In the current economic climate, many of today's organizations are facing aggressive cost-cutting and efficiency pressures that are driving businesses to consider cloud sourcing. While many properties of cloud services,
One reason behind this clash is the implication that the "cloud" is omnipresent and accessible from anywhere. A cloud service may well be accessible from anywhere, but it is far from omnipresent. Forrester Research Inc. recently found that many Infrastructure as a Service (IaaS) clouds follow a traditional IT outsourcing model: they provision services from specific data centers in specific geographic regions. True global clouds exist (Google, for example), but in the Software as a Service (SaaS) segment many vendors deliver global services from what are ultimately local clouds.
So why does a cloud service's point of origin matter? First, regulations affect cloud operations, so users of a localized cloud may find their goals at odds with the local laws and regulations that govern the cloud's operation. Second, true geographic diversity, and the high availability that comes with it, requires a global footprint. If a cloud operation is restricted to a single location or a small set of locations, it cannot offer geographic diversity, and a regional outage or disaster takes the service down with it, so in the final analysis it cannot offer high availability either.
Most importantly, location matters for compliance: if you don't know where your cloud provider's data centers are, or where your data is, you have no way to evaluate whether that data is subject to local laws and regulations that conflict with your data privacy obligations. With the exception of the new HITECH Act, which extends HIPAA obligations to business associates, few U.S. laws and regulations specifically address the role of a service provider. That means if the compliance goal is missed, it is you and not the service provider who ends up in court. If you don't know where your data resides, it's time to find out.
The economics of the cloud dictate that data and applications are decoupled from infrastructure operations. It's this very decoupling that produces tremendous operational and business efficiency, while putting security and compliance at odds with those efficiency goals. Instead of waiting for the cloud industry to step up its support for regulatory compliance, security professionals need to look beyond their providers for compensating controls that make cloud sourcing viable. Here are a few to consider:
- Cleanse or anonymize private data whenever you can: Not all data needs to live in the cloud in clear text. Cleansing or anonymizing private data before it leaves your premises may be the cheapest way of attaining privacy control, so always consider this option first.
- Use cloud-independent encryption: As with implementing HIPAA on IaaS, encryption can protect data and applications without relying on the cloud provider. Emerging technologies that encrypt virtual machines or data in the cloud while the customer holds the key have tremendous promise for data protection in the cloud. The control only works if the key material stays outside the provider's administrative reach; a key the provider stores or can fetch on your behalf leaves the provider able to read the data.
- Pay more for higher confidence: If a provider doesn't currently offer a specific control that's essential to achieving compliance, work with the provider to gauge the possibility of adding it. Sometimes all it takes is a higher service price. Point out that the additional control can generate revenue from other clients and give the provider a competitive benefit.
- Use a hosted private cloud: A hosted private cloud is cloud infrastructure dedicated to one customer but hosted by a third party, with utility pricing, access via standard Internet protocols and automated workload distribution. Because the infrastructure is dedicated to your organization, you can impose stringent security and privacy policies, and even have the infrastructure certified by auditors for compliance purposes. A hosted private cloud requires a heftier upfront investment than a public cloud, but it offers better control than a public cloud and lower ongoing operational overhead than an on-premises private cloud.
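As an added example, not from the original article, here is what the first control looks like in code: cleansing and pseudonymizing a record before it leaves the premises, with the key and the re-identification table held by the customer. The same customer-held-key principle is what the second control asks of encryption. It uses only the Python standard library; the sample record, field names and per-field policy are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, List


# Constructed sample record of the kind a billing system might hand to a
# cloud analytics service. Every value is made up.
SAMPLE_RECORD: Dict[str, Any] = {
    "patient_id": "P-10042",
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "zip": "94110",
    "diagnosis_code": "E11.9",
    "visit_cost": 412.50,
    "clinician_notes": "follow-up in six weeks",  # deliberately absent from POLICY
}

# Per-field policy set by the data owner, not by the provider (hypothetical
# action names). Fields missing from the policy are dropped: default deny.
#   drop         never leaves the premises
#   keep         non-identifying, needed by the cloud workload
#   mask_last4   partial value only (e.g. last four digits of an SSN)
#   truncate3    first three characters only (ZIP-style generalization)
#   pseudonymize keyed token: joinable in the cloud, reversible only on-prem
POLICY: Dict[str, str] = {
    "patient_id": "pseudonymize",
    "name": "drop",
    "ssn": "mask_last4",
    "email": "pseudonymize",
    "zip": "truncate3",
    "diagnosis_code": "keep",
    "visit_cost": "keep",
}


class OnPremVault:
    """Customer-held tokenization vault.

    The HMAC key and the token -> value map stay in the customer's own
    environment; the cloud only ever sees tokens.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use at least a 256-bit key")
        self._key = key
        self._map: Dict[str, str] = {}

    def tokenize(self, field: str, value: str) -> str:
        # Keyed and deterministic: the same value always yields the same
        # token, so joins and counts still work in the cloud. Without the key
        # an attacker cannot recompute tokens from guessed inputs, unlike a
        # bare SHA-256 of an SSN, which is trivially brute-forced. The field
        # name is mixed in so the same string in two fields gets two tokens.
        msg = f"{field}\x00{value}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]
        token = f"tok_{field}_{digest}"
        self._map[token] = value
        return token

    def resolve(self, token: str) -> str:
        """Re-identify a token; only possible where the vault lives."""
        return self._map[token]


def sanitize(record: Dict[str, Any], policy: Dict[str, str],
             vault: OnPremVault) -> Dict[str, Any]:
    """Apply the per-field policy and return the copy that may go to the cloud."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        action = policy.get(field, "drop")
        if action == "drop":
            continue
        text = str(value)
        if action == "keep":
            out[field] = value
        elif action == "mask_last4":
            # keep separators so the format stays recognizable: ***-**-6789
            out[field] = "".join(c if c == "-" else "*" for c in text[:-4]) + text[-4:]
        elif action == "truncate3":
            out[field] = text[:3]
        elif action == "pseudonymize":
            out[field] = vault.tokenize(field, text)
        else:
            raise ValueError(f"unknown policy action {action!r} for field {field!r}")
    return out


def leaked_fields(record: Dict[str, Any], policy: Dict[str, str],
                  sanitized: Dict[str, Any]) -> List[str]:
    """Fields whose original value still appears verbatim in the cloud copy.

    Run this as a pre-upload check; anything other than an empty list means
    the policy or the sanitizer is wrong.
    """
    blob = " ".join(str(v) for v in sanitized.values())
    return [f for f, v in record.items()
            if policy.get(f, "drop") != "keep" and str(v) in blob]


if __name__ == "__main__":
    vault = OnPremVault(secrets.token_bytes(32))  # key never leaves the premises
    cloud_copy = sanitize(SAMPLE_RECORD, POLICY, vault)
    print("cloud copy:", cloud_copy)
    print("leaked fields:", leaked_fields(SAMPLE_RECORD, POLICY, cloud_copy))
    print("re-identified on-prem:", vault.resolve(cloud_copy["email"]))
```

The vault is an in-memory dictionary here; in practice it is a database on your side of the boundary, and the HMAC key is rotated and protected like any other secret. The pre-upload `leaked_fields` check is the part worth keeping even if the rest is replaced by a commercial tokenization product.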
Whatever the control, it is ultimately the security professional's responsibility to attain cloud compliance. In the long term, compliance support and effectiveness will become differentiators in the cloud service industry and will likely help drive adoption further, because cloud providers can spread the cost of compliance support over many clients while running more efficient processes, which makes the additional investment worthwhile.
About the author:
Chenxi Wang is a principal analyst at Forrester Research, where she serves security & risk professionals. She is a leading expert on content security, application security and vulnerability management.
This was first published in November 2010