
Seeking compliance in the cloud




July 9, 2009 — 
Cloud computing can make it easier for developers to meet an organization's compliance requirements, but it can also introduce new risks and run afoul of regulations that govern data, a panel of experts told SD Times.

They recommended that an organization document what processes cloud providers have in place to secure application data and safeguard privacy; communicate its requirements for applications to providers; understand how regulation affects development in external clouds; and know what liabilities apply if something goes wrong when it is no longer the primary custodian of data.

Surprisingly, cloud providers can offer greater control and visibility of IT assets than on-premises systems, said Cass Brewer, founder of Truth to Power, an online information governance research community.

In the cloud, every action is an invocation of a service and can therefore be monitored, logged or even rolled back, explained Peter Coffee, director of platform research for Salesforce.com. "It provides a big step in the right direction towards achieving compliance…It's auditable, instead of being a scavenger hunt through incredibly heterogeneous IT environments, which most organizations are using today."

Important business processes in traditional enterprise IT are not governed at all, he added. For instance, employees might exchange data by attaching spreadsheets to e-mails. In that instance, achieving compliance is difficult because there are "an amazing number of places" where that data can go, as well as poor specification and auditability of what actions were performed by whom, he explained.

"You can't even dream of getting a snapshot of a compliance inventory in the traditional IT model," Coffee said. "You don't end up with residual state on network edge devices in cloud. That is worth an enormous amount," he added.

However, the lauded benefits of cloud computing might be out of reach for organizations that operate in highly regulated industries.

Approaching the cloud
Companies should do legwork before they approach the cloud to understand their own compliance requirements and how they may conflict with what the provider offers, said Chenxi Wang, a principal analyst at Forrester Research.

Secondly, they should produce a feasibility study based on their compliance requirements to see if they impede moving IT to the cloud or not, she said. "They need to communicate requirements clearly to vendors and know what they are asking for.

"A vendor won't do compliance for you, and you are ultimately responsible to work with the vendor to make sure that the outsourcing relationship does not violate a compliance requirement," she added.

A lot of that risk of falling out of compliance is dependent upon what type of cloud an organization adopts, whether it is under private control or public, or a hybrid of the two, said Marne Gordan, governance, risk and compliance market manager for IBM Tivoli. "An organization is responsible for that data no matter where it is resident."

Private clouds remain behind the firewall and are governed by the organization.

Even external clouds differ. They could be Infrastructure as a Service like Amazon, or fully realized services like Salesforce or other packaged offerings, said Truth to Power's Brewer. "How companies approach [internal] control, compliance and risk is incumbent on [the] nature and configuration of what it is."

Once application data is in the cloud, it can reside across multiple data centers in many locations. Applications may work as seamlessly as ever, but laws that govern data are far from being uniform.

An organization should involve its compliance officer, general counsel or outside representation to determine the laws and regulations of local, municipal and global governments before it decides to use a public cloud, Gordan said.

Just dealing with EU member states is complicated, she said. "Some laws are so different that some things you are required to disclose in one country are forbidden in another, and you cannot export data in others," she said. "Where is the border in the cloud?"

Security, privacy and contracts
Regulated organizations need to secure data and are responsible for it no matter where it resides, Gordan said. Cloud data centers may have excellent physical security, but cloud computing can "blur the line" between who is a trusted "insider" for handling data, and who is outside of the organization, she added.

"In terms of access, where do they sit in an organization?" she asked. "Cloud administrators have root access…Are they trusted insiders in your organization? How do you account for those individuals?"

The primary custodian of protected information within an organization should be responsible for understanding a cloud provider's security protections, Gordan said. "You can partner and outsource under the U.S. HIPAA [Health Insurance Portability and Accountability Act], but you cannot outsource responsibility."

Additionally, an investment in the cloud may receive more scrutiny in enterprises than internal IT would, said Brewer.
 
"The committees evaluating investment in a service may be different than internal committees formed around developing internal IT process. Depending on the risk profile of the organization, there might be a different focus on compliance, and they might hold feet to fire more than internal departments as well," she explained.

Aside from receiving greater scrutiny, cloud data centers may also be more secure than corporate servers, said Miko Matsumura, vice president and deputy CTO at Software AG. "People used to think it was safer to put your money in a mattress."

If regulatory requirements about securing application data are unclear, organizations should consult compliance experts and never rely upon a literal reading of a statute, said Salesforce's Coffee.

Contract management is key, Gordan said. "There must be a good security assurance [on the] part of all parties."

Forrester's Wang recommended an emphasis on application security, data protection, identity management, log management, physical and personnel security, and vulnerability management—things that companies usually have full oversight over internally.

Further, organizations should seek assurances about personnel certifications and documentation of the service platform, in addition to contractual assurances, Brewer said.

There must also be a clear delineation of liability to determine who is held responsible if something goes wrong, Wang said. A recourse action for every level of concern should be laid out in the service agreement, such as financial compensation or early exit from a contract, she added.

Other terms should cover the ownership and rights associated with intellectual property, she said. "There is a clear delineation in SaaS [Software as a Service], but PaaS [Platform as a Service] is a little more of a gray area."

Lastly, end-of-contract conditions should be clear, such as the packaging of data in a usable fashion, and having providers erase applications and data in their environment in a timely manner, Wang said.

Companies also need to be aware of the impact of national privacy laws on distributed computing environments, said Brewer. Data can travel from one country to another where privacy laws are more lax, or an application may transfer its data to a service in a different data center, she explained.

'Not an all-or-nothing proposition'
While it is true that a risk assessment might preclude an organization from using a cloud provider for some work, cloud applications are not a monolithic choice of "all-or-nothing data in cloud," Coffee said.

"Cloud applications can do an awful lot without having 100% cloud resident data," he said. Developers can still take advantage of external clouds by using programming workarounds, such as anonymous identifiers (a customer ID) that can be re-associated with data that is stored on premises, he explained.

"Simply look it up at your end of the wire when you are viewing or generating reports," Coffee said.
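The workaround Coffee describes is a pseudonymization layer: regulated identity fields stay on premises, the cloud sees only an opaque customer ID, and reports are re-associated at your end of the wire. The following is an added illustration of that pattern, not code from SD Times or Salesforce; the record fields, the in-memory vault and the "cloud" aggregation are constructed for the example.

```python
"""On-premises pseudonymization: strip regulated identity fields, send the
cloud an opaque customer_id, and re-associate locally when reporting.
Added example for the workaround in the article; vault and records are
constructed, not any vendor's API."""
import secrets
from dataclasses import dataclass, field

@dataclass
class Pseudonymizer:
    # On-premises mapping of random token -> protected identity fields.
    # Tokens are random rather than hashes of the PII, so the cloud side
    # cannot brute-force or cross-link them against known values.
    vault: dict = field(default_factory=dict)
    reverse: dict = field(default_factory=dict)

    def tokenize(self, record: dict, protected: tuple) -> dict:
        """Return a copy safe for the cloud: protected fields stripped
        and replaced by one opaque customer_id (stable per identity)."""
        identity = tuple((k, record[k]) for k in protected)
        token = self.reverse.get(identity)
        if token is None:
            token = secrets.token_urlsafe(16)
            self.vault[token] = dict(identity)
            self.reverse[identity] = token
        cloud_record = {k: v for k, v in record.items() if k not in protected}
        cloud_record["customer_id"] = token
        return cloud_record

    def rehydrate(self, cloud_record: dict) -> dict:
        """Re-attach identity to a cloud record, on premises only."""
        full = dict(cloud_record)
        full.update(self.vault[cloud_record["customer_id"]])
        return full

PROTECTED = ("name", "account_number")  # constructed regulated fields

def demo():
    """Tokenize constructed visit records, aggregate charges 'in the
    cloud' by token only, then name the customers on premises."""
    p = Pseudonymizer()
    on_prem = [
        {"name": "A. Patient", "account_number": "ACCT-0001", "charge": 120},
        {"name": "A. Patient", "account_number": "ACCT-0001", "charge": 80},
        {"name": "B. Patient", "account_number": "ACCT-0002", "charge": 45},
    ]
    cloud = [p.tokenize(r, PROTECTED) for r in on_prem]
    totals = {}
    for r in cloud:  # the cloud side sees only tokens and charges
        totals[r["customer_id"]] = totals.get(r["customer_id"], 0) + r["charge"]
    report = {p.vault[t]["name"]: total for t, total in totals.items()}
    return cloud, report
```

The vault is the asset the organization remains custodian of; if it is lost, the cloud data becomes unlinkable, so it needs the same backup and access controls as the regulated records themselves.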

People are doing things in complicated ways to access archived data in the cloud, said Software AG’s Matsumura. However, it may be easier in the near future, he said.

Cloud providers may end up offering platforms that are compliant with regulations and still able to keep covered data in the cloud as soon as this year, he said. "There will be certification and assurances at the corporate to corporate level; ISO 9000 kind of things.

"My message for application developers is that if your application involves complex regulatory data, keep it out of the cloud for now. You'll be building stuff someone else is building in parallel, and it's not economically worthwhile for you to build," he said.

Coffee demurred at that suggestion, stating that no cloud provider can ensure compliance for information-driven business processes when employees must enter data into an application.

"Saying I have a HIPAA-compliant cloud is like saying that I have a crash-proof car," because procedural issues such as making sure that a paper form is not left out on a desk make it impossible for a cloud provider to ensure end-to-end compliance for processing, he explained.

"At least in our cloud, nothing will prevent them from constructing applications that are HIPAA- or PCI- [Payment Card Industry] compliant, [a] process that includes our technology as part of the [processing] chain," Coffee said.

"One of the most important concepts to get across is that compliance is a combination of knowing what information assets you are responsible for managing whether you originate them or not, what processes touch those assets, and who has what roles in those processes," he said. "After you've done all of that should you start worrying about cloud aspects versus other aspects."



Comments

07/09/2009 01:32:50 PM EST

good job

dad, United States


07/09/2009 03:28:52 PM EST

"At least in our cloud, nothing will prevent them from constructing applications that are HIPAA- or PCI- [Peripheral Component Interconnect] compliant, [a] process that includes our technology as part of the [processing] chain," Coffee said. PCI stands for Payment Card Industry, not Peripheral Component Interconnect. Better not to spell the acronym out than to spell it out incorrectly.

Acronym Police, United States


07/09/2009 04:04:12 PM EST

This is a nicely written article. One issue that was missed, but lightly danced around, is "Data Escrowing" for SaaS and Cloud applications. Escrowing is basically a contract between three parties.. the provider... the customer... and an independent third-party escrow company. These types of arrangements are complicated. In short... the third party stores a copy of the provider's source code AND database information for the customer. If something "bad" happens (the provider goes under, the service is down for a long period of time, etc.) then the third party will release the source code and customer data, in some preconceived methodology. We, as a technology liability consulting firm, see some potential problems with escrowing. Without going into too much detail... your data is still housed by third-party groups that you don't control, off-site, away from your day-to-day operation. And escrowing does not remove the problem of your data being housed by a group that is solely focused on the arrival of your next payment. Now.. we are absolutely not saying that Cloud / SaaS is bad. We, like the author of this article, are simply saying... do your homework first. Sadien Staff Sadien, Inc. http://www.sadien.com

Sadien, Inc. (Sadien.com), United States


08/13/2009 02:36:49 PM EST

I work for an ISV called RainStor that launched a cloud archive service a few months ago. We have focused on the business problem of application retirement initially by delivering a service that allows companies to preserve historical data from legacy applications in the cloud. However, we’ve also been asked by many customers, partners, commentators and analysts how our cloud archive service can be used for “SaaS data escrow”. We’re keen to understand in more detail why and how companies might use cloud archive services to keep a copy of the data within their SaaS applications, so we’re running a survey. The survey is available at http://tinyurl.com/kl5l86 and we share the results with anyone who participates.

Julian Cook, United Kingdom

