Scale aside, cloud computing compliance still worries IT managers

By Alexander B. Howard, Associate Editor
25 Jun 2009 | SearchCompliance.com

Enterprise IT news roundup

Does it matter what the definition of the cloud is? Attendees at the Enterprise 2.0 Conference in Boston this week tried to move past that ambiguous topic to other important questions: What does the cloud do, and what does it enable?

"This is what the cloud really looks like," said Rajen Sheth, senior product manager for Google Apps at Google, displaying a picture of a gigantic data center several football fields long, during a panel discussion with other cloud providers.

But jokes aside, the question of whether an enterprise can leverage the economies of scale provided by the cloud and still be able to address cloud computing compliance remains serious to IT practitioners.

Doug Cornelius, chief compliance officer at Beacon Capital Partners LLC in Boston, put the vendors on the panel on the hot seat with his thoughts on cloud computing compliance, including records management, availability of log files, terms of service, investigations, geography, data privacy laws, the risks of shared servers and the relevance of Payment Card Industry Data Security Standard compliance or a SAS 70 Type II audit. As Cornelius noted during the discussion, "The devil is in the details. I am the devil."

Understanding where data lives, where it is stored and who has access to it is a central issue in cloud computing compliance, Cornelius said. "These things live somewhere. Location matters to me, because of the EU's privacy restrictions, or, closer to home, the Massachusetts data protection act."

In an interview following the session, Cornelius said, "I got what I expected [from the vendor panelists]: 'We're the server farms.' It's the application side, where they're collecting the customer data, where we all run into the privacy issues -- especially with the EU. That means it's important to know how they collect and store that information, less so than where the data is physically provided."

When asked about data breaches and potential loss of personally identifiable information, Cornelius suggested that compliance officers considering the cloud "look at previous accidents. I think the most likely scenario is that the application will fail. What I was trying to get across during the panel is that the compliance and regulatory issues travel with the data. The key is that you work with the cloud provider, legal and security to draft service agreements to ensure that protections exist."

Cornelius noted that "there's a difference between liability and being sued. The customer is going to be sued. Perhaps there's some indemnity or defense built into the terms of service, where the cloud provider ultimately has some liability in the case of a data breach. That said, if it's your company, your data, you get sued."

One fact emerged: Technology is moving faster than the law, said panelist Sean Poulley, vice president of online collaboration services at IBM. "There always have been issues in selling and deploying technology to other countries, based on U.S. policies." When considering risk management and compliance, "it's a balance of business benefit with the associated risk."

For most users, Google Inc. is still the main, or at least the most visible, of the cloud providers. Google's Sheth is credited with coming up with the idea of Google Apps, which brings Google's consumer technology into businesses as a cloud service.

"We take great pains to ensure that privacy is maintained," Sheth said. "We make sure that we adhere to the privacy laws that affect our customers. Secondly, we have rigorous security processes around how we secure people's data. We brought in experts from the Fortune 500 and academia to rethink security for a large data center environment. We've integrated that deeply into the DNA of the company. For example, every new product that comes out has to have a security review when it comes out."

"It will be interesting to see how legislation will catch up to the cloud." -- Rajen Sheth, senior product manager, Google Apps

When asked about security loopholes reported in Google Docs, Sheth said, "Inherently with software, there are going to be issues -- and we know that. One of the things that we've done is make sure to build a process about being able to plug security holes as they happen -- but that's one of the advantages of the cloud: We don't have to wait to get a patch out. We can eradicate a problem very quickly."

When Google rolls out new features, how does the company think about compliance? "Compliance and legal rate extremely high when we roll out new features," Sheth said. "One of the first things we did was make a very, very large investment and bring in Postini and deeply integrate it with Google Apps. That was necessary because the customers that we sell to have to comply with a variety of internal and external policies for how they control their data, everything from litigation holds to e-discovery of email to particular policies of how certain email can be sent outside of corporations."

The advantages of scale afforded by the cloud are always mentioned, but for compliance officers, assured access to their own data and to the audit logs is crucial, as is control over the authentication system that decides who gets in.

"Most of our enterprise customers integrate their own access systems into Google Apps," Sheth said. "Most of our enterprise customers don't use us; they use their own authentication. They can look if a given user is inside or outside the firewall or using two-factor authentication. They also can use that for logging, as in who accessed the system at what times."
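The access review Sheth describes, written out as an added example that is not code from the original article or from Google Apps: it assumes a key=value SSO audit log format and a set of corporate address ranges (both assumptions made for the illustration), runs over constructed log lines, and answers the two questions a compliance officer asked for here, who accessed the system at what times, and which successful logins came from outside the network without a second factor.

```python
"""Access review over SSO audit events.

Added example, not code from the article or from Google Apps. The log
format, the field names and the internal network ranges are assumptions
chosen for the illustration; the log lines below are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: the enterprise's own address space as seen by the SSO system.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample of SSO audit events. The 'timestamp key=value ...'
# layout is an assumption, not a real product's format. The last line has
# no mfa field at all, which a review must treat as "no second factor".
SAMPLE_LOG = """\
2009-06-23T13:58:02Z user=alice ip=10.1.4.22 mfa=yes result=success
2009-06-23T14:02:11Z user=bob ip=203.0.113.45 mfa=no result=success
2009-06-23T14:05:40Z user=carol ip=203.0.113.9 mfa=yes result=success
2009-06-23T14:07:03Z user=bob ip=203.0.113.45 mfa=no result=failure
2009-06-23T18:31:17Z user=alice ip=198.51.100.77 mfa=no result=success
2009-06-23T18:40:00Z user=dave ip=192.168.7.5 result=success
"""


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict.

    Raises ValueError when the line lacks a timestamp or a user, because a
    record that cannot answer "who, when" is useless for an access review.
    """
    parts = line.split()
    if not parts:
        raise ValueError("empty line")
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
    if "user" not in fields:
        raise ValueError(f"no user field: {line!r}")
    fields["time"] = ts.replace(tzinfo=timezone.utc)
    return fields


def is_internal(ip_text):
    """True when the source address falls inside the assumed corporate ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETWORKS)


def review(log_text):
    """Build a per-user access timeline and flag risky successful logins.

    A login is flagged when it succeeded from outside the corporate network
    without a recorded second factor. A missing 'mfa' or 'ip' field counts
    against the record, so an incomplete log line cannot pass by omission.
    Returns (timeline, findings).
    """
    timeline = defaultdict(list)
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        ip = ev.get("ip")
        timeline[ev["user"]].append((ev["time"], ip or "?", ev.get("result", "?")))
        if ev.get("result") != "success":
            continue  # failed attempts belong in the timeline but are not access
        has_mfa = ev.get("mfa", "no") == "yes"
        external = ip is None or not is_internal(ip)
        if external and not has_mfa:
            findings.append({"user": ev["user"], "time": ev["time"], "ip": ip or "?"})
    return dict(timeline), findings


if __name__ == "__main__":
    timeline, findings = review(SAMPLE_LOG)
    for user in sorted(timeline):
        for when, ip, result in timeline[user]:
            print(f"{when:%Y-%m-%d %H:%M}Z  {user:<6} {ip:<15} {result}")
    print(f"\n{len(findings)} external login(s) without a second factor:")
    for f in findings:
        print(f"  {f['user']} from {f['ip']} at {f['time']:%H:%M}Z")
```

The timeline is the "who accessed the system at what times" record; the findings list is the "outside the firewall without two-factor" check. Treating a missing `mfa` field as a failure of the check, rather than silently skipping the record, is the conservative reading a compliance reviewer would want when the log is the only evidence available.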

Sheth worked with the nation's new top CIO, Vivek Kundra, when Kundra was chief technology officer for the District of Columbia. "I was heavily involved with bringing Google Apps to D.C.," Sheth said. "Government and private sector both need to do e-discovery of email but potentially use it for different things. … For government, there may need to be a way to retain email messages that are part of the public records; they'll use e-discovery for that purpose. What we tried to do is to make Google Apps generic enough that entities can integrate the controls they need."

But can a government or a private entity move into the cloud and remain compliant, in Sheth's eyes? "Yes, they can. Definitely. But you don't have to take my word for it. Look at the District of Columbia or companies like Genentech that have made this move. They scrutinized it heavily before making the move to make sure they could meet those standards."

Still, users are not wholly satisfied with these answers. "The conversation about the cloud was not targeted to the people who need to work with compliance and security. Doug's questions about contracts and service-level agreements didn't get answers," said attendee Mark Masterson, an enterprise architect at Computer Sciences Corp. "On a technical level, the answer [to being able to achieve compliance in the cloud] is unequivocally yes," Masterson said. "If there are problems, and there are real problems, they live in Doug Cornelius' word, around risk assessment. What is this going to cost me if this goes down? The risk is more in terms of the business value."

The challenge, for those considering the move to the cloud, is then in assessing that risk. As Masterson noted, "I thought it was fascinating when [panel moderator] David Berlind asked the audience how many of you know how much your email servers cost: No one put up any hands. There are all kinds of reasons why enterprises don't know that. Regardless, we can't make any fundamentally correct risk assessments for moving to the cloud because our foundation is wobbly. It's all kind of voodoo math -- Reaganomics."

Let us know what you think about the story; email: Alexander B. Howard, Associate Editor



Tags: E-discovery and compliance; PCI compliance; Risk management and compliance


All Rights Reserved, Copyright 2009, TechTarget