Cloud computing – Security Implications: Compliance
In the previous articles on cloud computing we considered the security implications of choosing a provider, as well as what needs to be done to have security in the cloud. Next we will discuss what cloud computing means for our compliance obligations.
Cloud computing can be a tricky situation for compliance and in certain cases could make true compliance impossible. Consider a scenario in which your data resides completely in the cloud and you get a compliance requirement to make sure that data is available exclusively to certain people. In most cases access control is actually under the control of the provider, so one cannot be sure who has access to that data and who doesn’t. Furthermore, we certainly do not control physical access to the server holding it, and that is one aspect we definitely cannot secure ourselves.
Things can get even trickier when you have data that transits between your own servers and cloud services. In such a case one will need to ensure compliance both on one’s own site and in the cloud, and it is very likely that these two will require completely different approaches and policies.
Worse yet would be forensics and auditing, as with cloud computing you might not get full access to logs, making such tasks all but impossible. Another nightmare scenario is when certain servers share data between multiple companies, which can be quite common with SaaS (Software as a Service). How will this affect your compliance? Whilst I’m no lawyer, I can think of some possible issues one might face.
- Will it be the service provider who needs to achieve compliance or your business?
- If it’s the service provider, and one of its customers breaches PCI (e.g. saves credit card data in a word processor document within the cloud), will all companies using that service be deemed non-compliant?
- If you are the one who needs to achieve compliance, how are you going to audit the part of your business residing in the cloud?
- How will auditing work? Will the whole service be audited as one entity, or will there be logical separation of the data depending on who is using it?
- Will an audit exercise require the permission of everyone using the service, even those who are not seeking that compliance?
Ultimately the cloud is still young. I am sure that as time goes by these issues will be investigated in more depth and clear guidelines will be drawn up. Right now there doesn’t seem to be a clear answer: there are people claiming that the cloud will make compliance easier, others say that it offers the same level of difficulty, while there are those who say that it’s impossible. What is really important is that if your business needs to achieve compliance with any standard, you take these points into consideration if you plan to run services in the cloud.
You pose some EXCELLENT questions. I hope they will be investigated because I as a business owner (albeit a very small one) am very interested in the answers!
Hi Sue,
I guess there will never be a common answer between cloud providers; I mean most likely every one of them will approach each aspect in their own way. Still, as cloud services become more popular I think we can expect that some things get standardized across providers.
In any event even when that happens I would still recommend that anyone switching over to a cloud solution discusses these points with their prospective provider before making any commitments.
I agree with cloud computing still being in its development stages, but with the internet aging at an exponential rate, we’ll definitely be seeing some substantial progress within the field in the next five years or so. I wouldn’t be surprised if, by then, the security of cloud computing has jumped leaps and bounds ahead from where we are now. But then again, the ways to exploit it won’t be too far behind.
Definitely good points to think about with regards to security and computer compliance.
Hi Jeremy,
You’re right obviously, as things mature they will become better at securing themselves; however, the main point of the article was not about the security of cloud computing but rather how that will affect one’s compliance obligations.
For example, PCI prohibits the storing of credit card numbers on business systems. Now logically cloud computing is effectively a huge system shared between parties, so if one party were to break this rule what would that mean to your compliance? Technically the system you’re using is non-compliant even though your business might not be the culprit.
Even worse some compliances involve auditing as part of the compliance processes but if you do not have access to the low level logs you are unable to actually do those audits which are essential for compliance.
In short some compliances might need revising to deal with the cloud computing reality or maybe cloud computing might need to open up more and give low level access to its customers to help them achieve their desired compliance. It’s a subject that requires some thought.
“Even worse some compliances involve auditing as part of the compliance processes but if you do not have access to the low level logs you are unable to actually do those audits which are essential for compliance.”
I think this sort of article uncovers the Catch-22 nature of cloud computing, most especially with regards to compliance. This “damned if you do, damned if you don’t” mentality surely doesn’t benefit anyone in the short or long run. I definitely agree that this kind of system needs revising, if not a complete overhaul.
I have no idea what will happen obviously. I would imagine either compliance will adapt and allow the service provider to take care of the compliance for their customers or the cloud environment will evolve into a better system that is more enclosed and allows complete access to the customer.
If I had to hazard a guess I think cloud service providers will try to push for compliance to adapt to their business model because if the customer is given more power on his cloud set up this will result in added complexity for the customer and there is the risk that most of the allure that people have for cloud computing will be lost.