You Know Cloud Security Is An Issue When . . .

July 1, 2011

It’s not often that matters that fall into the techy-wonk category make the editorial page of the NY Times. So, it’s noteworthy that the lead editorial in yesterday’s Times expressed many of the commonly cited security and privacy concerns and risks associated with cloud computing. The commentary was by no means of the doom-and-gloom variety and could be viewed as both a validator that the cloud is now just about as mainstream as any technology phenomenon — if the recent fanfare around Apple’s announcement of iCloud or the seemingly ubiquitous “Cloud with Confidence” commercials by Cisco, among many other things, hasn’t already made that evident — and a harbinger of even more regulatory focus on ensuring online privacy and security, which has been simmering now for quite a while.

Photo Credit: Mammatus Storm Clouds, by Derrich, Wikimedia Commons

PCI DSS Guidelines Issued for Virtualized Environments, including Cloud Computing

June 22, 2011

As the business and consumer worlds migrate their activities to the cloud, it’s logical that participants in the payment card ecosystem are also part of that inexorable movement toward all things cloud. Relevant legal rules and industry best-practice standards are still catching up to this shift. In keeping with this, after ruminating on related considerations for some time, the PCI Security Standards Council last week issued a supplement to its PCI Data Security Standard focused on the peculiar risks associated with virtualized computing environments and resources, including cloud computing. Not surprisingly, the general rule of thumb is that if a security feature is required in a non-virtual computing environment, that feature is also required in the virtual environment. However, the PCI document, entitled Information Supplement: PCI DSS Virtualization Guidelines, recognizes that assessing and addressing the security risks posed by virtualization technologies presents more daunting challenges than is the case with non-virtual resources.

While there is good discussion within the Guidelines about many technologies, I found the cloud computing discussion most interesting. The Guidelines recognize that each cloud service needs to be evaluated for its specific security and processing attributes in relation to PCI DSS compliance. However, because many SaaS cloud providers perform generally comprehensive functions that user organizations do not, the Guidelines make clear that greater PCI compliance burdens will likely be the responsibility of the cloud service provider and, as a result, the Guidelines outline a variety of matters for which a cloud services user should seek assurance from the provider.

Link to Supplement

NIST Releases Cloud Computing Security and Privacy Guidelines

March 15, 2011

In January of this year the National Institute of Standards and Technology (NIST) released two draft publications, both of which provide additional useful information for better understanding the issues raised by cloud computing.

The NIST Definition of Cloud Computing (Special Pub. No. 800-145) sets forth five essential characteristics that define cloud computing, which are:

  • On-Demand Self-Service
  • Broad Network Access
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service

Three principal cloud service models are also described: (i) Software as a Service (SaaS), (ii) Platform as a Service (PaaS), and (iii) Infrastructure as a Service (IaaS).  Because the term “cloud computing” is used so loosely to refer to many variations on the central characteristics, these definitions should assist businesses and other organizations to have more meaningful discussions with organizational stakeholders and service providers about cloud services.

The NIST Guidelines on Security and Privacy in Public Cloud Computing (Special Pub. No. 800-144) provide a useful overview and discussion of key security and privacy concerns. Although this document is written as a set of guidelines for public procurement officials and managers involved with technology implementation, many of the considerations identified in the Guidelines are equally applicable to businesses. Particularly helpful are the contract negotiation aspects sprinkled throughout the discussion.