NIST Team Deeply Studying Cloud Computing - InformationWeek


The cloud computing ambitions of federal CIO Vivek Kundra will likely only help to make NIST's work all the more important.

In the month since it was published, the National Institute of Standards and Technology's draft definition of cloud computing has gotten plenty of notice, both from press and the industry, as one of the better working definitions of the often-hazy concept of cloud computing. However, the scope of NIST's work on cloud computing is much wider than just a definition.

Last November, NIST dedicated a team of computer scientists in its Computer Security Resource Center's Systems and Network Security group, led by senior computer scientist Peter Mell, to studying and promoting the "effective and secure" use of cloud computing, both in government and the private sector.

Since then, NIST's cloud computing project team has been working collaboratively with industry and government agencies -- including a close relationship with the General Services Administration -- on three big initiatives: a series of publications describing cloud computing, Federal Information Security Management Act guidance as it relates to cloud computing, and promotion (not creation) of cloud standards. The cloud computing ambitions of federal CIO Vivek Kundra will likely only help to make NIST's work all the more important.

The draft definition, which is now in its 14th iteration, was just the first step.

"We attempted to put our hands around the entire industry doing cloud computing, so we didn’t have the bias that any vendor did in their own products," Mell said in an interview. "We're scientists, and we weren’t content with fuzzy definitions that encompassed anything and everything. We took a taxonomical approach to it that was not always common in definitions, but enabled people to think about cloud computing in a way that got a lot of traction."

NIST will begin its series on cloud computing this summer with a document that will include a final definition of cloud computing, guidance on different cloud computing models, strategies for effectively and securely deploying cloud computing, and ways to integrate cloud computing into legacy IT processes.

Since it's required to provide guidance on securing unclassified government systems, NIST also is looking closely at how cloud computing fits in with government compliance regulations, most importantly FISMA. Mell said security controls described in existing NIST publications like Special Publication 800-53 are applicable, but admitted that case studies are lacking.

In many cases, Mell said, agencies place additional requirements on top of NIST minimum recommended requirements, limiting the potential use of cloud computing. For example, agency policies often require IT administrators to physically inspect data centers where agency data would be held, or have agency-specific security requirements that cloud providers might find it difficult to meet. This summer, NIST will release some FISMA guidance that would allow a group of agencies or a single agency to certify and accredit cloud providers for others, thus opening up some doors for otherwise hesitant agencies.

NIST also is particularly interested in the concept of cloud standards, though Mell admits they may take a while. The government won't mandate cloud standards, Mell said, but it does see itself as a potential catalyst for the creation of cloud standards. "We believe data and application portability between clouds is very important, and we believe having standard cloud interfaces so you can provision resources from the cloud using standards-based mechanisms is very important," he said. Along with these elements, Mell is working to identify a minimum set of standards that might be necessary to guarantee portability and interoperability.
