Compliance in the Clouds

CIO Magazine
April 9, 2010 | COMMENTS

There's no doubt that cloud computing is dominating today's IT conversation among security executives. Whether they're lured by its compelling cost savings or its perceived advantages, security leaders are probing the capabilities and restrictions of the cloud.

Some of the most frequently asked questions include: Is using cloud computing services advisable for applications and data subject to compliance requirements? Is compliance in the cloud even possible?

Not surprisingly, any answer to these questions has to start with—“it depends.” Coming to a meaningful conclusion requires context. Is the cloud service public or private? Your own specific compliance requirements are also key to understanding whether compliance can be achieved.

Blanket statements regarding compliance and the cloud aren't possible because vendors can create different types of cloud services and infrastructures for single enterprises or groups. A recent National Institute of Standards and Technology (NIST) paper recognizes three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). NIST further describes four different deployment models: private cloud, community cloud (shared among several organizations), public cloud, and hybrid cloud (part private, part public or community).

The different service and deployment models allow varying degrees of customer control and place different security and compliance obligations on both customers and service providers. In private clouds, for example, the organization building them is free to apply whatever set of controls it sees fit. In public, community, or hybrid clouds, the customer organization does not typically have this degree of control. Furthermore, the flexibility afforded the user for an IaaS service will generally be a lot higher as compared to a SaaS service. And with that higher degree of flexibility comes a higher degree of responsibility for security and compliance for the user.

While many of the benefits of cloud computing apply across different cloud service models and deployment types, the ability of the various kinds of cloud computing to address security concerns and meet compliance obligations varies widely. For private clouds, it's fairly straightforward to build controls into the cloud that enable compliance. For public cloud services, however, becoming compliant is a more challenging endeavor.

Organizations considering using cloud services should perform a gap analysis between the specific requirements identified in relevant regulations and the set of controls provided by the cloud service provider. It is also worth noting that satisfying many compliance requirements will require assessing the control state for the cloud service at periodic intervals.

Using cloud computing services for data and applications subject to compliance regulations requires a high degree of transparency on the part of service providers. If you're considering these services, you need to think through what uses make sense, closely review contracts and service-level agreements, and understand how the cloud service meets compliance requirements.

This article originally appeared CIO Journal and is reprinted with permission.