Q&A: Forrester's Chenxi Wang discusses cloud compliance
Date: Sep 24, 2010

While some organizations have been eagerly exploring the potential IT cost savings that cloud computing offers, excitement has been tempered by the compliance challenges that cloud services bring.
In this interview at the recent Forrester Research Security Forum 2010, Chenxi Wang, principal analyst with Forrester, discusses her recent research report, "Compliance with Clouds: Caveat Emptor" and the issues involved with maintaining compliance with PCI, SOX and HIPAA and using cloud-based services.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.
Eric Parizo: Chenxi Wang, Principal Analyst at Forrester Research. Thank you so much for your time today.
Chenxi Wang: Thank you.
Eric Parizo: First question for you. In your recent Forrester Research report, 'Compliance with Clouds: Caveat Emptor,' you write, 'Leveraging the benefits of the cloud and maintaining compliance can be at odds.'
Chenxi Wang: Right.
Eric Parizo: Is that an understatement?
Chenxi Wang: No, I think it is an accurate statement. They do not necessarily have to be at odds, but they can be at odds with each other.
Eric Parizo: To debunk the fight out there, is it possible for an enterprise to allow its data to live in an externally hosted environment outside of its direct control without necessarily putting its compliance program in jeopardy?
Chenxi Wang: It is possible, yes.
Eric Parizo: Why is that?
Chenxi Wang: If you are able to gain enough visibility of the controls in a hosting provider or a cloud provider, is during the inside of an infrastructure, and if you are able to understand whether that level of controls is sufficient for your compliance needs, and if you can evaluate that, then you can say whether this meets my compliance needs or not. There could be cases where it does meet your compliance needs.
Eric Parizo: Experts generally classify cloud-based services into three platforms: platform services, infrastructure services, and application services. Does each type uniquely affect compliance efforts?
Chenxi Wang: They do.
Eric Parizo: How so?
Chenxi Wang: At each level of infrastructure-as-a-service, the user of the service would have more control over the configuration of the VM, and the application that is handling the data is typically under the control of the user. When you go up the stack, when you go to application service, which is SaaS, the user has very little control because the application lives in the Cloud; the application is the IP of the service provider versus the user. So as you go up the stack from infrastructure service to application service, the user has less control; hence, you will have to trust your provider even more, so they have different implications.
Eric Parizo: Your report specifically addresses cloud compliance with PCI, GSS, HIPAA, SOX, a couple of other compliance mandates. In brief, what are the top standard-specific cloud compliance issues that stand out?
Chenxi Wang: The first issue is, am I going to be compliant when I contract with this cloud provider? That is the ultimate question. If you are non-compliant, then you have a decision to make. Do I still want to go with cloud? Maybe not; maybe I should just walk away and do whatever I am doing now and continue to do that. Or, if your business really wants to go to the cloud, leveraging the benefits of the cloud, yet it poses a risk to your compliance requirements, so what do you do? As an IT guy, maybe you should look to alternative controls that you can do independent of the cloud provider, independent of the cloud infrastructure, so that you can enable your business to use a cloud but still meet your compliance requirements.
For instance, if the business wants to store certain regulated data in the cloud, leveraging storage as a service, you can pre-encrypt the data if it is PHI or PII regulated. You can pre-encrypt the data, hold on to the key, and put the data in the cloud. That will enable you, in some scenarios, to actually use the cloud and meet your compliance requirements. That is where the examination has to fall.
Eric Parizo: When an enterprise considers a cloud vendor or provider, are there signs to look for or questions to ask to ensure the vendor or provider will help support that company's compliance issues?
Chenxi Wang: Yes. Typically, certain providers are really conscientious about security issues, and those are the providers that you want to go with, obviously, aside from the functionality evaluation. When you go talk to those providers who really understand security questions and also advise on the security criteria that you thought of, in fact, some of them will even say, 'Have you thought about this? Have you thought about this?' because they have dealt with a lot of customers. They know what the typical security requirements are. Also, some providers have gone through fairly stringent external evaluations.
For instance, ISO 27001 is a pretty stringent standards evaluation. So if they have gone through that, which is information security controls, you can look at all the reports and you have some level of sense of how well they do certain of these operational controls. The third sign of a good Cloud provider is that they have good reference accounts: people in your industry, people who are your peers, people who are maybe bigger than you, who have similar security, privacy, and compliance requirements, are using this Cloud provider. It is not 100% true that these other peers have gone through the compliance questionnaire, but maybe they have done, at least, some level of evaluations. Some good reference accounts are another good sign that this Cloud provider may be, at least, security aware, security conscientious.
Eric Parizo: I would imagine that is a big red flag if an organization provider will not offer those sorts of reference customers.
Chenxi Wang: Yes. I do not know about whether that is a red flag, per se. When you do have good reference customers, it is a good sign, but without it, sometimes it could mean they do have those customers, but those customers do not consent that they be used publicly for those reasons. It is not necessarily a red flag, but it is certainly not a positive sign.
Eric Parizo: For companies that are farther down the road and have already decided on a provider and/or perhaps are thinking about negotiating a potential contract with a cloud services provider, what are some key examples of elements that need to be in that contract?
Chenxi Wang: There is a long list of things . . .
Eric Parizo: What are the highlights?
Chenxi Wang: That need to be in that contract. The highlights would be, what type of visibility do I have as a user? Would I get to see, would I know if something goes wrong? What happens when the contract ends, the end-of-contract support, or can I move my data that lives in your cloud very easily to a different provider? Are you going to package up my data in some way that I can easily move it? Are you going to erase my data, all the copies, from your infrastructure? Are you going to be able to give me any service level guarantees of availability, and how available are your services going to be, those performance levels, those key performance indexes that you want to put in the contract? What happens if the provider fails to meet the service level, performance level? Is there going to be any recourse action that I can take in the form of maybe service credit or an early exit from the contract?
All of these things have to be put in. End of contract. What happens if something goes wrong? How do I tell if things are going right? Let us see, what are the other highlights? I think we covered most of it.
Eric Parizo: Finally, looking forward, over the next three to five years, how do you see Cloud services and the enterprises' use of cloud services evolving? Are there any security-related or compliance-related issues on the horizon that you see as potentially causing more trouble?
Chenxi Wang: I do not know about potentially causing more trouble, but I think we are definitely going to see more providers will use security compliance as a differentiator. In the early stage of the industry, you are differentiating on what services you offer, the functionality you provide, but when there are more and more people coming into the industry sector, your differentiation is going to diminish, so you differentiate on the other abilities. Things like how secure is my service? How much protection can I provide for your data, and whether I can meet your compliance requirements. We expect to see more and more companies will be offering compliance-ready infrastructure and services, so users will have more places to go, or even to outsource regulated data and regulated work requirements.
I think the landscape will change in a way that is beneficial to users versus causing more problems. Companies are also becoming more sophisticated about using the cloud. I am aware of a number of large organizations; they now have established a central governance of cloud usage. Instead of some guy in some business department deciding to use a credit card and go to Amazon and outsource some workloads, now you have to go through an internal approval process. That approval process will actually vet the vendor, whether this is a good cloud provider to use versus the other one. The process is getting a little bit more mature and more sophisticated. I think on both ends, from the provider and the user end, we are seeing a matured increase.
Eric Parizo: Almost like a more conservative cloud governance effort internally, if you will.
Chenxi Wang: Yes. I hate to use cloud governance, because I think it is a really broad term, but yes.
Eric Parizo: All right. Very good. That is a positive note to end on.
Chenxi Wang: That is a very positive note.
Eric Parizo: Chenxi Wang, Principal Analyst at Forrester Research. Thank you so much.