Does it matter what the definition of the cloud is? Attendees at the Enterprise 2.0 Conference in Boston this week...
tried to move past that ambiguous topic to other important questions: What does the cloud do, and what does it enable?
"This is what the cloud really looks like," said Rajen Sheth, senior product manager for Google Apps at Google, displaying a picture of a gigantic data center several football fields long, during a panel discussion with other cloud providers.
But jokes aside, the question of whether an enterprise can leverage the economies of scale provided by the cloud and still be able to address cloud computing compliance remains serious to IT practitioners.
Doug Cornelius, chief compliance officer at Beacon Capital Partners LLC in Boston, put the vendors on the panel on the hot seat with his thoughts on cloud computing compliance, including records management, availability of log files, terms of service, investigations, geography, data privacy laws, the risks of shared servers and the relevance of Payment Card Industry Data Security Standard compliance or a SAS 70 Type II audit. As Cornelius noted during the discussion, "The devil is in the details. I am the devil."
Understanding where data lives, where it is stored and who has access to it is a central issue in cloud computing compliance, Cornelius said. "These things live somewhere. Location matters to me, because of the EU's privacy restrictions, or, closer to home, the Massachusetts data protection act."
In an interview following the session, Cornelius said, "I got what I expected [from the vendor panelists]: 'We're the server farms.' It's the application-side, where they're collecting the customer data, where we all run into the privacy issues -- especially with the EU. That means it's important to know how they collect and store that information, less so than where the data physically provided."
When asked about data breaches and potential loss of personally identifiable information, Cornelius suggested that compliance officers considering the cloud "look at previous accidents. I think the most likely scenario is that the application will fail. What I was trying to get across during the panel is that the compliance and regulatory issues travel with the data. The key is that you work with the cloud provider, legal and security to draft service agreements to ensure that protections exist."
Cornelius noted that "there's a difference between liability and being sued. The customer is going to be sued. Perhaps there's some indemnity or defense built into the terms of service, where the cloud provider ultimately has some liability in the case of a data breach. That said, if it's your company, your data, you get sued."
One fact emerged: Technology is moving faster than the law, said panelist Sean Poulley, vice president of online collaboration services at IBM. "There always have been issues in selling and deploying technology to other countries, based on U.S. policies." When considering risk management and compliance, "it's a balance of business benefit with the associated risk."
For most users, Google Inc. is till the main, or at least the most visible, of cloud providers. Google's Sheth is credited with coming up with the idea of Google Apps, which acts as a cloud in bringing Google's consumer technology into businesses.
"We take great pains to ensure that privacy is maintained," Sheth said. "We make sure that we adhere to the privacy laws that affect our customers. Secondly, we have rigorous security process around how we secure people's data. We brought in experts from the Fortune 500 and academia to rethink security for a large data center environment. We've integrated that deeply into the DNA of the company. For example, every new product that comes out has to have a security review when it comes out."
When asked about security loopholes reported in Google Docs, Sheth said, "Inherently with software, there are going be issues -- and we know that. One of the things that we've done is make sure to build a process about being able to plug security holes as they happen -- but that's one of the advantages of the cloud: We don't have to wait to get a patch out. We can eradicate a problem very quickly."
When Google rolls out new features, how does the company think about compliance? "Compliance and legal rate extremely high when we roll out new features," Sheth said. "One of the first things we did was made a very, very large investment and brought in Postini and deeply integrated it with Google Apps. That was necessary because the customers that we sell to have to comply with a variety of internal and external policies for how they control their data, everything from litigation holds to e-discovery of email to particular policies of how certain email can be send outside of corporations."
The advantages of scale afforded by the cloud are always mentioned, but, for compliance officers, ensuring access to data and logs is crucial, along with authentication systems.
"Most of our enterprise customers integrate their own access systems into Google Apps," Sheth said. "Most of our enterprise customers don't use us, they use their own authentication. They can look if a given user is inside or outside the firewall or using two-factor authentication. They also can use that for logging, as in who accessed the system at what times."
Sheth worked with the nation's new top CIO, Vivek Kundra, when Kundra was chief technology officer for the District of Columbia. "I was heavily involved with bringing Google Apps to D.C.," Sheth said. "Government and private sector both need to do e-discovery of email but potentially use it for different things. … For government, there may need to be a way to retain email messages that are part of the public records; they'll use e-discovery for that purpose. What we tried to do is to make Google Apps generic enough that entities can integrate the controls they need."
But can a government or a private entity move into the cloud and remain compliant, in Sheth's eyes? "Yes, they can. Definitely. But you don't have to take my word for it. Look at the District of Columbia or companies like Genentech that have made this move. They scrutinized it heavily before making the move to make sure they could meet those standards."
Still, users are not wholly satisfied with these answers. "The conversation about the cloud was not targeted to the people who need to work with compliance and security. Doug's questions about contracts and service-level agreements didn't get answers," said attendee Mark Masterson, an enterprise architect at Computer Sciences Corp. "On a technical level, the answer [to being able to achieve compliance in the cloud] is unequivocally yes," Masterson said. "If there are problems, and there are real problems, they live in Doug Cornelius' word, around risk assessment. What is this going to cost me if this goes down? The risk is more in terms of the business value."
The challenge, for those considering the move to the cloud, is then in assessing that risk. As Masterson noted, "I thought it was fascinating when [panel moderator] David Berlind asked the audience how many of you know how much your email servers cost: No one put up any hands. There all kinds of reasons why enterprises don't know that. Regardless, we can't make any fundamentally correct risk assessments for moving to the cloud because our foundation is wobbly. It's all kind of voodoo math -- Reaganomics."
Let us know what you think about the story; email: Alexander B. Howard, Associate Editor