Spotlight on Cloud Computing: Keeping Tabs on Your Data’s Address

Cloud computing was among the most talked about – and certainly the most hyped – technologies of 2010. The overwhelming majority of observers and commentators on the IT industry believe that the cloud will grow further in importance in 2011 and 2012.

According to the 2010 cloud security report by Jonathan Penn of industry analysts Forrester Research, a return to economic growth will increase, not decrease the importance of the cloud over the next few years. Forrester believes that cloud computing will affect most segments of the global IT industry, including outsourcing, computer services, hardware and software. Security and compliance, however, remain significant obstacles to using the cloud, especially among larger enterprises and public sector organizations.

In a survey of IT buyers, Forrester found that security and data privacy concerns were cited as barriers to moving to cloud computing by 50% of respondents. A further 22% pointed to “specific compliance requirements that service providers can’t meet” as reasons for not moving to cloud computing.

Business managers, as well as IT services vendors, and even some analysts and consultants, often group together regulation and compliance with information security.

In practice, although there will be a degree of overlap between security risks and threats to compliance – and some of the problems can be addressed using similar tools – there are enough differences to make regulatory compliance a separate question for information security professionals working with the cloud.

Although good security should be part of any and every cloud computing project, regulation and compliance means understanding the liabilities that can arise, not just in the event of a data breach or security failure, but by breaking industry rules or national laws, even through the simple act of moving a business process, application or, above all, data to the cloud.

The Globalization Quandary

According to Chenxi Wang, another analyst at Forrester, “support for regulatory, regional, or internal policy compliance is arguably the weakest aspect of cloud computing.” Software-as-a-service companies usually lack thhe data-level controls that businesses need to manage compliance. Such controls are easier to implement in infrastructure-as-a-service cloud models, but Forrester cautions that those cloud services are not yet available in enough countries to ensure that businesses can store data in the jurisdiction of their choice.

At the same time, there are relatively few regulations or laws that apply only to cloud computing, or that even specifically single out the cloud as a type of IT service. Hardly any regulations, with the exception of the newly released PCI DSS 2.0 standard for payment cards, and the US-based HITECH Act for HIPAA (health data), even make specific mention of the cloud or third-party services.

With only a very few exceptions, however, if there is a compliance breach, it is the company that owns the data, not the company that is hosting it, that will end up in court or be fined by regulators.

Where’s My Data Gone?

The main risk to businesses lies in a breach of existing regulations, rather than in breaking rules that relate specifically to the cloud. Often this is caused by business managers rushing to deploy cloud services, says professor John Walker, a member of the ISACA Security Advisory Group.

“The rush to engage [with the cloud] is driven by business requirements, and they are not looking at how to engage properly”, Walker says. “There are examples where organizations have outsourced, and found themselves in the cloud without even realizing it. So you have to have a clause in any contract that says that the cloud provider or outsourcer can’t outsource again… you may think you know where your data is, but it has disappeared.”

One of the most fundamental problems of compliant cloud computing is where data is stored. As cloud computing is based on virtualization, it is very easy for service providers to move data between physical servers, data centers or even countries. This separation between data – or applications – and the physical infrastructure underpins much of the cloud’s flexibility and cost efficiency. But it also creates a serious problem when it comes to data protection and compliance.

According to David Cearley, of industry analysts Gartner, concerns about compliance and regulation, and specifically the impact of storing data or running applications on shared IT platforms, will cause some businesses to opt for private clouds over public cloud computing infrastructure.

Other organizations will turn to ‘community clouds’, open to a smaller set of users such as those in government or healthcare, to better manage compliance. Cloud providers, he says, will start to offer more “course-grained” security measures, such as the physical separation of different customers’ data, in order to address some of the concerns raised both by regulations, and security risks.

In particular, cloud service providers will need to be more specific about the measures they take to separate clients’ data, applications and virtual machines, and the access the provider’s own systems administrators have to customers’ workloads.

Until such points are addressed, businesses and public sector organizations need to be cautious about their approach to cloud computing, suggests Seamus Reilly, a director in the technology, security and risk services practice at Ernst & Young.

“In terms of the regulatory framework, very little has changed as a result of cloud computing”, he says. “Moving away from the hype, it is nothing more than another form of outsourcing, and what we’ve learned from outsourcing is equally true in the cloud.”

“It is important not to view the cloud as dramatically different from the technology that has been around for decades”, agrees Francis Ofungwu, head of security strategy at Rackspace, a hosting and cloud services provider. “The cloud allows us to create efficiencies with available technology by making computing resources more cost effective and much more scalable. But the current laws, regulations and legislations that govern the way we deliver services in the managed hosting world still apply in the cloud.”

This means that the organization that owns the data still needs to be able to answer questions about where it is stored, and how it is handled. “Where data resides, and whether it can move across jurisdictions, is key”, cautions Ernst & Young’s Reilly. “To answer ‘it is somewhere in the cloud’ is not acceptable anymore.”

Such questions are especially difficult for multi-national organizations to answer, as they might do business in markets such as Germany, which has highly restrictive regulations, or the US and Australia, where rules are more flexible.

At the same time, as Forrester warns, cloud service providers vary quite widely in their ability to tell customers where their data is. Microsoft and software-as-a-service vendor Salesforce.com are “relatively forthcoming” about data center locations, points out Chenxi Wang. Google, according to Forrester’s analysis, is not.

Although there are some cloud providers that claim some regulatory compliance, especially with PCI DSS, the lack of clarity on data locations could force businesses to do one of two things. Firstly, they could restrict their use of cloud computing to low-level tasks that do not involve personal, medical or financial data. Secondly they could contract only with services that can meet specific requirements about their data handling or data center locations. This could force organizations that want to use the cloud to turn to (often) more expensive and less flexible private cloud or dedicated hosting contracts, in order to ensure compliance.

Keep Sensitive Data Close

Another alternative might be to rewrite or reconfigure applications, so that sensitive or regulated data is kept on separate cloud-based or even internal servers, while non-sensitive data is moved to a cheaper location. Aside from the cost and complexity of altering applications, such moves create the risk of data duplication, and could still give rise to a regulatory breach.

Even where organizations are able to separate sensitive and non-sensitive data in their core business systems, there is still a risk that data might be moved to a non-compliant cloud service through a secondary application, such as an email server or a back-up utility. IT departments need to be especially careful if they are replacing in-house systems for, say, back-up – that have been tested for compliance – with a cloud-based solution that has not.

“It is a question of educating the business in the risks of inadvertent non-compliance”, says Rupert Chapman, an expert in cloud computing at PA Consulting Group. “The CIO should help the business understand the implications of the decisions they make. People are being conditioned by the sorts of [cloud] services they use at home, perhaps for storage or sharing. They can become frustrated by controls on the services they use in the workplace and use a credit card to sign up for something in the cloud, without realizing that they are breaking regulations.”

The risk of inadvertent non-compliance can be reduced, if not entirely eliminated, if an organization adopts a cloud computing strategy, including a list of approved suppliers and rules governing which applications, and which data types, they can host.Creating a cloud strategy, and ensuring that the business is aware of it, is a task for the CIO and the CISO as much as it is for compliance teams. As long as most laws and regulations have yet to catch up with developments in the cloud, awareness raising and education remain the best way for organizations to ensure that they stay compliant.