NIST scientific or technical Public Working Groups bring together organizations actively engaged in the specific field of interest and consist of subject-matter experts who collaborate to determine best practices and to develop consensus standards. During the past decade, NIST has convened multi-disciplinary cloud computing working groups to take on specific challenges that impact the broad US Government adoption of complex cloud-based solutions that combine services from more than one cloud service provider (CSP). The change in technical operations and control dynamics for such solutions (in terms of ownership, management, and trust) with respect to IT resources poses new security challenges.
The NIST Multi-cloud Security Public Working Group (MCSPWG) is a subsidiary of the NIST Cloud Security public working group and will focus its research on particular cloud computing architectures, referred to as multi-cloud solutions, that connect services from more than one cloud service provider. The work will aim to:
The NIST Special Publication (SP) 800-145, published in 2011, describes the five essential characteristics of cloud systems, three service models (IaaS, PaaS, and SaaS), and four deployment models (public, private, community, and hybrid), which cannot sufficiently describe the complex cloud architectures being implemented nowadays.
Encouraged by the Cloud Smart Federal Computing Strategy to accelerate cloud adoption and modernize their IT infrastructures, federal agencies leverage cloud technology scalability and speed-to-market by expanding and diversifying their cloud portfolio to incorporate multi-party (multi-provider) cloud solutions. In adopting these multi-party cloud solutions, which can include services provided by multiple cloud service providers, often with support from third-party entities, organizations are faced with added security and privacy implementation challenges.
NIST calls on all its collaborators to join the Multi-Cloud Security Public Working Group (MCSPWG) to document the challenges and to research mitigations and best practices for secure deployment of multi-cloud service solutions.
The purpose of the Multi-Cloud Security Public Working Group (MCSPWG) is to provide a forum in which participants from the public, including private industry, the public sector, academia, and civil society, discuss the security and privacy risks of implementing and using multi-cloud services and research guidance and best practices for doing so. This MCSPWG Charter (“Charter”) outlines the purposes, organizational structure, administrative details, and the roles and responsibilities related to this working group.
The MCSPWG is a NIST Public Working Group. As such, formal recommendations from the MCSPWG will not be provided to the federal government.
The MCSPWG meetings are currently scheduled to occur bi-weekly. NIST reserves the right to change the frequency of the meetings to adjust to the project's needs. Additionally, the frequency can be adjusted by an agreement among MCSPWG's members.
If NIST deems it necessary, the Charter may be amended at any time without prior notice and the working group membership will be notified of the changes.
The MCSPWG Co-Chairs are responsible for the following:
The MCSPWG Team Leads are responsible for the following:
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to make participation in the MCSPWG a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
Examples of behavior that contributes to creating a positive environment include:
Examples of unacceptable behavior by participants include:
Co-Chairs are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at mcsec@nist.gov. The Co-Chairs will review and investigate all complaints and will respond in a way that they deem appropriate to the circumstances. The Co-Chairs are obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
MCSPWG leadership (co-chairs and team leads) who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by NIST.
This Code of Conduct is adapted from the Contributor Covenant, version 1.4, available at http://contributor-covenant.org/version/1/4
Security and Privacy: access authorization, access control, authentication, general security & privacy, privacy engineering, risk assessment, system authorization, systems security engineering, threats
Technologies: cloud & virtualization