
2011.02.25

NIST SP800-145, Draft Definition of Cloud Computing and SP800-144, Draft Guidelines on Security and Privacy in Public Cloud Computing

Hello, this is Mitsuhiko Maruyama. This post is about NIST's cloud-related reports (drafts):

SP800-145, Draft Definition of Cloud Computing
SP800-144, Draft Guidelines on Security and Privacy in Public Cloud Computing

SP800-145 is about changing the definition. It seems to have changed just a little.

The comment period runs until February 28.

 
■NIST
●SP800
・2011.01.28 SP800-145, Draft Definition of Cloud Computing

NIST SP 800-144 provides an overview of the security and privacy challenges for public cloud computing and gives recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment.
NIST SP 800-145 restates the existing NIST cloud computing definition as a formal NIST publication.

 ・・PDF

=====
Essential Characteristics:
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
=====


・2011.01.28 SP800-144, Draft Guidelines on Security and Privacy in Public Cloud Computing

NIST SP 800-144 provides an overview of the security and privacy challenges for public cloud computing and gives recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment.
NIST SP 800-145 restates the existing NIST cloud computing definition as a formal NIST publication.

 ・・PDF
=====
Executive Summary
1. Introduction
 1.1 Authority
 1.2 Purpose and Scope
 1.3 Audience
 1.4 Document Structure
2. Background
3. Public Cloud Services
 3.1 Service Agreements
 3.2 The Security Upside
 3.3 The Security Downside
4. Key Security and Privacy Issues
 4.1 Governance
 4.2 Compliance
 4.3 Trust
 4.4 Architecture
 4.5 Identity and Access Management
 4.6 Software Isolation
 4.7 Data Protection
 4.8 Availability
 4.9 Incident Response
 4.10 Summary of Recommendations
5. Public Cloud Outsourcing
 5.1 General Concerns
 5.2 Preliminary Activities
 5.3 Initiating and Coincident Activities
 5.4 Concluding Activities
 5.5 Summary of Recommendations
6. Conclusion
7. References
Appendix A—Acronyms
Appendix B—Online Resources
=====
