Compliance Under a Cloud
- 25 February, 2010 11:33
There's no doubt that cloud computing is dominating today's IT conversation among C-level security executives. Whether lured by its promised cost savings or by other perceived advantages, security leaders are probing what the cloud can and cannot do for them. At the same time, security and compliance concerns remain the issues holding large enterprises back from capitalizing on the cloud's benefits.
Some of the most frequently asked questions include: Is using cloud computing services advisable for applications and data subject to compliance requirements? Is compliance in the cloud even possible? And what standards are already in place to avoid the stormier implications of the cloud?
Not surprisingly, any answer to these questions has to start with "it depends". Coming to a meaningful conclusion requires context: Is the cloud service public or private? Which service model is it? And which specific compliance requirements apply to the company? Only with those answers can one judge whether compliance can be achieved.
Blanket statements about compliance and the cloud aren't possible, because "the cloud" covers several distinct kinds of service, and vendors can build them differently for a single enterprise or for a group of customers. A recent National Institute of Standards and Technology (NIST) paper recognizes three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). NIST further describes four deployment models: private cloud, community cloud (shared among several organizations), public cloud and hybrid cloud (part private, part public or community).
The different service and deployment models allow varying degrees of customer control and place different security and compliance obligations on customers and service providers. In a private cloud, for example, the organization building it is free to apply whatever set of controls it sees fit. In public, community or hybrid clouds, the customer organization does not typically have that degree of control. Furthermore, the flexibility afforded the customer of an IaaS service is generally far greater than that of a SaaS customer, and with that flexibility comes a larger share of the responsibility for security and compliance: an IaaS customer typically owns the operating system, patching, configuration and application security of what it deploys, whereas in SaaS most of those controls belong to the provider and the customer is left mainly with identity, access and data-handling decisions.
While many of the benefits of cloud computing apply across the service models and deployment types, the ability of the various kinds of cloud computing to address security concerns and meet compliance obligations varies widely. For private clouds, it is comparatively straightforward to build the required controls into the cloud, because the organization controls the whole stack. For public cloud services, becoming compliant is a more challenging endeavor, because the customer can neither see nor change much of that stack.
Another significant consideration is the specific set of laws that affects an organization. Key compliance regulations such as HIPAA and the Gramm-Leach-Bliley Act require careful analysis of their specific requirements, along with a solid understanding of the security controls the cloud service provider actually has in place. Many public cloud service providers are not very transparent about those controls and give customers little detail on what is deployed.
Organizations considering cloud services should perform a gap analysis between the specific requirements identified in the relevant regulations and the set of controls the provider offers. For each requirement, record whether the control is delivered by the provider, remains the customer's responsibility, or is covered by neither, and what evidence (a contract clause, an audit report, a documented configuration) backs that answer; an unverified assurance is a gap, not a control. It is also worth noting that satisfying many compliance requirements means reassessing the control state of the cloud service at periodic intervals, not just at contract signing. Even performing vulnerability scans on public cloud services may be an issue: some cloud service contracts limit the customer's ability to do this, and providers commonly require prior written authorization before a customer scans hosted systems, so unannounced scanning may breach the acceptable-use policy rather than satisfy the auditor.
Using cloud computing services for data and applications subject to compliance regulations requires a high degree of transparency on the part of service providers. If you're considering these services, you need to think through which use cases make sense, closely review contracts and service-level agreements, and understand how the cloud service meets your compliance requirements. Insist on "right to audit" clauses and general transparency about the controls in use. Where a provider will not grant a direct audit right and offers a third-party audit report (such as a SAS 70 report) instead, check that the report's scope and test period actually cover the controls and the facilities your requirements depend on. Perhaps in the future cloud services will emerge that are tailored to the compliance requirements of specific industries, but for now: caveat emptor!
Jim Hietala is vice president of security for The Open Group. He is coleading development of compliance and audit content for the forthcoming Cloud Security Alliance Guidance Version 2.