Cloud Computing: 4 Tips for Regulatory Compliance
Cloud computing makes it harder for enterprises to be sure they're complying with industry and government regulations. IT and legal experts offer CIOs advice on how to stay in compliance even when their applications reside in the cloud.
Mon, August 08, 2011
CIO — Cloud computing seems simple in concept, and indeed, simplicity of operation, deployment and licensing are its most appealing assets. But when it comes to questions of compliance, once you scratch the surface you'll find more questions than you asked in the first place, and more to think about than ever before.
Compliance covers a lot of ground, from government regulations such as Sarbanes-Oxley and the European Union Data Protection Act, to industry regulations such as PCI DSS for payment cards and HIPAA for health data. You may have internal controls in place, but moving to a public-cloud infrastructure platform, a cloud-based application suite or something in between will mean giving up some controls to the cloud vendor.
That's a position many auditors—and CIOs and CEOs—find themselves in today. They want to know how to leap into cloud computing in a way that preserves their good standing in regulatory compliance. Here are four tips for keeping tabs on compliance in the cloud, from analysts, vendors and consultants.
1. Be aware of new challenges the cloud may add to your IT workload.
When you evaluate cloud vendors, start by looking for sound practices and strategies for user identity and access management, data protection and incident response. These are baseline compliance requirements. Then, as you map specific compliance requirements to your prospective cloud vendor's controls, you'll likely face some cloud-specific challenges.
Data location is one. The EU Data Protection Act, for example, strives to keep personal information within the European Union. To comply, your cloud vendor should keep your European customer data on servers located in Europe.
Multi-tenancy and de-provisioning also pose challenges. Public cloud providers use multi-tenancy to optimize server workloads and keep costs down. But multi-tenancy means you're sharing server space with other businesses, so you should know what safeguards your cloud provider has in place to prevent any compromise. Depending on how critical your data is, you may also want to use encryption. HIPAA, for example, requires that all user data, both moving and at rest, be encrypted.
User de-provisioning is an issue that will become more challenging as password-authentication methods grow in complexity and volume. Federated identity management schemes will make it easier for users to log on to multiple clouds, and that will make de-provisioning much trickier.
"When an employee leaves the company, what you'd like is to push a button and that person gets de-provisioned from their Windows account and any internal enterprise applications, their mobile phone gets wiped of corporate information, and they're blocked from the company's SaaS applications, " says Tom Kemp, CEO of Centrify, a provider of identity management and compliance tools. Today, automated de-provisioning can't span both cloud and on-premise systems, he says.