Cloud computing seems simple in concept, and indeed, simplicity of operation, deployment and licensing are its most appealing assets. But when it comes to questions of compliance, once you scratch the surface you'll find more questions than you asked in the first place, and more to think about than ever before.
Compliance covers a lot of ground, from government regulations such as Sarbanes-Oxley and the European Union Data Protection Act, to industry regulations such as PCI DSS for payment cards and HIPAA for health data. You may have internal controls in place, but moving to a public-cloud infrastructure platform, a cloud-based application suite or something in between will mean giving up some controls to the cloud vendor.
That's a position many auditors -- and CIOs and CEOs -- find themselves in today. They want to know how to leap into cloud computing in a way that preserves their good standing in regulatory compliance. Here are four tips for keeping tabs on compliance in the cloud, from analysts, vendors and consultants.
1. Be aware of new challenges the cloud may add to your IT workload.
When you evaluate cloud vendors, start by looking for sound practices and strategies for user identity and access management, data protection and incident response. These are baseline compliance requirements. Then, as you map specific compliance requirements to your prospective cloud vendor's controls, you'll likely face some cloud-specific challenges.
Data location is one. The EU Data Protection Act, for example, strives to keep personal information within the European Union. To comply, your cloud vendor should keep your European customer data on servers located in Europe.
Multi-tenancy and de-provisioning also pose challenges. Public cloud providers use multi-tenancy to optimize server workloads and keep costs down. But multi-tenancy means you're sharing server space with other businesses, so you should know what safeguards your cloud provider has in place to prevent any compromise. Depending on how critical your data is, you may also want to use encryption. HIPAA, for example, requires that all user data, both moving and at rest, be encrypted.
User de-provisioning is an issue that will become more challenging as password-authentication methods grow in complexity and volume. Federated identity management schemes will make it easier for users to log on to multiple clouds, and that will make de-provisioning much trickier.
"When an employee leaves the company, what you'd like is to push a button and that person gets de-provisioned from their Windows account and any internal enterprise applications, their mobile phone gets wiped of corporate information, and they're blocked from the company's SaaS applications, " says Tom Kemp, CEO of Centrify, a provider of identity management and compliance tools. Today, automated de-provisioning can't span both cloud and on-premise systems, he says.
2. Track the fast-changing standards landscape.
Like it or not, you're an early adopter. Your decisions about what applications to move to the cloud and when to move them will benefit from an understanding of new and/or modified standards that are now evolving for cloud computing.
Today you can look for SAS 70 Type II and ISO 27001 certifications for general compliance with controls for financial and information security typically required by government and industry regulations, but these don't guarantee that your company's processes will comply.
"Standards like ISO 27001 and SAS 70 are helpful but they're point-in-time," says Jonathan Penn, VP and principle analyst for Forrester Research. "And they aren't very specific when it comes to data security, identity management, administrator controls - things like that. What we need is more visibility to the users about what's going on. Right now it's basically a big black box."
Bringing visibility to users is a major goal of the Cloud Security Alliance, a three-year-old organization fast gaining popularity among users, auditors and service providers. A major goal of the CSA is development of standardized auditing frameworks to facilitate communication between users and cloud vendors.
Well underway, for example, is a governance, risk and compliance (GRC) standards suite, or stack, with four main elements: the Cloud Trust Protocol, Cloud Audit, Consensus Assessments Initiative and the Cloud Controls Matrix. The Cloud Controls Matrix includes a spreadsheet that maps basic requirements for major standards to their IT control areas, such as "Human Resources - Employment Termination," while the Consensus Assessments Initiative offers a detailed questionnaire that maps those control areas to specific questions that users and auditors can ask cloud vendors.
Efforts of the CSA and other alliances, plus those of industry groups and government agencies, are bound to produce a wealth of standards in the next several years. The CSA has formal alliances with ISO, ITU and NIST, so that its developments can be used by those groups as contributions to standards they're working on. And a 2010 Forrester Research report counted 48 industry groups working on security-related standards in late 2010.
3. Take care with the SLA.
Regardless of your company's size or status, don't assume your cloud vendor's standard terms and conditions will fit your requirements. Start your due diligence by examining the vendor's contract.
That's the advice of Michael Larner, an attorney with Hogan Lovells, an international law firm with experience in cloud compliance and security issues. Larner, who often helps clients negotiate service level agreements, says to start with your own risk-benefit analysis to see if the vendor's standard contract is sufficient for your compliance needs. If not, determine what you need to negotiate to increase your comfort level.
Your company's size can give you leverage to negotiate, but a smaller business can find leverage, too, if it represents a new industry for a cloud vendor that wants to expand its market. In any case, don't be afraid to negotiate.
"With too many companies there's an assumption if you're dealing with a large vendor that the vendor won't negotiate. In fact, you might find that the vendor is willing to make some exceptions to raise your comfort level," Larner says.
If you're new to the cloud, you may find that starting out on a pilot basis, or with non-critical data, is a good way to build confidence, he says.
But due diligence doesn't end with a comprehensive SLA. Nirav Mehta, RSA's director of corporate strategy for cloud computing, says you've still got to watch the vendor closely. "You may have a good SLA, but if the vendor's cloud goes down, what happens to business continuity?" Mehta sees a day when the best strategy might be to use multiple clouds for backup assurance.
4. Make security a priority.
To best understand your potential risk, as well as your benefits, you should bring your security team into the conversation at the earliest possible opportunity, says Forrester's Penn.
"That way, security and compliance issues are brought up in the right context," he says. "It's important that business executives understand the security issues and can weigh the levels of risk against the budget they'll provide to mitigate some of those risks."
Moving to the cloud may offer an opportunity to align security with corporate goals in a more permanent way by formalizing the risk-assessment function in a security committee. The committee can help assess risk and make budget proposals to fit your business strategy.
You should also pay attention to the security innovations coming from the numerous security services and vendor partnerships now growing up around the cloud. Dome9, an Amazon partner, solves a cloud-specific technical problem -- closing secure-shell (SSH) and other ports of your cloud-based servers when they're not in use, so an attacker who's already gained access to the cloud can't get in.
"In the enterprise, these tend to stay open by default," says Dave Meizlik, marketing VP for Dome9. "But in the cloud, you'd want them closed when you're not working, and you can't rely on calling the cloud provider every time you get off your server."
Cloud computing may pose some risks, but they'll likely diminish as security innovations catch up. Even today, according to Forrester's Penn, "The security issues with cloud services don't worry most enterprise security teams as much as other IT trends, such as smartphone or social media proliferation. Ultimately, the security issue will be a speed bump, not a show-stopper, for cloud adoption."
Jim Buchanan is a technology writer in Millis, MA. Contact him at firstname.lastname@example.org.