NIST: Cloud reliability, information security remain 'open issues'


A new publication from the National Institute of Standards and Technology summarizes major classes of cloud computing technology and their benefits, but also notes 23 "open issues" regarding the cloud computing technology overall.

Some of the issues highlighted in NIST Special Publication 800-146 (.pdf) "are traditional distributed computing topics that have remained open for decades" but have become more relevant since the emergence of cloud computing. "Other issues appear to be unique to cloud computing," says the document.

The open issues fall into five categories: computing performance, cloud reliability, economic goals, compliance and information security.

Among the computing performance issues cited by NIST is off-line data synchronization. When users lack network connectivity, documents and data won't synch with versions housed in the cloud--meaning version control and group collaboration become critical.

"For the cloud, reliability is broadly a function of the reliability of four individual components: (1) the hardware and software facilities offered by providers, (2) the provider's personnel, (3) connectivity to the subscribed services and (4) the consumer's personnel," says NIST. A problem in any one of those areas can have repercussions, note authors.

The economic goals of agencies entering into cloud agreements also require a number of considerations. The publication suggests further action is needed to standardize cloud service agreements. A service agreement template, "in a machine-readable format using common ontologies," could allow agreements to be partially reviewed mechanically, "thus reducing costs to consumers and increasing understanding into actual cloud service offerings," suggest report authors.

There are several information security issues that remain open with the cloud, but the sharing of resources is a top concern.

"For [infrastructure as a service] clouds, different VMs may share hardware via a hypervisor; for [platform as a service], different processes may share an operating system and supporting data and networking services; for [software as a service], different consumers may share the same application or database," says the publication.

All this sharing introduces the potential for flaws in logical separation, says NIST.

"For clouds that perform computations, mitigation can occur by limiting the kinds of data that are processed in the cloud or by contracting with providers for specialized isolation mechanisms such as the rental of entire computer systems rather than VMs (mono-tenancy), Virtual Private Networks (VPNs), segmented networks, or advanced access controls," says the publication.

Browser security is another concern with cloud technology. Authors note that many cloud applications use the end-user's browser as the graphical interface. But browsers often have security flaws.

"Whenever browsers are the access points to a cloud, building confidence that browsers have not been subverted is important," says NIST.

For more:
- download NIST Special Publication 800-146 (.pdf)

Related Articles:
FedRAMP JAB to name third party assessment organizations by May
Audio: Federal officials discuss progress on FedRAMP
McClure: Cloud services require acquisition officers to retool