A: My last FAQ introduced NIST's recent SP 800-144, "Guidelines on Security and Privacy in Public Cloud Computing." The document is written primarily for federal agencies that want to outsource data and applications to cloud providers, but its contents are just as handy for private sector IT organizations looking for a formalized approach.
Chapter 5 contains one particularly useful section for private sector IT. Table 2 in that chapter breaks a cloud outsourcing engagement into three sets of activities (preliminary, initiating and coincident, and concluding) and lists the precautions for each. Keep them in mind as you consider moving to (or out of) the cloud:
Preliminary Activities
Identify the security, privacy, and other organizational requirements that cloud services must meet, and use them as the criteria for selecting a cloud provider.
Perform a risk assessment, analyzing the security and privacy controls of the cloud provider's environment against the organization's own control objectives.
Evaluate the cloud provider's ability and commitment to deliver the cloud services over the target timeframe and to meet the security and privacy levels stipulated.
Initiating and Coincident Activities
Ensure that all contractual requirements are explicitly recorded in the SLA, including privacy and security provisions, and that they're endorsed by the cloud provider.
Involve a legal advisor in the negotiation and review of the terms of service of the SLA.
Continually assess the performance of the cloud provider and the quality of the services provisioned to ensure that all contract obligations are being met.
Concluding Activities
Alert the cloud provider to any contractual requirements that must be observed upon termination.
Revoke all physical and electronic access rights assigned to the cloud provider and recover physical tokens and badges in a timely manner.
Ensure that resources made available to the cloud provider under the SLA are returned in a usable form, and confirm with evidence that your information has been properly expunged from the provider's systems.