The National Institute for Standards and Technology (NIST) this week published additional guidelines for cloud computing security that would appear to put the onus for security in the cloud clearly on the end user.
The NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing does a good job of framing cloud security issues. But it seems to conclude that because cloud computing services are like any other IT resource, it’s incumbent upon the organization using them to make sure they are secure.
On a theoretical level, that’s true. In practice, however, most users of cloud computing services don’t have any control over the internal IT infrastructure being managed by the cloud service provider. That means, for example, the end user really has no way of making sure the virtual machine environment is secure, or that the cloud provider has put the proper controls in place to ensure a customer’s service has not been compromised by an insider threat.
On a practical level, this latest NIST guidance on security is a little naive. If anything, one of the primary characteristics IT organizations should be evaluating cloud service providers on is the degree to which they can protect their customers’ security interests. In many instances, that’s going to mean going with a higher-cost provider that has taken the time and money required to secure its environment. And under no circumstances should IT organizations interpret the NIST guidelines as absolving cloud service providers of any security responsibility.
Modern best practices for IT security rely on defense-in-depth strategies to protect multiple layers of computing. Cloud computing services are simply one more layer of computing that needs to be protected. But that’s not going to happen unless all the parties involved are working cooperatively to make it happen. It’s up to the IT organizations to make sure the cloud service provider has put the proper levels of control in place to secure the environment. But that doesn’t absolve the cloud service provider of the responsibility for making sure those controls are in place.