NIST just hosted Cloud Computing Workshop and Forum VIII at their headquarters in Gaithersburg, MD. It is part of the larger NIST ITL Cloud Computing Program. It was an impressive event, with four days of multiple simultaneous tracks. As security professionals, we all know it’s hard to juggle and stay abreast of all the topics and updates – new threats, new guidance, etc., and I’ll be frank, I had turned my attention away from cloud computing and cloud security for a large portion of the last year to work on other things. I’ll admit I was really surprised at how much the breadth, depth, and maturity of this field has grown in that time. As a federally focused practitioner, and given the location, I was expecting to show up and hear about FedRAMP and cloud security controls. Though they did cover those topics, it was a small portion of the event overall.
The list of presenters was diverse: academia, NIST and many other federal employees, implementers, consultants, and vendors (including RSA - our CTO, Zulfikar Ramzan gave one of the keynotes). They covered a hue range of topics, so I’ll just mention a few takeaways from the event I’d share:
Maturing library of standards. Just as the first wave of real cloud guidance (dating back to roughly 2011) is being adopted, there are so many new cloud computing guidelines and standards and updates either just coming out or in draft at the moment. As you’d expect, NIST and ISO, like with other IT and security standards and guidance, are at the forefront, but add to that Cloud Security Alliance, the Open Group, IEEE, and others, you get the scope of players and each of them introducing new standards and considerations.
New challenges, new taxonomy. There was a significant amount of time given to discussing the developing taxonomy for dealing with new challenges presented by cloud computing. Don’t feel bad, however, if you can’t articulate the difference between a cloud broker, cloud service manager, cloud provider, and cloud carrier – I couldn’t either, but NIST SP 500-292 started this conversation years ago and ISO is augmenting it with standards currently in development like ISO 19944. To effectively manage new cloud paradigms we need new ways to describe new data types, new architecture, and new customer scenarios.
Collaborative effort, diversified risk. I think I heard the acronym “SLA” almost as many times during the event as I did the word “cloud”. There was a lot of emphasis on business to business implications, specifically SLAs, because of the transference and ownership of risk across the lines of multiple organizations. SLAs in the past were viewed as just an annoying bit of paperwork, or an item to have for an audit checklist, but the number of players and moving parts in a cloud environment are going to make closer friends of your IT staff, legal staff, and acquisition office going forward. SLAs are critical to managing cloud computing risk and the number of teams and organizations involved can create a “cascading SLA” effect to make things even more challenging. ISO has several standards under development for this area (ISO 19086-1, 2, and 3).
There were many other one-off questions and topics like cloud forensics, deleting data in the cloud, privacy vs. security, etc., too many, in fact, to cover here - but for the curious: a link to the slides and presentation from the event. Wrapping up, the message I got from this event and from the industry, is that processes and security are mature enough that real adoption of the cloud is underway. We are finally past the phase where everyone is dipping their toe in but waiting for someone else to take the first plunge.
Thanks for reading and email me with comments or questions.
