美国政府发布关于云计算安全评估和授权的政策建议书
2010年11月2日,美国政府CIO委员会发布由CIO Vivek Kundra 签署的关于政府机构采用云计算的政府文件,文件阐述了美国政府对于云计算服务的基本立场和政策,分析了为什么需要考虑评估云计算、采用云计算带来了什么挑战、接下来政府、各机构、私营企业、业界等需要采用哪些行动等,并针对云计算的安全防护,以NIST和FISMA的相关安全标准和控制为基础,发布了征求意见稿。
文件首先指出采用云计算对于美国政府来说是风险也是机遇,机遇体现在更高的IT效率,成本方面的节省以及绿色计算等带来的环境保护。但是,要不要采用云计算不是一个基于技术的决定,而是基于风险的决定。因而需要政府、各机构谨慎评估云计算相关的安全风险,并与自己的安全需求进行比对分析。
Cloud Computing systems are hosted on large, multi-tenant infrastructures. This shared infrastructure provides the same boundaries and security protocols for each customer. In such an environment, completing the security assessment and authorization process separately by each customer is redundant. Instead, a government-wide risk and authorization program would enable providers and the program office to complete the security assessment and authorization process once and share the results with customer agencies.
文件建议由一个政府授权机构对云计算服务商进行统一的风险评估和授权认定,从而加速云计算的评估和采用,降低风险评估的费用。
个人以为,文件令人印象深刻的是开放性和坦诚,强调了这个评估和授权过程的透明,以及广泛参与的重要性。
The attached document is a product of 18 months of collaboration with State and Local Governments, Private Sector, NGO’s and Academia. This marks an early step toward our goal of deploying secure cloud computing services to improve performance and lower the cost of government operations, but we need to improve this document through your input.
该文件可以在此下载。
若干个“新闻”网站直接剪贴拷贝了这个新闻,没有任何链接声明,也没有和我联系。这里面包括tech.hexun.com, microvoip.com, d1com.com, cnsoftnews.com等等,简单google搜索就可以发现。再次鄙视这样的“网编”。
Totally I agree. That reflects the maturity of the government/organization operation. In the long run, it helps build the credit and advocacy from the community and industry.
this pdf looks nice.
It seems the ‘continous monitor’ appears everywhere in US’s documents, such as this, such as einstein.