Cloud Providers are Stepping up Compliance
By Bill Bulkeley
Every CIO wants to get his or her head in the cloud as soon as possible. But many keep stubbing their toes on the fact that they have to comply with a plethora of government regulations. Those require them to know a lot about where their data is, who can access it and how it is protected, which is very difficult in the cloud.
The industry is moving rapidly to address these issues. The Cloud Security Alliance unveiled its "Governance, Risk Management and Compliance Stack," a suite of enabling tools for cloud compliance, available as a free download. Growing numbers of cloud vendors are announcing certification under one security regime or another. This month Amazon said its Web services received approval as a service provider under the Payment Card Industry data security standard.
Action is needed because compliance is emerging as a significant challenge to cloud computing's growth.
"The real truth about public cloud services is that the biggest barrier to entry isn't security. The biggest barrier is compliance," says Christofer Hoff, director of cloud & virtualization solutions at Cisco Systems.
Cloud Computing Benefits
Even with compliance concerns, business and government are rushing to the cloud because it's simpler and cheaper than running a corporate data center. CIOs like the cloud because of its on-demand resources, scalability, predictable costs and collaboration benefits.
The cloud provides unparalleled flexibility. A marketing organization can bump up resources to launch an application then scale it back in a week after the initial spike has flattened out. Developers can run a beta environment for a short time and shut it down when it's no longer needed. Users aren't stuck with unneeded hardware or long-term service agreements.
Those savings exist because big public-cloud providers can place customers' data and applications on any of thousands of physical servers in any of dozens of data centers around the world. Cloud services can be provided cheaply because they don't depend on dedicated servers, storage systems and switches. Workloads run on virtual machines alongside dozens of other companies' data, and they can be moved from one physical machine to another depending on demand or even on electricity rates.
Compliance a Driver for Private Clouds
Laws requiring that companies respect individual privacy by keeping tight control of their records didn't contemplate the spread of virtual machines. Vendors say Germany's stringent laws mandate that an individual's records can't be physically kept anywhere outside of Germany. Other countries' laws require that personal data be protected from access by unauthorized people.
Cisco's Hoff says compliance is one reason many large enterprises decide they should build private clouds behind corporate firewalls rather than utilizing public clouds.
In a fall 2010 survey by Harris Interactive commissioned by Novell Inc., 81 percent of IT decision makers said that difficulty maintaining regulatory compliance in the public cloud was an issue for them.
The compliance issue is a major reason that big banks and health insurance companies build private clouds with servers and storage devices dedicated to themselves. The private clouds may cost more than using public clouds, but they make it easier to demonstrate compliance with privacy laws while taking advantage of virtualization and other cost-saving elements of cloud architecture.
Hoff says it's a reasonable strategy, even though many cloud advocates have argued that private clouds were dreamed up by hardware vendors so their customers would keep buying servers and storage racks.
Many CIOs appear to be moving to the cloud despite their compliance concerns. Software security vendor Courion Corp. surveyed 384 large users and found "nearly half (48.1 percent) of respondents said they are not confident that a compliance audit of their Cloud-based applications would show that all user access is appropriate."
Growing numbers of customers are moving certain types of applications and infrastructure to private clouds hosted in providers' data centers. A virtual private cloud, Hoff says, is "a private, roped-off set of compute and storage, often connected back to the enterprise via an encrypted VPN tunnel." It usually costs more than using a public cloud but enables the enterprise to achieve many of the benefits of cloud computing.
U.S. Government's Cloud Move
The U.S. government is one of the biggest movers. At the beginning of December, the federal General Services Administration announced that it was moving its 17,000 employees off Microsoft e-mail and desktop applications to cloud-based Google applications. The GSA estimated the contract will cut costs by $15 million, or 50 percent, over five years.
Improving Compliance in the Cloud
Public cloud vendors are working to address the compliance issue without adding the cost of dedicated hardware. Amazon recently said it had been validated as a service provider under the stringent Payment Card Industry Data Security Standard (PCI DSS). In his blog, Amazon CEO Jeff Bezos wrote: "Until recently, it was unthinkable to even consider the possibility of attaining PCI compliance within a virtualized, multi-tenant environment."
Bezos wrote that Amazon was able to demonstrate to a PCI Qualified Security Assessor that its "core services effectively and securely segregate each AWS (Amazon Web Services) customer within their own protected environment." Recent PCI guidelines cover virtualization, but they don't specifically address "multi-tenancy," in which unrelated customers share a single physical server, he acknowledged.
Security experts say the PCI standard is more stringent and more prescriptive than the HIPAA security requirements for healthcare, indicating that public clouds have the potential to comply with security standards for most regulated industries, at least in the United States.
"This is a big deal," Rich Mogull, CEO of security research firm Securosis, says on his blog. But he warns customers that Amazon's validation covers only the underlying services: the customer's own applications, configurations and processes that run on or connect to AWS remain in scope and still have to pass their own PCI assessment.
The successful efforts by Amazon and other vendors to comply with privacy and security regulations in a virtual environment show that compliance issues can be overcome. And given the many advantages that public clouds provide to enterprises, CIOs will be cheering them on.