NIST has released Special Publication 800-144 (SP 800-144) as final. Perhaps the single biggest takeaway from the guide is that risk management has not changed fundamentally from non-cloud environments, but the devil may be in the details.
It lists the following benefits of transitioning to a public cloud.
Benefits
- Staff specialization
- Platform strength
- Resource availability
- Backup and recovery
- Mobile endpoints
- Data concentration
You might read that list and want to ask “yes, but what about all the Amazon outages or the high-profile breaches like Dreamhost…,” which is why they also wrote a “Security and Privacy Downside” section.
Risks
- System complexity
- Shared multi-tenant environment
- Internet-facing services
- Loss of control