Use of cloud technology continues to grow, but compliance and regulatory factors are still a concern. According to Information Security magazine and SearchSecurity.com’s 2012 Priorities survey, almost 52% of 811 respondents said meeting industry-specific standards and regulations is a top compliance/legal concern. One increasingly popular strategy to help address compliance-related issues is the community cloud deployment model.
Community cloud uses cloud technologies to support a subset of the population with related interests or intersecting goals (in many cases, these goals are related to security and regulations). For organizations with an interest in cloud but that also have implementation problems because they can’t meet security and compliance requirements, a community cloud can help offset those cloud compliance issues.
That being said, it’s important to recognize that using a community cloud doesn’t absolve you from the work associated with securing the environment. In fact, it’s quite the contrary. The effort required to support a community cloud deployment is at least equivalent to other scenarios, and in many cases actually exceeds what’s required in a more traditional cloud scenario. That’s because the type of data that’s moving into a community cloud is often the most sensitive and critical in nature. So while a community cloud can be a good strategy, think through your usage carefully before you adopt the idea -- whether it’s a service provider hosting the community cloud, another member within your stakeholder community hosting it, or even if you are hosting it internally.
Community cloud computing benefits
The National Institute of Standards and Technology (SP800-145) defines community cloud as “…provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations)….”
This means the service is designed around a particular set of contextual constraints for the purpose of supporting a specific, targeted user base. Those contextual constraints can be anything, but in practice they most often relate to security requirements (both physical and logical), compliance validation and audit requirements, and certification.
The community cloud strategy is emerging most strongly in heavily regulated verticals like health care, the federal government and financial services, and in interaction-heavy use cases. As an example, consider the health care sector. HIPAA cloud compliance has been a challenging pain point for security professionals in that space because of the specific technical controls required by the security rule. Getting cloud providers to understand that is often an educational exercise. Given those constraints, a health care organization might seek to take advantage of a community cloud; for example, it could use implementations that are purpose-built to support HIPAA.
In situations where interaction with peers is a requirement, such as a Health Information Exchange, one participating organization in the exchange (i.e., a member of the community) could set up an environment to cloud-enable key supporting tasks such as the sharing of patient records and lab results.
Community cloud compliance issues
Including regulatory and security considerations in the design of the cloud environment and structuring the service itself around them has advantages. First, a community cloud that addresses your particular requirements can facilitate adoption or allow adoption where a more general-purpose deployment wouldn’t be feasible. It can also assist by directly advancing your compliance efforts since required controls are implemented at the “substrate” level (opaquely, as part of the services you use).
In addition, it can streamline your audit response work by having reporting that is specifically developed with your regulatory requirements in mind and by being able to quickly gather evidence on control operations. Since you’re probably not the only entity in your community being audited, chances are high that the cloud provider can quickly track down required artifacts.
Despite the potential upsides, organizations shouldn’t make blind assumptions when it comes to community cloud. For example, even though you use a community cloud built around PCI compliance, that doesn’t mean your system/process/application is PCI compliant. You need to understand how and which controls are covered within the scope of the service, where responsibility resides for operation of those controls, and how to satisfy any prerequisites on your side that are key to compliance.
The point is, using a community cloud might enable you to meet particular compliance requirements, but it might not necessarily come “out of the box” in an already-compliant configuration. Become educated about specific activities that you need to undertake to support this before you engage with a vendor or community partner. Self-education in this regard is important. Keep in mind that compliance can be an interpretive exercise; there’s more than one way to meet any given requirement. Just because a community cloud attempts to address a requirement doesn’t mean you’ll necessarily agree with its interpretation.
Community cloud deployments have advantages, but remember your organization is ultimately responsible for its compliance. So get and stay educated about how requirements are met and don’t assume that just using a community cloud makes you automatically compliant.
About the author:
Ed Moyle is a senior security strategist with Savvis as well as a founding partner of Security Curve.