The National Institute of Standards and Technology is responsible for guiding the adoption of cloud computing throughout the federal government.
NIST researchers wrote the widely recognized definition of cloud computing and in 2014 published the first volume of the U.S. Government Cloud Computing Technology Roadmap, “High-Priority Requirements to Further USG Agency Cloud Computing Adoption.”
For those involved in choosing cloud services, we offer the following tips to help find the cloud-based tools and resources that will best fit your agency’s or department’s needs.
Compare any cloud service with NIST’s definition, which spells out five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity or agility, and measured service.
The government also requires security, interoperability and portability protocols to be in place before an agency or department can move forward with the adoption of cloud-based services (check out the recently published Cloud Computing Roadmap to learn more).
Remember that people play crucial roles in successful cloud adoption. Customers must develop the business and technical requirements. Procurement officials prepare the contract language and work with vendors to ensure that the proper enforcement mechanisms are in place. The IT security team should be involved too.
A common language and set of definitions for use by all participants, as outlined in the 2011 “NIST Cloud Computing Reference Architecture,” is an absolute necessity. The language agreed upon in procurement is the ultimate arbiter for contract enforcement and deliverables.
Obtain accurate comparisons of the services vendors provide. Any description of services requires verification. For instance, vendors may say that their cloud availability is 99.9 percent, but that could mean availability from 9 to 5 in your time zone, in the vendor’s time zone, or with the exception of downtime.
Service-level agreements inform the customer how much of a particular cloud service attribute will be delivered under the contract. Both the customer and vendor are responsible for producing a clear SLA. That requires use of the common language described in the cloud roadmap and attention to the most relevant services.
A critical but often ignored part of procuring cloud services is discussion of how a customer will receive data back from the provider when a contract ends. The provider may not be able to return data in its original form or in any usable way. Have this discussion before any agreement is reached.