NIST Releases Cloud Computing Security and Privacy Guidelines

March 15, 2011

In January of this year the National Institute of Standards and Technology (NIST) released two draft publications, both of which provide additional useful information for better understanding the issues raised by cloud computing.

The NIST Definition of Cloud Computing (Special Pub. No. 800-145) sets forth five essential characteristics that define cloud computing, which are:

  • On-Demand Self-Service
  • Broad Network Access
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service

Three principal cloud service models are also described: (i) Software as a Service (SaaS), (ii) Platform as a Service (PaaS), and (iii) Infrastructure as a Service (IaaS). Because the term “cloud computing” is used so loosely to refer to many variations on the central characteristics, these definitions should help businesses and other organizations have more meaningful discussions with organizational stakeholders and service providers about cloud services.

The NIST Guidelines on Security and Privacy in Public Cloud Computing (Special Pub. No. 800-144) provides a useful overview and discussion of key security and privacy concerns. Although this document is written as a set of guidelines for public procurement officials and managers involved with technology implementation, many of the considerations identified in the Guidelines are equally applicable to businesses. Particularly helpful are the contract negotiation aspects sprinkled throughout the discussion.