Can you trust your public cloud provider?
Secure public cloud services aren't a pipe dream; service providers just have to connect some of the dots. How close are we to regulatory compliance in the cloud?
In a recent speech to a roomful of large organization IT professionals, I was asked to explain private cloud computing. During our conversation, however, the topic very quickly turned toward public cloud.
This happens a lot, particularly among IT pros who don't yet fully understand these two concepts. Yet it was the emotion stemming from these differences, not the technical differences themselves, that struck me as notable. To make a sweeping generalization, large organization IT trusts no one.
Is a vendor assertion of compliance enough?
Any finger-pointing, however, appears to be equally directed toward both legitimate potential risks and the very vendors that supply a large organization's IT needs.
It is this mindset, in my opinion, that places so many large organizations at odds with public cloud. No matter which major form of public cloud you are considering, the internal cultures and processes of large organizations are poorly suited for extension into the cloud.
A major component of that misalignment has to do with the (very legitimate) concerns of data security and data ownership, along with some industry and governmental regulations. Certain established regulatory and security policies were created long before the notion of public cloud entered IT's collective eye. In many cases, these prohibit the storage, processing or transmittal of data across assets not owned by the company.
Ignoring for a moment the gory details of security policy or regulatory compliance requirements, think for a minute about how this hurdle might be overcome. Listening to the individuals in that room -- and many others just like it -- you'll hear the same arguments:
- "We can't ensure data security in a cloud service."
- "We can't ensure that we're meeting regulatory compliance in a cloud service."
- "We can't ensure inappropriate accesses are prevented in a cloud service."
These assurance concerns are absolutely valid: everyone in that room has security policies to meet and regulatory compliance to fulfill. At issue, though, are the mechanisms by which those policies can be met.
Dreaming of regulatory compliance in the cloud
Few in our industry can say that they are experts at regulatory compliance; most know that if they follow a specific set of agreed-upon steps in configuring and maintaining systems, they'll get a good grade when the auditor walks in the door.
Yet achieving security and compliance fulfillment can be a contractual thing, as well as a technical thing. Consider a situation where your business falls under the rules of some regulation like Sarbanes-Oxley (SOX). You'd then have a series of activities necessary to maintain compliance for each device and service: Turn on the firewall, configure Event Log settings, restrict rights and permissions, and so on. Completing these steps and assuring they remain unchanged means achieving fulfillment.
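The "complete the steps and assure they remain unchanged" half of that sentence is where tooling helps, whether the party doing the work is your own staff, a contractor, or a cloud provider. The following PowerShell script is an added example and not part of the original column: it snapshots the three settings named above (firewall state, Event Log configuration, and local Administrators membership), saves the snapshot as a baseline, and later reports any drift from it. It assumes an elevated session on Windows 10 / Server 2016 or later (for the `NetSecurity` and `LocalAccounts` modules); the baseline path and the choice of logs to check are my own.

```powershell
# Added example: capture a compliance baseline for the settings the column
# lists, then detect drift from it. Not the article author's code.

$BaselinePath = 'C:\ComplianceBaseline\baseline.json'   # hypothetical location

function Get-ComplianceSnapshot {
    # 1. Firewall: each profile should be on, with inbound traffic blocked by default.
    $firewall = Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Check = "Firewall:$($_.Name)"
            Value = "Enabled=$($_.Enabled);DefaultInbound=$($_.DefaultInboundAction)"
        }
    }

    # 2. Event Log: size and retention mode of the logs an auditor will ask for.
    $logs = foreach ($name in 'Security', 'System', 'Application') {
        $log = Get-WinEvent -ListLog $name
        [pscustomobject]@{
            Check = "EventLog:$name"
            Value = "MaxBytes=$($log.MaximumSizeInBytes);Mode=$($log.LogMode)"
        }
    }

    # 3. Rights and permissions: who holds local administrator rights.
    $admins = (Get-LocalGroupMember -Group 'Administrators' |
               Select-Object -ExpandProperty Name | Sort-Object) -join ','
    $rights = [pscustomobject]@{ Check = 'LocalAdmins'; Value = $admins }

    @($firewall) + @($logs) + @($rights)
}

function Save-ComplianceBaseline {
    # Run once, after the hardening steps have been completed and reviewed.
    param([string]$Path = $BaselinePath)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-ComplianceSnapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Test-ComplianceDrift {
    # Compare the live system to the saved baseline; emit one object per difference.
    param([string]$Path = $BaselinePath)
    $baseline = @{}
    foreach ($item in (Get-Content -Raw -Path $Path | ConvertFrom-Json)) {
        $baseline[$item.Check] = $item.Value
    }

    $drift = foreach ($item in Get-ComplianceSnapshot) {
        if (-not $baseline.ContainsKey($item.Check)) {
            [pscustomobject]@{ Check = $item.Check; Expected = '<not in baseline>'; Actual = $item.Value }
        }
        elseif ($baseline[$item.Check] -ne $item.Value) {
            [pscustomobject]@{ Check = $item.Check; Expected = $baseline[$item.Check]; Actual = $item.Value }
        }
    }

    if ($drift) { $drift } else { Write-Host "No drift from baseline at $Path" }
}

# Typical use: Save-ComplianceBaseline once, then schedule Test-ComplianceDrift.
Save-ComplianceBaseline
Test-ComplianceDrift | Format-Table -AutoSize
```

The drift report, run on a schedule and archived, is exactly the kind of evidence that backs an "assertion of fulfillment": it shows both that the controls were set and that they stayed set. A string-valued snapshot keeps the comparison simple and the JSON baseline easy to hand to an auditor, at the cost of reporting a whole check as changed rather than the individual property.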
But who's to say another party couldn't complete these activities on your behalf? Who's to say that same party couldn't legally and contractually assert said completion? If this external party provided a legally and contractually binding assertion of SOX fulfillment, would that be enough to meet the needs of your auditors?
You're already doing this in several ways. You hand IT administration tasks to outside contractors who work within your walls; those people aren't employees. From a legal perspective, that company/contractor relationship isn't a far cry from the relationship between company and cloud service provider: They're performing a service while giving you an assertion of fulfillment vis-à-vis their contract with you. In return, you give them the keys to your applications.
In any case, some level of auditing is obviously required. In the cloud scenario, one assumes it would be completed by the vendor's auditors with the results federated to yours. If every auditor is equally certified and follows the same rules -- which, in a perfect world, they do -- this federation of auditing could be considered valid fulfillment.
We might not be fully there yet, though; by nature, security and regulatory compliance are always a trailing function. That said, the seeds of this future state are already being sown. In January of this year, the National Institute of Standards and Technology (NIST) released its first special publication on cloud computing. Still in draft, this document outlines NIST's definition of cloud computing while delivering very high-level guidance for entities considering moving toward or away from public cloud services.
In the end, is a vendor assertion of compliance enough? Possibly. One hopes such assertions may soon provide the necessary legal backing that facilitates cloud computing adoption in large organizations. The economics of that movement are already well-established. All that remains is the trust.
ABOUT THE AUTHOR:
Greg Shields, Microsoft MVP, is a partner at Concentrated Technology. Get more of Greg's Jack-of-all-trades tips and tricks at www.ConcentratedTech.com.