September 15, 2010 at 2:47 pm #110867
Title: Guidelines for Secure Use of Cloud Computing by Federal Departments and Agencies
This document is intended as guidance for federal system owners considering cloud computing capabilities as an alternative to traditional server-client system models. Any federal agency officials considering embracing cloud computing capabilities should review these guidelines to familiarize themselves with the advantages, opportunities, risks and challenges in the current federal cloud computing environment.
The ability to embrace cloud computing capabilities for federal departments and agencies brings advantages and opportunities for increased efficiencies, cost savings, and green computing technologies. However, cloud computing also brings increased risks and challenges to securely use cloud computing capabilities as good stewards of government data. This document presents a set of guidelines and recommendations for using cloud computing technologies in a manner that minimizes risk.
Cloud computing is not a single capability, but a collection of essential characteristics that are manifested through various types of technology deployment and service models. A wide range of technologies fall under the title “cloud computing”, and the complexity of their various implementations may result in confusion among program managers. These guidelines embrace a subset of the NIST definition of cloud computing, with three service models (SaaS, PaaS, and IaaS) and two delivery models (Public and government dedicated Private Clouds).
The decision to embrace cloud computing technology is a risk-based decision, not a technology-based decision. The goal of this document is to help federal program managers create a strong, secure business case for embracing the appropriate type of cloud computing capability commensurate with their level of acceptable risk. The decision to embrace cloud computing is a business decision, and comes from a risk management process made by the management team with inputs from all players, including the CIO, CISO, Office of General Counsel (OGC), privacy official and the program owner.