One major concern with the adoption of cloud computing is the lack of a defined standard or standards that are specific to operations impacting security, interoperability & mobility within the Cloud ecosystem.

As most managers of security departments will attest to, there is a fine line between security and operations. While we as business managers want to ensure that we maximize the ROI on our operational investments and ensure that availability is paramount  for our users, we do not want to do so at the expense of our security measures, policies and protocols.

On the other hand we do not want to lock down a system providing maximum security, but to such an extent that there is a degradation in availability - thus negatively impacting operations and our revenue stream by extension.

In the traditional IT Security/Operational world we balance tools and metrics from ITIL and ISO 27001 with that of ISO 27002, COBIT and TOGAF for instance.These to integrate with requirements from FISMA, HIPAA,SOX 404, SAS 70 -2, GLBA etc; but what happens in the cloud ecosystem when we are placing assets in care of a provider who may have systems distributed internationally?  How does all of this fit into the management of risk, governance and compliance of a multinationally distributed system?

IT Scientists at NIST in an attempt to address this gap impacting standards and levels of uncertainty that follows the adoption of related new technologies, proposed SAJAAC.

SAJAAC aims is to initiate the process of hammering out a standard that focuses on "strategy, process and protocol" while reduce the uncertainty which is following the lack of standards within the cloud arena.

NIST in its focus on cloud adoption, believes that" by validating key cloud specifications & sharing information," enterprises can "build confidence in cloud computing technology in the interim before formalized standards are available."

SAJAAC is represented by Scientists at NIST as follows:

Source - Overview: NIST Cloud Computing Effort presented by Dawn Leaf : May 20^th 2010.

As shown in the schematic, there is a NIST hosted portal which is publicly accessible; its aim is to catalyze verifiable information as it is exchanged. Then there is an area of specifications and use cases with ongoing contributions from cloud computing stakeholders based within the areas of industry, academia, and government.

These use cases will be published on the portal and available publicly after a period of vetting and improvements;they will focus on interpreting "requirements in the form of behavioral scenarios which describe the interaction between people and computer systems."

The purpose of these scenarios is to ensure that aspects of portability, interoperability, and security are met for cloud computing end users.

SAJAAC's implementation will act as a key provider of data which will be included in a special publication on cloud computing that scientists at NIST are currently working on.

The advantage of this model, is it's openness to input and collaboration from industry and other relevant avenues, its ongoing parameters and its objectivity.

In closing one question still needs to be addressed which is; Will an addendum to 18 USC 1030 or the UK computer misuse act be crafted to prosecute a cracker who infiltrates our assets held in a cloud located in an area that may fall outside the FBI's jurisdiction or warrant no cooperation from a foreign government?

References

1.NIST Cloud Computing

http://csrc.nist.gov/groups/SNS/cloud-computing/

2.State Of Public Sector Cloud Computing

http://www.cio.gov/documents/StateOfPublicSectorCloudComputing.pdf

3.Overview: NIST Cloud Computing Effort presented by Dawn Leaf : May 20^th 2010.

• Vivek Kundra - State of Public Sector Cloud Computing
• Introducing Cloud Computing: A Gentle Overview
• IEEE to Participate in White House Led Cloud Computing Strategy Discussion
• Seemingly Slow Adoption of Cloud