Cloud computing providers debate compliance, security and transparency

By Alexander B. Howard, Associate Editor
30 Apr 2009 | SearchCompliance.com

Enterprise IT news roundup

Every CIO needs to know whether an enterprise can enter the cloud and remain both secure and compliant within regulatory restrictions. A panel of cloud computing providers at RSA Conference 2009 in San Francisco debated concerns about compliance, security and interoperability in the cloud, answering some of the following questions:

How secure is cloud computing?

"It's key to consider your cloud provider's security. Is it PII? Is it HIPAA? Is it regulatory data? Do these controls meet my regulatory policies?" said Eran Feigenbaum, director of enterprise application security at Google Inc. and former chief information security officer (CISO) at PricewaterhouseCoopers.

Jian Zhen, director of cloud solutions at VMware Inc., said he sees barriers to adoption if security concerns aren't addressed. "There are still a lot of unknowns. How are providers protecting data? Transparency is an issue." Zhen noted, too, that "as an enterprise, it's your responsibility to consider how much risk is associated with the data."

Michelle Dennedy, Sun Microsystems Inc.'s chief governance officer, said she sees the situation as fundamentally different for cloud computing today than when Sun first offered grid computing to enterprises in the 1990s. "Identity management is there. Virtualization is there. Storage is there." Dennedy, in fact, said she believes that "cloud computing is a do-over for the Internet. We get to select the best security technologies of today." Sun is expected to launch its Sun Cloud service in June.

When asked specifically about compliance standards, Feigenbaum maintained that "cloud providers have increased security dramatically in the past year," and that "there is a balance between security and transparency." He observed that "the de facto standard that cloud providers are using at present is the SAS 70. That doesn't tell you that they're secure or not but does show what security controls are in place. That introduces an independent auditor to certify that the appropriate security is there."

VMware's Zhen recognized a new factor that may be a major player in cloud computing compliance and standards: the Cloud Security Alliance. He predicted that "within six months, cloud providers will state that they are compliant with Domain 25 of the Cloud Security Alliance. The Cloud Security Alliance said SAS 70 and ISO are better than nothing. … You need to make sure your cloud provider has the appropriate controls themselves."

Rich Mogull, a former Gartner analyst and close observer of the emerging cloud space, said he thinks enterprises will need to work in concert to hold cloud computing providers to any security standards or to interoperability with regard to protocols. As Mogull noted at the Jericho Forum, "the Trustworthy Computing Initiative did not occur because Bill Gates woke up in the middle of the night and realized he needed to take care of people."

Chris Hoff, an information security analyst, former CISO at Unisys and an author of the Cloud Security Alliance's initial white paper on cloud security, noted barriers to adoption with respect to interoperability and standards. Given the economies of scale and power available, however, these questions will continue to arise. Hoff noted, "If enterprises could gain the automation and power of cloud computing internally, security wouldn't be so at issue."

On transparency, interoperability and standards: Can a company be compliant in the cloud?

Each cloud computing provider has created and promoted its own protocols for cloud computing that will cause headaches for IT professionals struggling to reconcile multiple systems. Data portability challenges are likely to be a problem.

When it came to compliance, however, there was consensus among the panel members: Transparency is crucial. Service providers need to provide reporting tools, audit trails and access controls. Before an enterprise moves into the cloud, CIOs and CISOs need to sit down and consider whether PII will be involved -- and if laws in different countries regarding export or transport controls could be a concern.

Feigenbaum accepted responsibility for Google's role in providing ways for compliance and security officers to maintain vigilance. "We are clear that we don't own the data. A lot of the data and access is exposed in an open API; it's not the traditional UI that a user might expect." In his view, however, "it is incumbent upon you as security officials to know what the security controls of your cloud provider are."

Cloud computing providers (at least those in attendance) are thinking through the requirements for businesses that are in regulated industries or that store PII. Issues of transparency, interoperability, security, data portability and access controls will remain at the top of the list of concerns for adoption.

Governmental agencies and states, for instance, may choose to create their own data centers and host internal or private clouds, as opposed to taking an unacceptable risk hosting the private data of citizens in an external provider. In fact, that's precisely the approach that the commonwealth of Massachusetts is taking.

Given the statements of the cloud providers, however, progress is being made towards resolution on some of those fronts.
