(PDF Link) VMWare, RSA and Intel run a Cloud Security Proof of Concept for NIST

Here’s a really interesting PDF from NIST on securing workloads in the cloud. The PDF describes a proof of concept (POC) carried out with VMware, RSA and Intel. The POC focuses on testing geolocation in the cloud for the purpose of constraining the physical location of a server that a workload can be moved to, for security or compliance reasons.

The principles of the POC are quoted from the PDF as:

  1. Create a part of the cloud to meet the specific and varying security requirements of users.
  2. Control access to that cloud so that the right applications get deployed there.
  3. Enable audits of that portion of the cloud so that users can verify compliance.


The Chartered Institute for IT and Cloud Governance

I’ve been communicating with a number of standards organisations on the status of Cloud Governance in different jurisdictions. With the portability of cloud workloads, the governance model should be handled on a global level and the standards institutions are moving quickly to set up a framework with a number of national and global bodies.

One of the most interesting pieces of work I have been sent is from the Chartered Institute for IT. The document sent to me (PDF linked here) is a response to questions raised by the European Commission for Cloud Computing in 2011.

I’ve pulled out some quotes from the document that have provided me some food for thought.

The cloud concept is straightforward and the potential cost benefits are staggering, yet progress has been hindered by the ability of society need for reassurance to embrace new business models and commercial software suppliers to operate in a truly multinational domain

In response to a question on the rights and responsibilities of both user and provider.

User confidence and awareness will improve through the demonstration of workable/scalable multi-tenancy clouds used by multiple organisations. The deployment of the eGovernment and eScience infrastructures will provide examples of best practice, as well as help potential users and providers to identify potential obstacles when using cloud.

In response to a question on the role of eGovernment in the cloud.

… standard ratified models and agreements covering the different aspects of delivery and various levels of cover should be incorporated into the cloud strategy. These standards would mean that it would be up to the user and provider to agree which they want/need to apply to the particular service they are procuring/providing.
… standard flow down models and agreements that would enable a user to have the confidence that they are fully covered if they procure a service from a third party
… the presence of pro forma (pre-agreed) data transfer and ownership agreements that stand up to EU legislation. This would help to remove one of the key barriers to cloud adoption and therefore should be included in the final version of the strategy.

In response to a question on cloud governance requirements.

The Institute believes that for cloud to become a success then efforts will need to be made to encourage confidence among users. Cloud computing has long been criticised as limiting the freedom of users and making them dependent on the cloud computing provider. Users will need to be reassured that they are not going to get locked into services which are not flexible to meet changes within their business.

In response to a question on the limitations of cloud computing today.

The PDF is well worth a read and I really hope to see some of the recommendations made in the document come into practice.


Data Privacy Regulations in the Middle East – Saudi Arabia

This is part of a series of posts, each one focusing on a specific country in the Middle East and Africa, discussing the current state of laws and regulations around the cloud. Today we’ll be taking a look at the Kingdom of Saudi Arabia.

As with the previous post I will be analysing the available information against six “Cloud Governance Concerns”:

  1. Can I store and process personal data and are there any requirements for me to be able to do so?
  2. Can I move personal data between different jurisdictions?
  3. Do I need to comply with any requests from individuals that own the data?
  4. Do I have to comply with requests to disclose personal data from other entities?
  5. How am I liable if data loss occurs?
  6. How long do I have to keep data?

