This article originally appeared in the April 2012 issue of Cloud Computing Magazine.
Enterprises look for application and data security regardless of where those applications and data reside. They also look for failover and disaster recovery capabilities in every premise-based, hosted or cloud-based solution they evaluate.
Federal and state laws and industry regulations such as HIPAA and PCI DSS require strict controls on what kind of data can be stored, who can access it and where it can be stored. It is possible to have much tighter control over access in fully premise-based solutions, but they tend to be costly, especially for SMBs that need to maintain multiple data center locations for failover and disaster recovery.
Cloud service providers have geographically diverse data center locations that allow for load balancing, failover and disaster recovery. Most cloud-based solutions leverage the ability to share hardware and software resources across multiple customers to provide cost benefits to both service providers and customers. And yet, it is this very same ability that endangers compliance with the various regulations. One of the questions that arises is whether it is the job of the cloud service provider or the client to be compliant. In this article we discuss some of the issues and difficulties that both service providers and clients face in obtaining cloud compliance, and some possible solutions.
Cloud Service Providers
Large public cloud service providers offer generic cloud platforms that can be used for almost any kind of application that companies or even individuals would need. Because it is impossible for these service providers to know what kinds of applications and software will be installed on their platform, being certified against every possible industry regulation and every industry-specific state and federal law is unrealistic.
There are certain basic security and access restrictions that public cloud service providers build into their platform. Most of the platform architecture is built around the use of virtual machines, or VMs. Several VMs can run on a single physical machine. To the users accessing one of these VMs, it is the same experience as accessing any other remote machine in their own network or data center, and they can employ similar security measures as well. Access can be restricted to just a few people in the network or opened to everyone on the Internet. What is missing for the users is access to the physical box itself.
Private cloud service providers, on the other hand, can restrict their platforms to certain types of industries and can obtain at least some level of compliance with the regulations of that particular industry. However, where restrictions such as limiting access to the physical machine to a select few people have to be implemented, even these service providers usually fall short.
Cloud Service Users
Organizations have to recognize that regardless of where the data or applications reside, it is their data and, in the end, they are responsible for it. They need to do their homework on the cloud service providers and understand their SLAs. If those SLAs do not match up to the regulatory expectations, then they should not use those cloud service providers. If they find providers whose SLAs live up to the compliance requirements, organizations should still put plans in place for periodic audits. They would be well advised to do so even if they own their own data centers.
Organizations should be fully aware of the type of data that they own and what can and cannot be stored in the cloud. The better strategy may be a hybrid approach in which critical data subject to strict compliance requirements, such as HIPAA, resides locally, while less critical data and applications can be pushed to the cloud.
Cloud services are a long way from being fully compliant with all the regulatory requirements. However, organizations can still benefit from them if they are able to differentiate between the types of data and applications that can and cannot be stored in the cloud, and by negotiating the proper SLAs to ensure security and access control. In the long run, though, as cloud services become more popular and more cost effective, it may be worthwhile for some regulators to revamp these regulations to keep up with changes in data center technologies.
Edited by Stefania Viscusi