since it's required to provide guidance on securing unclassified government systems, NIST also is looking closely at how cloud computing fits in with government compliance regulations, most importantly FISMA. Mell said security controls described in existing NIST publications like Special Publication 800-53 are applicable, but admitted that case studies are lacking.

In many cases, Mell said, agencies place additional requirements on top of NIST minimum recommended requirements, limiting the potential use of cloud computing. For example, agency policies often require IT administrators to physically inspect data centers where agency data would be held, or have agency-specific security requirements that cloud providers might find it difficult to meet. This summer, NIST will release some FISMA guidance that would allow a group of agencies or a single agency to certify and accredit cloud providers for others, thus opening up some doors for otherwise hesitant agencies.

NIST also is particularly interested in the concept of cloud standards, though Mell admits they may take a while. The government won't mandate cloud standards, Mell said, but it does see itself as a potential catalyst for the creation of cloud standards. "We believe data and application portability between clouds is very important, and we believe having standard cloud interfaces so you can provision resources from the cloud using standards-based mechanisms is very important," he said. Along with these elements, Mell is working to identify a minimum set of standards that might be necessary to guarantee portability and interoperability.

