by Jim Hietala

Compliance Under a Cloud

Feb 24, 2010
Cloud ComputingLegal

Cloud services buyers beware: vendors must address security regulations

There’s no doubt that cloud computing is dominating today’s IT conversation among C-level security executives. Whether they’re lured by its compelling cost savings or its perceived advantages, security leaders are probing the capabilities and restrictions of the cloud. At the same time, security and compliance concerns remain issues holding large enterprises back from capitalizing on the cloud’s benefits.

Some of the most frequently asked questions include: Is using cloud computing services advisable for applications and data subject to compliance requirements? Is compliance in the cloud even possible? And what standards are in place already to avoid the stormier implications of cloud?

Not surprisingly, any answer to these questions has to start with, It depends. Coming to a meaningful conclusion requires context. Is the cloud service public or private? The company’s specific compliance requirements are also key to understanding whether compliance can be achieved.

Blanket statements regarding compliance and the cloud aren’t possible because vendors can create different types of cloud services and infrastructures for single enterprises or groups. A recent National Institute of Standards and Technology (NIST) paper recognizes three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). NIST further describes four different deployment models: private cloud, community cloud (shared among several organizations), public cloud and hybrid cloud (part private, part public or community).

The different service and deployment models allow varying degrees of customer control and place different security and compliance obligations on both customers and service providers. In private clouds, for example, the organization building them is free to apply whatever set of controls it sees fit. In public, community or hybrid clouds, the customer organization does not typically have this degree of control. Furthermore, the flexibility afforded the user for an IaaS service will generally be a lot higher as compared to a SaaS service. And with that higher degree of flexibility comes a higher degree of responsibility for security and compliance for the user.

While many of the benefits of cloud computing apply across different cloud service models and deployment types, the ability of the various kinds of cloud computing to address security concerns and meet compliance obligations varies widely. For private clouds, it’s fairly straightforward to build controls into the cloud that enable compliance. For public cloud services, however, becoming compliant is a more challenging endeavor.

Another significant consideration is the specific set of laws that affect an organization. Some of the key compliance regulations, including HIPAA and the Gramm-Leach-Bliley Act, require careful analysis of the specific requirements, along with a solid understanding of the security controls put in place by the cloud service provider. And many public cloud service providers are not very transparent in providing information to their customers describing the specific security controls deployed.

Organizations considering using cloud services should perform a gap analysis between the specific requirements identified in relevant regulations and the set of controls provided by the cloud service provider. It is also worth noting that satisfying many compliance requirements will require assessing the control state for the cloud service at periodic intervals. For example, even performing vulnerability scans on public cloud services may be an issue, as some cloud services contracts limit the customer’s ability to do this.

Using cloud computing services for data and applications subject to compliance regulations requires a high degree of transparency on the part of service providers. If you’re considering these services, you need to think through what use cases make sense, closely review contracts and service-level agreements and understand how the cloud service meets compliance requirements. Insist on “right to audit” clauses and general transparency on the controls in use. Perhaps in the future cloud services will emerge that are tailored to meet the compliance requirements of specific industries, but for now—caveat emptor!

Jim Hietala is vice president of security for The Open Group. He is coleading development of compliance and audit content for the forthcoming Cloud Security Alliance Guidance Version 2.