John Bace, a research analyst at the Gartner Group, had just finished a presentation for a corporate client. Discussion shifted to the company’s data storage, and the client’s CIO mentioned he planned on moving much of that data to “the cloud.”

The general counsel looked across the table and asked him what he meant. He answered that the cloud is a virtual storage facility, existing out there on the Internet rather than in a back office filled with servers and other software.

“You mean you don’t know where our data’s going to be?” the general counsel gasped. “We have to talk.”

This is not an uncommon conversation in compliance circles these days. Cloud computing, which goes by many names, including "Software as a Service" and hosted computing, is quickly becoming the new darling of IT departments for its cost savings, which can be considerable. But concerns about internal control and compliance are raining down on legal departments just waking up to the idea.

“We are still living in a world where we have literally Gutenberg-era laws and businesses are using Star Wars technology,” Bace says. “New technology does not absolve an organization from its obligation to retain, produce, or manage data in any way.”

From the IT department’s view, cloud computing has an obvious appeal: Data storage capacity in the cloud can be scaled up or down as your company needs, which is far cheaper than creating your own data center that might be only 10 or 20 percent used. Many of the top names in technology—Google, Microsoft, EMC, Amazon, IBM, and others—are offering a wide range of services, from storage to running and managing software applications. Michael Nelson, a professor at Georgetown University and former director of Internet strategy at IBM, describes it as a world where companies could assemble software and data services into any configuration they need.

The compliance department, however, might see things quite differently. E-discovery rules for civil litigation require blow-by-blow tracking of a document's history and its rapid retrieval. The European Union restricts transfers of its citizens' personal data outside Europe unless the destination offers adequate protection. The U.S. government also wants its sensitive data to stay on U.S. soil. Those concerns run, well, smack into the cloud and its whole premise.

“You have the opportunity to relieve yourself of the capital expenditure but also the expertise needed to manage your own resources,” says Scott Crawford, research director at Enterprise Management Associates. “But what you give up is direct control.”

Without direct control, Crawford says, companies need visibility into their data and other forms of assurance spelled out in service-level agreements. But SLAs that require a cloud provider to do company-specific development or compliance-related reporting aren’t necessarily cheap, which cuts into the business value of cloud computing in the first place.

Still, companies need assurance that cloud-provider employees can’t access sensitive corporate data, that application controls are in place, and that code changes for one cloud client don’t touch another. From a business perspective, cloud computing threatens to hollow out internal IT competence and leave companies vulnerable to the proprietary whims of cloud providers, says Christopher Reichert, an IT consultant who chairs the MIT Sloan CIO Symposium.

“How do I not get locked into something that may or may not evolve down the line?” he asks.

The notion of IT security will evolve, and regulations will have to reflect such change, Reichert and others say. Security was once defined by walls—first physical, increasingly virtual—fencing in computers, networks, applications, and databases. The cloud might shift attention to a more granular level: where a specific piece of software or data came from, how it evolved, who has touched it, and who has viewed it.

“There’s a lot of research being done on this and there are immutable audit systems,” Nelson said. “But there are no standards, and there are a lot of institutional and organizational challenges.”
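As an added example, not from the article or from any of the people quoted in it, the following Python shows the mechanism behind an "immutable audit system" in miniature: a hash-chained provenance log in which every entry names the actor, the action, the data object and the location of that copy, and carries a SHA-256 over its own fields plus the previous entry's hash. Changing, deleting or reordering any earlier entry breaks every later link, which is what lets a customer answer "who has touched it, who has viewed it, and where did the copies go" with evidence rather than trust. The actors, object identifier and region labels are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Tuple

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class Entry:
    seq: int          # position in the log; makes deletions detectable
    actor: str        # who created, changed, copied or viewed the object
    action: str       # "create", "modify", "copy", "view", ...
    object_id: str    # the piece of data being tracked
    location: str     # where this copy of the object lives (made-up region label)
    prev_hash: str    # hash of the preceding entry (the chain link)
    entry_hash: str   # SHA-256 over all the fields above


def _digest(fields: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append(log: List[Entry], actor: str, action: str, object_id: str, location: str) -> Entry:
    fields = {
        "seq": len(log),
        "actor": actor,
        "action": action,
        "object_id": object_id,
        "location": location,
        "prev_hash": log[-1].entry_hash if log else GENESIS_HASH,
    }
    entry = Entry(entry_hash=_digest(fields), **fields)
    log.append(entry)
    return entry


def verify(log: List[Entry]) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, first bad index)."""
    prev = GENESIS_HASH
    for i, e in enumerate(log):
        fields = asdict(e)
        del fields["entry_hash"]
        if e.seq != i or e.prev_hash != prev or _digest(fields) != e.entry_hash:
            return False, i
        prev = e.entry_hash
    return True, -1


def history(log: List[Entry], object_id: str) -> List[Tuple[str, str, str]]:
    """Who touched or viewed an object, and where each copy ended up."""
    return [(e.actor, e.action, e.location) for e in log if e.object_id == object_id]


def sample_log() -> List[Entry]:
    # Constructed sample events; actors, object id and region labels are invented.
    log: List[Entry] = []
    append(log, "alice@corp.example", "create", "contract-4711", "eu-west")
    append(log, "bob@corp.example", "view", "contract-4711", "eu-west")
    append(log, "backup-svc", "copy", "contract-4711", "us-east")
    return log


def silently_edited_log() -> List[Entry]:
    # Operator rewrites entry 2's location without touching its hash: entry 2 fails.
    log = sample_log()
    e = log[2]
    log[2] = Entry(e.seq, e.actor, e.action, e.object_id, "eu-west", e.prev_hash, e.entry_hash)
    return log


def edited_and_rehashed_log() -> List[Entry]:
    # Operator rewrites entry 1 and recomputes its own hash: entry 2's link now breaks.
    log = sample_log()
    fields = asdict(log[1])
    del fields["entry_hash"]
    fields["actor"] = "nobody"
    log[1] = Entry(entry_hash=_digest(fields), **fields)
    return log


def deleted_entry_log() -> List[Entry]:
    # Operator drops the "view" event entirely: the sequence number exposes the gap.
    log = sample_log()
    del log[1]
    return log


if __name__ == "__main__":
    print(verify(sample_log()))               # (True, -1)
    print(verify(silently_edited_log()))      # (False, 2)
    print(verify(edited_and_rehashed_log()))  # (False, 2)
    print(verify(deleted_entry_log()))        # (False, 1)
```

The chain only detects tampering that happens after the fact; whoever operates the log can still rewrite the whole chain from the start. In practice the customer, not the provider, has to hold something the provider cannot rewrite, such as a periodically exported copy of the latest entry hash or a signed checkpoint, and compare it against the provider's chain on audit. That external anchor, not the hashing, is what makes the record "immutable" in any sense a compliance department can rely on.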

Getting a Grip on Clouds

Fortunately, compliance departments are not starting from scratch. Companies have been outsourcing various aspects of data services for years. Salesforce.com, for example, is a software-as-a-service provider with many large Corporate America customers. Tom McHale, vice president at software company CA (yet another cloud vendor), says cloud computing providers usually excel at configuration control, security control, data backup, and disaster recovery. Many also have SAS 70 Type II audit reports, in which auditors attest to the quality of the vendor's internal controls.

UNCLOUDING COMPLIANCE

Below are some key points from the Cloud Security Alliance’s guidance.

Governance and Enterprise Risk Management

A portion of the cost savings obtained by cloud computing services must be invested into the increased scrutiny of the security capabilities of the provider and ongoing detailed audits to ensure requirements are continuously met.

The Domain 1 Principles of Cloud Computing which make it very flexible and affordable create a relationship dynamism, which must be mitigated by ongoing risk management.

Providers should have regular third party risk assessments and these should be made available to customers.

Require listings of all third party relationships of the cloud provider.

Understand financial viability of cloud provider.

Understand the cloud provider's key risk and performance indicators and how these can be monitored and measured from a customer perspective.

Request a divulgence of all policies, procedures and processes comprising the cloud provider's Information Security Management System (ISMS).

The onus is on the customer to perform extensive due diligence of a cloud provider for usage in mission critical business functions or for hosting regulated personally identifiable information. At this point in time, customers should consider Private and Hybrid Cloud models for these types of business needs, unless rigorous due diligence determines a Public Cloud is acceptable.

Contracts are not your only governance tool but should encompass the broad due diligence required of a cloud provider.

Compliance and Audit

Classify data and systems to understand compliance requirements.

Understand data locations, in particular the copies of data that are made and how they are controlled.

Maintain a right to audit on demand as your regulatory mandates and business needs may change rapidly.

Perform external risk assessments, including a Privacy Impact Assessment.

While SAS 70 Type II audits and ISO 27001 certifications can indicate widely varying levels of security competency, in the aggregate they are better than no certifications whatsoever.

It is critical to examine the scope of SAS 70 Type II audits and ISO 27001 certifications. Going forward, we advocate greater uniformity in comprehensive certification scoping. This will lead to increased security assurance for the customer and a decrease in ad hoc audits, an expensive drag on cloud provider productivity.

Source: Cloud Security Alliance's Security Guidance (April 2009).

Mark Forman, a principal in KPMG’s IT Advisory Services practice, also notes that corporations are clamoring for more attention to matters of security, risk, and compliance—so that’s the stuff cloud vendors are paying attention to these days.

“In industry and government, the squeaky wheel gets oiled,” he says.

Government stands to be a major driver in the development of the cloud. With an IT budget of about $75 billion, the feds are the world’s largest IT buyer, and they are investing in seven pilot projects related to harnessing the cloud for government data and processing, Forman says.

The IT industry is also working on open standards, says Winston Bumpus, director of standards for VMware, an EMC subsidiary whose virtualization software is a cloud computing building block. A group called the Distributed Management Task Force, which Bumpus heads, is developing standards programs for virtualization that extend into clouds, he says. (Think of the MP3 format for music players, but apply the concept to cloud vendors.)

“There needs to be certification and compliance programs that ensure interoperability, which is the endgame in all this,” Bumpus says. That interoperability, he says, will let enterprises feel at ease using clouds extending past the horizon.

That will take time, says Karla Norsworthy, IBM’s vice president of software standards. Enterprise customers will sample the public cloud first for “non-mission-critical services they don’t view as a value-add or central to their mission,” and build internal clouds for more important or highly regulated processing. She envisions a future where private clouds interact with the open cloud much as private intranets coexist with the public Internet.

“If we do our jobs right, we’ll be able to get strong integration across the environments,” she says.

But that will depend on regulation as much as technology, Georgetown’s Nelson argues. “Some of the issues we’re dealing with are old issues,” he says. “They’re just five times more important and ten times more complicated now.”