In the month since it was published, the National Institute of Standards and Technology's draft definition of cloud computing has gotten plenty of notice, from both the press and the industry, as one of the better working definitions of the often-hazy concept of cloud computing. However, the scope of NIST's work on cloud computing is much wider than just a definition.
Last November, NIST dedicated a team of computer scientists in its Computer Security Resource Center's Systems and Network Security group, led by senior computer scientist Peter Mell, to studying and promoting the "effective and secure" use of cloud computing, both in government and the private sector.
Since then, NIST's cloud computing project team has been working collaboratively with industry and government agencies -- including a close relationship with the General Services Administration -- on three big initiatives: a series of publications describing cloud computing, Federal Information Security Management Act guidance as it relates to cloud computing, and promotion (not creation) of cloud standards. The cloud computing ambitions of federal CIO Vivek Kundra will likely only help to make NIST's work all the more important.
The draft definition, which is now in its 14th iteration, was just the first step.
"We attempted to put our hands around the entire industry doing cloud computing, so we didn’t have the bias that any vendor did in their own products," Mell said in an interview. "We're scientists, and we weren’t content with fuzzy definitions that encompassed anything and everything. We took a taxonomical approach to it that was not always common in definitions, but enabled people to think about cloud computing in a way that got a lot of traction."
NIST will begin its series on cloud computing this summer with a document that will include a final definition of cloud computing, guidance on different cloud computing models, strategies for effectively and securely deploying cloud computing, and ways to integrate cloud computing into legacy IT processes.
Since it's required to provide guidance on securing unclassified government systems, NIST also is looking closely at how cloud computing fits in with government compliance regulations, most importantly FISMA. Mell said security controls described in existing NIST publications like Special Publication 800-53 are applicable, but admitted that case studies are lacking.
In many cases, Mell said, agencies place additional requirements on top of NIST minimum recommended requirements, limiting the potential use of cloud computing. For example, agency policies often require IT administrators to physically inspect data centers where agency data would be held, or have agency-specific security requirements that cloud providers might find difficult to meet. This summer, NIST will release some FISMA guidance that would allow a group of agencies or a single agency to certify and accredit cloud providers for others, thus opening up some doors for otherwise hesitant agencies.
NIST also is particularly interested in the concept of cloud standards, though Mell admits they may take a while. The government won't mandate cloud standards, Mell said, but it does see itself as a potential catalyst for the creation of cloud standards. "We believe data and application portability between clouds is very important, and we believe having standard cloud interfaces so you can provision resources from the cloud using standards-based mechanisms is very important," he said. Along with these elements, Mell is working to identify a minimum set of standards that might be necessary to guarantee portability and interoperability.