This article originally appeared in the Jan. 2012 issue of Cloud Computing.
With more companies moving their networks into the cloud, a number of questions remain unanswered concerning corporate governance and regulatory compliance issues in cloud computing applications.
How safe is cloud computing for companies with sensitive data to protect?
Is it possible for companies to meet regular corporate governance standards in the cloud when many regulatory compliance specifications require data segregation, which is seemingly at odds with cloud computing infrastructures?
How true is the generally held belief that because the Internet is unsafe, cloud computing is unsafe? And are there regulatory principles in place targeted at cloud computing users?
Among the drivers for this debate are the best practices recommendations and requirements of the King III Code of Governance Principles for South Africa, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry (PCI) standard and Sarbanes-Oxley (SOX) and other standards in the US.
Undoubtedly, the cloud computing environment places no less a premium on solid management and the maintenance of a culture of integrity-driven performance than any other corporate IT environment of the past.
It therefore presents similar governance and compliance challenges not only for companies, but also for governments, investors and many other stakeholders in the corporate world.
Unfortunately, there are those who believe compliance will be impossible to achieve within the cloud, as companies cannot take responsibility for who accesses their data, who views it, and where (and how) it is stored, since a basic tenet of cloud computing is that data can be held and stored “anywhere.”
They also point to the security challenges associated with insecure interfaces and APIs relied upon by cloud service providers for many of the management functions. As cloud customers continue to build on these APIs, the complexity and risk continue to increase. And they highlight the risks associated with the high volumes of interactions associated with shared services in the cloud.
Cloud computing protagonists, on the other hand, say a key premise of regulatory compliance and good corporate governance is the integrity of the audit process. It’s a process required to keep track of all data components – whether they’re located in multiple corporate data centers or somewhere in the cloud.
They acknowledge that it’s a demanding process and special care is required to achieve success. There is no shortcut – no silver bullet – when it comes to ascertaining where a company’s data is stored and what networks it has passed through.
Probably the best route to security compliance is to hire a third-party auditing firm capable of identifying cloud computing weaknesses by observing processes in detail through “penetration testing.”
This will help to provide a platform from which to interrogate data repositories to meet compliance objectives such as the regular appraisal of management performance and accountability and the identification of incidents of administrative failures.
There is also a need to address breaches of legislation and internal processes while achieving greater value for compliance spend which, in turn, will improve stakeholder and regulator relationships and build more open communication channels between the two camps.
The first steps to be taken before attempting to meet these and other targets include a definition of the type of cloud computing services employed and the cloud infrastructure models involved.
Significantly, there is no “one size fits all” approach when it comes to compliance issues in the cloud. The corporate cloud computing environment must be clearly understood so that a comprehensive, best practices approach can be designed and adopted.
Essentially there are three cloud service types: Infrastructure-as-a-Service (IaaS); Platform-as-a-Service (PaaS); and Software-as-a-Service (SaaS). And there are basically two deployment models – the private cloud and public cloud (ignoring any hybrid combinations).
Within these types and models, the levels of control afforded the user differ greatly. So does the auditor’s ability to effectively and accurately track data.
For instance, in private clouds, the number and type of controls are at the prerogative of the user and can vary from super-efficient to non-existent.
In a public cloud, while the user organization does not have much say over the controls in place, service provider reputations are at stake, which generally helps ensure a professional approach – limiting the risks associated with unauthorized access to intellectual property and customer information.
When it comes to service types, it’s accepted that greater control – and therefore regulatory compliance – is possible within an IaaS model compared to SaaS or even PaaS models. This is due to the ability of the user to deliver the key compliance requirement – data segregation – should the entire corporate computing infrastructure be offered as a cloud-based service (IaaS), preferably within the scope of a private cloud.
Why a private cloud? Because a private cloud makes use of dedicated hardware, it is comparatively simpler to segregate the data on separate servers and in separate virtual machines (VM). This allows businesses to maintain regulatory compliance while benefiting from cloud computing.
Significantly, many regulatory compliance specifications, while maintaining data segregation as a core requirement, do not specifically address how it is to be achieved within the cloud, either private or public.
Fortunately, the technology driving cloud computing is constantly evolving. As it advances, many of the compliance and corporate governance concerns are being tackled and eliminated by global specialists.
For example, the SAS 70 compliance environment (Statement on Auditing Standards 70) issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) can be made applicable to cloud computing environments.
In addition, a feature called File Classification Infrastructure (FCI) has been introduced on IBM’s Windows Server 2008 (Release 2), designed to tag files carrying personal or financial information and other increasingly regulated data. All that’s needed is a workflow program to allow developers to use the data in cloud applications.
These and other imminent breakthroughs point to a future in which an organization opting for a cloud computing solution will have access to secure, fully compliant clouds featuring technology innovation and sustainable business ecosystem development with full regulatory compliance.
Edited by Stefania Viscusi