As companies struggle to develop cloud strategies that are both cost effective and protective of sensitive consumer and corporate data, the National Institute of Standards and Technology (NIST) can provide hands-on information to the private sector to help implement a reasonable cloud computing solution. Though NIST writes its guidelines for the U.S. Government, the private sector can learn from them, too. Recently, NIST has stressed that the three major challenge areas for adoption of cloud computing are security, portability and interoperability.
In June, NIST released draft Special Publication SP 500-299 as part of its ongoing obligation to develop technical and security standards for federal agencies as they adopt cloud computing solutions. The draft is undergoing further comment and review. While these standards will establish protocols for procurement of cloud services by the federal government, they are likely to influence the use of cloud services and contractual terms in the private sector as well.
Cloud computing — the big picture
Companies adopting cloud solutions may struggle with setting a framework for their analysis of how to adopt a cloud solution. Exactly what is the cloud? According to the NIST definition:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released. This cloud model is composed of five essential characteristics, three service models and four deployment models.
—National Institute of Standards and Technology (NIST),
U.S. Department of Commerce, September 2011
Though the above definition has been widely accepted, NIST also reminds us that cloud computing is an evolving paradigm. Currently, the five characteristics are: On-demand self-service; Broad network access; Resource pooling; Rapid elasticity; and Measured service. The three service models are: Software as a Service (SaaS); Platform as a Service (PaaS); and Infrastructure as a Service (IaaS). The four deployment models are: Private cloud; Community cloud; Public cloud; and Hybrid cloud. Any move to the cloud should consider which service model and which deployment model is best suited to the company’s needs, and this depends on the risk assessment.
Assessing risk
The risk assessment should, at a minimum, consider the type of data that may be moved. Does it include personally identifiable information, protected health information, sensitive business information or trade secrets? Personally identifiable information here means unencrypted data consisting of a first name or initial and last name in combination with one or more identifiers, such as a social security number, a driver's license number, a credit or debit card number, or a financial account number together with the PINs, passwords or other access codes that would enable access to the account.
Outsourcing an accounting function carries less risk than outsourcing the product development applications that hold intellectual property valuable to your company and that give you a competitive edge, or the databases that contain personally identifiable information. Further, consider what requirements apply to the data, such as data retention requirements and compliance with the laws governing that data. Whatever you are required to do, your cloud provider should be required to do as well.
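A pre-migration data-classification check that applies the definition of personally identifiable information given above (name in combination with one or more unencrypted identifiers) to a set of records, so that the riskiest datasets can be identified before a service or deployment model is chosen. This is an added example, not code from NIST or from the original article; the field names, the identifier formats (dashed SSN, 13–19 digit card numbers validated with the Luhn checksum), the `encrypted` marker and the sample rows are all assumptions constructed for the illustration.

```python
"""Added example: flag records that meet the name-plus-identifier definition of
personally identifiable information quoted in the text. Not NIST code; field
names, formats and sample rows are assumptions constructed for illustration."""
import re

# Assumed formats for the identifier types named in the definition.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")
ACCESS_CODE_FIELDS = ("pin", "password", "access_code")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; weeds out digit runs that
    merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_name(rec: dict) -> bool:
    """First name or initial, in combination with last name."""
    first = rec.get("first_name") or rec.get("first_initial")
    return bool(first and rec.get("last_name"))


def unencrypted_identifiers(rec: dict) -> list:
    """Identifiers present in the clear. Fields listed in rec['encrypted']
    (assumed marker) are stored encrypted and do not count."""
    enc = set(rec.get("encrypted", ()))
    found = []
    ssn = rec.get("ssn")
    if ssn and "ssn" not in enc and SSN_RE.match(ssn):
        found.append("ssn")
    if rec.get("drivers_license") and "drivers_license" not in enc:
        found.append("drivers_license")
    card = rec.get("card_number")
    if card and "card_number" not in enc and CARD_RE.match(card) and luhn_ok(card):
        found.append("card_number")
    # An account number counts only together with a PIN, password or access code.
    acct = rec.get("account_number")
    if acct and "account_number" not in enc:
        if any(rec.get(f) and f not in enc for f in ACCESS_CODE_FIELDS):
            found.append("account_number+access_code")
    return found


def is_pii(rec: dict) -> bool:
    """Name and at least one unencrypted identifier in the same record."""
    return has_name(rec) and bool(unencrypted_identifiers(rec))


def classify(records: list) -> dict:
    """Summarise a dataset before deciding where (and whether) it may move."""
    pii = [r for r in records if is_pii(r)]
    types = sorted({t for r in pii for t in unencrypted_identifiers(r)})
    return {"total": len(records), "pii_records": len(pii), "identifier_types": types}


# Constructed sample rows: fictitious people and numbers.
SAMPLE = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},
    {"first_initial": "J", "last_name": "Smith", "card_number": "4111111111111111"},
    {"first_name": "Bob", "last_name": "Lee", "ssn": "987-65-4321", "encrypted": ["ssn"]},
    {"first_name": "Ann", "account_number": "55501234", "pin": "4321"},  # no last name
    {"first_name": "Tom", "last_name": "Ng", "account_number": "55509876"},  # no access code
    {"first_name": "Eve", "last_name": "Kim", "card_number": "4111111111111112"},  # fails Luhn
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Only the first two rows are flagged: the third holds its identifier encrypted, the fourth lacks a last name, the fifth has an account number without an access code, and the sixth carries a digit string that fails the Luhn check. The same conjunctive rule is what makes field-level encryption of the identifier columns a meaningful risk reduction before data leaves the company.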
Don’t lose sight of legal obligations
As a follow-up to the risk assessment, companies investigating a move to the cloud should develop business models that address not only what data is moving to the cloud, but how secure the system is, and how to get the data back. These issues are just as important as the issue of cost reduction.
There is no one-size-fits-all cloud solution. Moving to the cloud can be complicated and risky once companies start storing corporate, employee or customer data there. Companies need to pay close attention to security, data retention, data portability, service interoperability and compliance with data security laws and regulations. Further, moving to the cloud in no way relieves you of your obligation to know where your data is and to comply with regulations concerning that data and any breach incidents involving it. Any contract with a cloud services provider should address data management policies and procedures as well as the areas of responsibility for accessing, collecting, exporting, preparing and delivering data.