Every CIO needs to know whether an enterprise can enter the cloud and remain both secure and compliant within regulatory restrictions. A panel of cloud computing providers at RSA Conference 2009 in San Francisco debated concerns about compliance,
How secure is cloud computing?
"It's key to consider your cloud provider's security. Is it PII? Is it HIPAA? Is it regulatory data? Do these controls meet my regulatory policies?" said Eran Feigenbaum, director of enterprise application security at Google Inc. and former chief information security officer (CISO) at PricewaterhouseCoopers.
Jian Zhen, director of cloud solutions at VMware Inc., said he sees barriers to adoption if security concerns aren't addressed. "There are still a lot of unknowns. How are providers protecting data? Transparency is an issue." Zhen noted, too, that, "as an enterprise, it's your responsibility to consider how much risk is associated with the data."
Michelle Dennedy, Sun Microsystems Inc.'s chief governance officer, said she sees the situation as fundamentally different for cloud computing today than when Sun first offered grid computing to enterprises in the 1990s. "Identity management is there. Virtualization is there. Storage is there." Dennedy, in fact, said she believes that "cloud computing is a do-over for the Internet. We get to select the best security technologies of today." Sun is expected to launch its Sun Cloud service in June.
When asked specifically about compliance standards, Feigenbaum maintained that "cloud providers have increased security dramatically in the past year," and that "there is a balance between security and transparency." He observed that "the de facto standard that cloud providers are using at present is the SAS 70. That doesn't tell you that they're secure or not but does show what security controls are in place. That introduces an independent auditor to certify that the appropriate security is there."
VMware's Zhen recognized a new factor that may be a major player in cloud computing compliance and standards: The Cloud Computing Alliance. He predicted that "within six months, cloud providers will state that they are compliant with Domain 25 of the Cloud Security Alliance. The Cloud Security Alliance said SAS 70 and ISO are better than nothing. … You need to make sure your cloud provider has the appropriate controls themselves."
Rich Mogull, a former Gartner analyst and close observer of the emerging cloud space, said he thinks enterprises will need to work in concert to hold cloud computing providers to any security standards or interoperability with regards to protocol. As Mogull noted at the Jericho Forum, "the Trustworthy Computing Initiative did not occur because Bill Gates woke up in the middle of the night and realized he needed to take care of people."
Chris Hoff, an information security analyst, former CISO at Unisys and an author of the Cloud Security Alliance's initial white paper on cloud security, noted barriers to adoption with respect to interoperability and standards. Given the economies of scale and power available, however, these questions will continue to arise. Hoff noted, "If enterprises could gain the automation and power of cloud computing internally, security wouldn't be so at issue."
On transparency, interoperability and standards: Can a company be compliant in the cloud?
Each cloud computing provider has created and promoted its own protocols for cloud computing that will cause headaches for IT professionals struggling to reconcile multiple systems. Data portability challenges are likely to be a problem.
When it came to compliance, however, there was consensus among the panel members: Transparency is crucial. Service providers need to provide reporting tools, audit trails and access controls. Before an enterprise moves into the cloud, CIOs and CISOs need to sit down and consider whether PII will be involved -- and if laws in different countries regarding export or transport controls could be a concern.
Feigenbaum accepted responsibility for Google's role in providing ways for compliance and security officers to maintain vigilance. "We are clear that we don't own the data. A lot of the data and access is exposed in an open API; it's not the traditional UI that a user might expect." In his view, however, "it is incumbent upon you as security officials to know what the security controls of your cloud provider are."
Cloud computing providers (at least those in attendance) are thinking through the requirements for businesses that are in regulated industries or that store PII. Issues of transparency, interoperability, security, data portability and access controls will remain at the top of the list of concerns for adoption.
Governmental agencies and states, for instance, may choose to create their own data centers and host internal or private clouds, as opposed to taking an unacceptable risk hosting the private data of citizens in an external provider. In fact, that's precisely the approach that the commonwealth of Massachusetts is taking.
Given the statements of the cloud providers, however, progress is being made towards resolution on some of those fronts.