Enterprises are under more regulatory pressure than ever with federal laws such as SOX and HIPAA, state data protection mandates, and industry requirements such as PCI DSS. Maintaining compliance with all these rules is always a challenge, but can be even more complicated in a cloud computing environment.
“The cost benefits for cloud service providers come from the ability to scale multiple clients across shared resources. This can make compliance difficult as regulations often require encryption, auditing and data separation, which increase hardware requirements and limits resource sharing,” said Joseph Granneman, an information security professional with experience in the financial and health care industries. “These additional requirements may increase the cost of the cloud solution to the point where it is no longer a good business decision.”
According to the TechTarget Security Media Group Cloud Security Survey, 61% of 1,091 respondents cited regulatory compliance/audit as a top security concern with cloud computing. Forty percent said demonstrating compliance with any mandates is their top cloud compliance concern and 28% said meeting industry specific mandates such as PCI and HIPAA is a major concern, while 19% cited SOX compliance.
The survey also revealed that security professionals are worried about data protection and cloud encryption, and are leaning towards the Software as a Service cloud service delivery model and the private cloud service deployment model.
Cloud compliance and audit issues
Health care companies, particularly hospitals, aren’t jumping wholesale into cloud computing because of concerns about HIPAA compliance, said Chris Witt, CEO of WAKE TSI, a West Chester, Pa.-based IT services provider specializing in architecture and engineering services that works with health care organizations.
“It boils down to who has access to your data, who can see it,” he said. “You’ve got your data in this cloud; you don’t know where it is physically located. It could be located in more than one spot.”
With a co-location or managed service provider, the questions of who has access, data location and data backups are easy to answer, but “you don’t necessarily have that same visibility in the cloud world because it is so virtual,’ Witt added.
William Wong, a technologist at a large insurance company, said cloud service providers often will provide a SAS 70 Type II certification as proof of their security. “That just says you went to a third party who verified you have these controls in place. It doesn’t measure how effective those controls are,” he said.
Enterprise customers want to verify the controls are effective, but when they ask if they can review the controls, cloud providers will counter that they can’t let everyone review their processes, Wong added.
Granneman said there are cloud service providers that understand the requirements of compliance and are still cost effective. “The key is to fully investigate the capabilities of the cloud service provider before signing the contract,” he said.
Cloud encryption problems
When asked to choose two security operations they’re most concerned about operating in the cloud, 68% of survey participants cited data protection/encryption. Forty-five percent said they’re concerned about identity management/access control and 25% cited application security.
Wong said a VPN provides encryption for data in transit to a cloud provider, but the problem is with encrypting data at rest on the remote side. “You lose a lot of the potential advantages that you’d be using a cloud for,” he said. “That’s where the tricky part comes.”
Phil Agcaoili, a co-founding member of the Cloud Security Alliance and co-author of the Cloud Controls Matrix (CCM), said data classification is a prerequisite for encryption, but the lack of industry-specific data classification and data governance standards remains a problem for the cloud. Companies all have their own methods for identifying confidential data, he said.
However, he said he was surprised about the survey results on identity management and access control. “Why aren’t people exploring Open Identity Exchange and Open ID? Those are industry consortiums that have picked up good momentum and federation is there in the cloud already,” he said.
Cloud delivery and deployment models
Eighty percent of survey participants said the cloud service delivery model they’re most likely or somewhat likely to use is SaaS. Seventy-four percent said Platform as a Service was their most likely or somewhat likely choice, while 64% favored Infrastructure as a Service.
“We’re definitely seeing [SaaS] as a sort of gateway drug to cloud. Businesses will generally test the waters by moving one granular bit of business function -- something that’s non-critical -- to SaaS and see how it works and whether they’re comfortable enough to move other business functions to the cloud,” said Wendy Nather, senior analyst in the enterprise security practice at The 451 Group.
Companies might be shying away from the IaaS model because “there are fewer layers of the stack being provided and the enterprise remains responsible for a larger portion of the stack,” she said. “They may not be comfortable with managing that in a shared relationship.”
When it comes to a cloud service deployment model, survey participants said they’re most likely or somewhat likely to use private cloud (89%) or hybrid cloud (81%). Sixty-four percent are leaning towards the public cloud model.
“It doesn’t surprise me that most of them would like to try private cloud first because it offers more control, if only from a psychological standpoint, that you still know exactly where your data is,” she said.
Looking ahead, Wong said he sees cloud providers either being very specialized in terms of services offered on the SaaS model or being used for low value data like marketing brochures. “Areas where I see cloud becoming a niche if [providers] don’t straighten out their security story is provisioning of peak capacity,” he said.
A tax preparation company, for example, may need to ramp up its servers temporarily for the tax filing deadline, he said. “That’s a hybrid model -- you use a third party to handle excess load that doesn’t occur frequently, while using your standard infrastructure to handle regular loads,” he said.