This content is part of the Essential Guide: Breaking down what's in your cloud SLA

Compensating controls can help boost cloud compliance

Cloud computing can be attractive for IT services, except when it's time to figure out a compliance strategy. Chenxi Wang of Forrester Research explains the cloud compliance complexities and offers four compensating controls that can help.

In the current economic climate, many of today's organizations are facing aggressive cost-cutting and efficiency...

pressures that are driving businesses to consider cloud sourcing. While many properties of cloud services, such as elasticity, low-entry costs and faster time-to-market ratios, are well suited to support a wide range of business functions, compliance has been a difficult proposition when considering moving to the cloud. As a result, leveraging the benefits of the cloud and maintaining compliance can be at odds with each other.

One reason behind this clash stems from the implication that the "cloud" is omnipresent and accessible anywhere. But, take note, although a cloud service may be accessible anywhere, it is far from omnipresent. In fact, Forrester Research Inc. recently discovered that many Infrastructure as a Service (IaaS) clouds use a traditional IT outsourcing model: They provision services from specific data centers from specific geographic regions. Although there are true global clouds (like Google), in the Software as a Service (SaaS) segment, many vendors use what are ultimately local clouds to deliver global services.

 So why does a cloud service's point of origin matter? There are several reasons, the first of which is that regulations can affect cloud operations so users of a localized cloud may find their goals at odds with the local laws and regulations that govern the cloud operation. Additionally, true geographic diversity and high availability only comes with global clouds. This means if the cloud operation is restricted to a single location or a small set of locations, the benefit of geographic diversity doesn't apply, and in the final analysis, neither does high availability.

Most importantly, location matters; if you don't know where your cloud provider's data center is, or where your data is, you have no means to evaluate whether your data would be subject to any local laws and regulations that may be in conflict with your data privacy compliance goals. With the exception of the new HITECH Act for HIPAA, few laws and regulations in the U.S. have specifically included the role of a service provider. This means that if found in violation of the compliance goal, it's not the service provider that will end up in court. If you don't know where your data resides, it's time to find out.

The economics of the cloud dictate that data and applications are decoupled from infrastructure operations. It's this very notion that engenders tremendous operational and business efficiency while putting security and compliance at odds with these goals. Instead of waiting for the cloud industry to step up its support for regulatory compliance, security professionals need to look beyond their providers for compensating controls to aid cloud sourcing. Here are a few compensating controls to consider:

  • Cleanse or anonymize private data whenever you can: Not all data needs to live in the cloud in its clear text form. Cleansing or anonymizing private data may be the cheapest way of attaining privacy control; therefore always consider this option first.


  • Use cloud-independent encryption: As in the case of implementing HIPAA with IaaS, encryption technologies can be used to protect data and applications outside the cloud. Emerging technologies that provide in-the-cloud encryption of either virtual machines or data, with customers holding the key, have tremendous promise for enhanced data protection in the cloud.


  • Pay more for higher confidence: If a provider doesn't currently offer a specific control that's essential to achieving compliance, work with that provider to gauge the possibility of attaining that control. Sometimes all it takes is a higher service price. Point out that it can potentially generate additional revenues from other clients and gain competitive benefits from implementing the additional control.


  • Use a hosted private cloud: A hosted private cloud is a dedicated cloud infrastructure; in other words, a utility pricing model, accessible via standard Internet protocols, and with automated workload distribution that is hosted by a third party. Because the infrastructure is dedicated to your organization, you have the option to impose stringent security and privacy policies, even having the infrastructure certified by auditors for compliance purposes. The hosted private cloud requires a heftier upfront investment than a public cloud, but lower ongoing operational overhead and better control than a private cloud.

Whatever the control may be, it is ultimately the security professional's responsibility to attain cloud compliance. In the long term, compliance support and effectiveness will become differentiators in the cloud service industry and will likely help further drive adoption. Why? Because cloud services can spread out the cost of compliance support over multiple clients while running more efficient processes that make the additional investment worthwhile.

About the author:
Chenxi Wang is a principal analyst at Forrester Research, where she serves security & risk professionals. She is a leading expert on content security, application security and vulnerability management.

Dig Deeper on Cloud Compliance: Federal Regulations and Industry Regulations