By now, the benefits of cloud computing are familiar: rapid deployment, scalability, low startup costs, ability to focus on the business rather than running data centers, accounting gains from expensing costs rather than capitalizing them; the list goes on.

The tally of “the cloud's” principal disadvantages is just as well-known, albeit a lot shorter: data security and compliance.

Don't be deceived by the imbalance in pros and cons, however; those two drawbacks have cast quite a shadow on cloud adoption. The good news is that a combination of IT self-awareness, savvy dealings with cloud-computing providers, and new software offerings is chipping away at data security concerns, making the transition to the cloud much less of a leap of faith.

That's not to say that data security problems are evaporating. While experts see an increasingly wide range of data as cloud-eligible, deciding what to keep in-house and what to move to the cloud depends on an organization's appetite for risk, the value (or savings) the cloud can impart, and the consequences of losing control over one's data.

Different types of cloud models have their own data-security and compliance implications—which, in turn, hinge on the nature of the data and processing a company wants to send to the cloud. Computing vendors host private, public, and hybrid clouds, where they provide software as a service (SaaS)—think Salesforce.com; infrastructure as a service (IaaS), which is server-and-storage for hire; and platform as a service (PaaS), a virtual software-development platform. Public clouds, hosted by the likes of Amazon, Microsoft, IBM, Google, and many others, are the most economically attractive deployment model; among the service models, SaaS and IaaS are the fastest-growing markets.

David Cass, chief information security officer of Elsevier, a publisher of science and health data, says his organization sees the cloud as an opportunity to let Elsevier focus on its strengths, managing content and delivering products to customers. Elsevier's default IT position is to think “cloud-first” for every application and revert to in-house data centers if the cloud looks too risky, Cass says.

Risk Analysis

The analysis starts with Elsevier's enterprise architecture committee, “because it looks at things strategically across Elsevier,” he says. The first hurdle is a big one: Does the proposed cloud application involve what Cass calls “regulated data”—information that falls under the purview of the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), or a host of other laws and major industry standards?

If so, Cass says, Elsevier takes the cloud off the table. “As the cloud matures, as security gets better and there's more visibility into the product, we can revisit some of the regulated data applications,” he says.

Applications passing the first test then go through a cloud readiness assessment and a security review, Cass says. “The move to the cloud really puts the focus back on application security and good IT governance,” he says.

The cloud readiness assessment involves a hard look at the applications themselves. Because you may not have control over a cloud provider's security and firewalls, “the key thing is to make sure the application is designed with security in mind, rather than having to put security around the application,” Cass says.

Douglas Barbin, a CPA who does cloud-security audits as a director at BrightLine, agrees. “It's not just on the cloud provider and how good they are. It depends on what you give the public cloud in the first place. If you're doing processing on your end and put personally identifiable information in the cloud, the risk is reduced if it's encrypted when it gets there,” he says.
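What Barbin describes, doing the processing on your own side and handing the cloud only ciphertext, looks like this in practice. The Go program below is an added example written for this page, not code from the article, Elsevier, or BrightLine. The Record fields, the customer ID and SSN values, and the in-memory NewKey stand-in for a tenant-side key store are all constructed for illustration; the provider is assumed to receive nothing but the StoredObject.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Record is a constructed PII record processed on the tenant's side; only the
// CustomerID is needed in clear for lookups, the other fields must not reach the cloud unencrypted.
type Record struct {
	CustomerID string `json:"customer_id"`
	Name       string `json:"name"`
	SSN        string `json:"ssn"`
}

// StoredObject is what is actually uploaded: the clear lookup key, a fresh nonce,
// and the AES-GCM ciphertext with its tag. The key stays in the tenant's key store.
type StoredObject struct {
	CustomerID string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a random 256-bit AES key (a hypothetical stand-in for a KMS/HSM).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the record locally before upload. The clear CustomerID is bound in as
// additional authenticated data, so a ciphertext cannot be re-labelled as another
// customer's without the tag check failing.
func Seal(key []byte, r Record) (StoredObject, error) {
	plaintext, err := json.Marshal(r)
	if err != nil {
		return StoredObject{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return StoredObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(r.CustomerID))
	return StoredObject{CustomerID: r.CustomerID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an object fetched back from the cloud; any change to the ciphertext,
// nonce, or CustomerID label is rejected before the JSON is even parsed.
func Open(key []byte, o StoredObject) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	plaintext, err := gcm.Open(nil, o.Nonce, o.Ciphertext, []byte(o.CustomerID))
	if err != nil {
		return Record{}, fmt.Errorf("stored object failed authentication: %w", err)
	}
	var r Record
	if err := json.Unmarshal(plaintext, &r); err != nil {
		return Record{}, err
	}
	return r, nil
}

// Exposes reports whether a secret is readable in what the provider holds (what a
// provider-side index, an insider, or a breach of the provider would see).
func Exposes(o StoredObject, secret string) bool {
	return bytes.Contains(o.Ciphertext, []byte(secret))
}

func main() { // demo only; errors are ignored here but must be handled in real code
	key, _ := NewKey()
	rec := Record{CustomerID: "c-1001", Name: "Ada Example", SSN: "123-45-6789"} // constructed
	obj, _ := Seal(key, rec)
	fmt.Printf("provider holds: id=%s nonce=%x ct=%x\n", obj.CustomerID, obj.Nonce, obj.Ciphertext)
	fmt.Println("SSN visible to provider:", Exposes(obj, rec.SSN))
	back, err := Open(key, obj)
	fmt.Println("tenant reads back:", back, err)
	obj.Ciphertext[0] ^= 0x01 // simulate alteration or corruption on the provider side
	_, err = Open(key, obj)
	fmt.Println("altered object:", err)
}
```

The point is what the provider ends up holding: a lookup key in clear plus a nonce and authenticated ciphertext. Without the tenant's key, a provider-side search, an insider, or a breach of the provider cannot recover the name or SSN, and the GCM tag makes Open reject any object whose ciphertext, nonce, or customer label was altered in storage. The caveat is that the risk reduction Barbin describes only holds if the key really stays on the tenant's side; if the provider also manages the key, the provider can read the data, and you are back to trusting the provider's controls.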

The risk is also reduced by finding the right service provider in the first place, Barbin says. Cloud providers are piling on audits and certifications to demonstrate their commitment to security, including SAS 70, ISO 20000, PCI DSS 2.0, and others. The Cloud Security Alliance and the Open Data Center Alliance are also publishing guidance on security standards. In terms of auditing, “it used to be that the forward-thinkers were doing SAS 70; now [the AICPA's] SOC 1 and SOC 2 seem to be more the norm,” Barbin adds. The distinction matters when reading a provider's paperwork: a SOC 1 report covers controls relevant to a customer's financial reporting, while SOC 2 covers the AICPA's Trust Services criteria (security, availability, processing integrity, confidentiality, and privacy), so a customer should check which report, which criteria, and which period the provider's auditor actually covered.

In the Contract

Service-level agreements can shore up cloud security and lessen the risk of moving to the cloud, says Thomas Trappler, director of software licensing at the University of California at Los Angeles. Trappler, who teaches a seminar on cloud computing contracting, says even HIPAA-class data could be cloud-ready, with the right SLAs in place and the right cloud provider.

The cloud provider doesn't necessarily have to understand HIPAA per se, Trappler adds. HIPAA merely says healthcare data must be secure and confidential; it doesn't specify how to get that done. Once a path to HIPAA compliance is defined, a company can wrap an SLA around a bundle of services—encryption, physical security, auditability, and so forth—that combine to achieve the overarching goal of compliance, he says.

“HIPAA [compliance] is an end-state,” Trappler says, though he agrees that most organizations will have data they deem too sensitive to put in the cloud.

Greg Brown, McAfee's vice president of product marketing and cloud security, says hosted private clouds, which let you identify dedicated physical servers and storage, are the best bet for “audit-sensitive” offerings.

Vendors are stepping up with new cloud-security offerings, says Rick Holland, a senior analyst covering risk and security with Forrester Research. For example, Okta, an identity and access management service, offers a way to “provision and de-provision” (that means “add and delete” in the common tongue) users quickly and across cloud and corporate platforms. Another, CloudLock, provides a layer of control and auditability for Google Apps, and, soon, Microsoft's cloud-based Office 365.

The CloudLock software addresses a common issue: employees, or even entire departments, are using Google Apps, Box.net, and other cloud-based software without the IT department's—or the compliance team's—knowledge (let alone consent). “I would dare to say that almost every organization has a lot more of that going on than they think,” Holland says.

The big names in IT security are playing in the cloud, too; McAfee's Cloud Security Platform is just one example. It integrates into existing McAfee security products with the defining philosophy that a company should be able to extend its approach to IT security into the cloud's SaaS and IaaS environments, Brown says.

“Just because you're embracing the cloud doesn't mean you have to invent a new security process,” Brown says.