The National Institute of Standards and Technology (NIST) recently released a three-volume work in progress relating to U.S. government adoption of cloud computing technologies. In the preliminary discussion, the security requirement is noted as “not considered to be fully met at present.” Cloud providers and cloud users should be aware of the development of federal guidelines, as a new federal standard may have a significant effect on cloud computing standards of care. The full three volumes, and related information, may be found at the NIST cloud computing center, and the deadline for comments is December 2, 2011.
While NIST is working on developing federal contracting standards for security, non-governmental entities must also be concerned about security for compliance with data breach laws, for regulatory compliance in particular industries, and generally for marketing considerations. Despite the variety of types of cloud computing customers, “as-a-service” providers often take a one-size-fits-all approach to security. Each such cloud provider generally has a single security policy, and, in order to keep costs down, that policy is all it will agree to, regardless of whether it satisfies the individual customer’s particular security needs; such cloud providers seem hesitant to provide customers with unique services. A more cooperative discussion regarding the security of data may be needed, from both a contractual agreement standpoint and a risk management standpoint, and the results of that discussion should be documented with appropriate contractual language.
Typically, outsourcing providers resist granting broad audit rights to their customers, and cloud computing “as-a-service” providers are even more reluctant. To protect their interests in the security of data, cloud users may demand a quality audit of an “as-a-service” provider, which would require a significantly more in-depth look into the cloud computing provider’s computer systems and proprietary methods. As a customer is relinquishing even more control of its data than under a more traditional service contract, the desire and need for an audit should be greater. These concerns are compounded if the “as-a-service” provider utilizes a third-party hosting company to host the data and run the “as-a-service” provider’s application. In such an instance, customers should consider requiring the right to audit the third-party host’s data centers and security systems as well.