NIST Issues Guidance on Cloud Computing Privacy and Security Requirements for Federal Agencies

On February 2, 2011, as part of its broader effort to encourage cloud computing for federal agencies, NIST announced a new cloud computing Wiki to enable industry-NIST collaboration and published three significant cloud computing documents. The documents separately address (1) security and privacy in public cloud computing, (2) the definition of cloud computing, and (3) a guide to security for virtualization technologies. For cloud providers, the most important is NIST’s draft Guidelines on Security and Privacy in Public Cloud Computing (the "Guidelines").  

The comprehensive 60-page Guidelines focus on identifying trouble spots that arise from using cloud providers and articulating an analytical framework to address them. Four overarching themes emerge: (1) moving data to the cloud does not relieve an organization from its privacy or data security obligations; (2) cloud computing complicates security because it adds layers of technology (and thus complexity and new avenues of attack) and strips the data owner of control over its data; (3) to the extent practicable, organizations should seek the same or better security on the cloud as in-house; and (4) cloud computing therefore requires a deliberative approach by organizations and unprecedented levels of trust between them and cloud providers. 

The Guidelines emphasize terms of service as a tool to deal with privacy and security challenges. Despite recognizing that many cloud providers offer only non-negotiable terms of service (and the cost-saving benefits that go with them), the draft guidelines offer a number of recommendations about what the terms of service should contain, including:

• “A detailed description of the service environment, including facility locations and applicable security requirements”
  • disclosure of any third party arrangements or nested cloud services (where a cloud provider stores customer data on another cloud provider’s system)
  • a prompt reporting requirement of breaches involving both information held for an organization and information held about an organization
• “Policies, procedures, and standards, including vetting [of staff] and management of staff”
• “The process for assessing the cloud provider’s compliance with service level agreements, including audits and testing”
• “Specific remedies for noncompliance or harm caused by the provider”
• “Procedures, protections, and restrictions for commingling organizational data and handling sensitive data”
• That the organization retains data ownership over all its data and the cloud provider acquires “no rights or licenses . . . to use the data for its own purposes”
• The provider’s obligations on contract termination
• That the contract should not be subject to unilateral amendment by the provider

NIST also released The NIST Definition of Cloud Computing (Draft) and its final Guide to Security for Full Virtualization Technologies. In the first, NIST formally adopts its working definition of cloud computing and asks for comments on whether it should be modified. In the second, NIST catalogues security risks for full virtualization and offers recommendations to address them. Virtualization is a core enabling technology that uses a layer of software to run multiple operating systems and applications on the same hardware. This allows cloud providers to maximize server resources.  The recommendations focus on the need to secure each component, especially the hypervisor, which is the software “conductor” that runs the virtual environment. NIST recommends securing the hypervisor by, for example, continuous monitoring, restricting administrative access, and disabling unnecessary tools. 

All three documents have the potential to shape how federal agencies and private-sector companies approach cloud computing and negotiating terms of service with cloud providers.  Comments on the draft documents are due on February 28, 2011.

Joel Buckman, an associate in Hogan Lovells Privacy and Information Management practice group located in the Washington, D.C office, assisted in the preparation of this entry.

Authored by the HL Chronicle of Data Protection Team