Comments on: Cloud computing – Security Implications: Compliance

By: Emmanuel Carabott

Emmanuel Carabott — Wed, 18 Aug 2010 10:24:05 +0000

I have no idea what will happen obviously. I would imagine either compliance will adapt and allow the service provider to take care of the compliance for their customers or the cloud environment will evolve into a better system that is more enclosed and allows complete access to the customer.

If I had to hazard a guess I think cloud service providers will try to push for compliance to adapt to their business model because if the customer is given more power on his cloud set up this will result in added complexity for the customer and there is the risk that most of the allure that people have for cloud computing will be lost.

By: David Moore

David Moore — Thu, 12 Aug 2010 17:32:03 +0000

“Even worse some compliances involve auditing as part of the compliance processes but if you do not have access to the low level logs you are unable to actually do those audits which are essential for compliance.”

I think this sort of article uncovers the Catch-22 nature of cloud computing, most especially with regards to compliance. “This damned if you, damned if you don’t” mentality surely doesn’t benefit anyone on the short or long run. I definitely agree that this kind of system needs revising, if not a complete overhaul.

By: Emmanuel Carabott

Emmanuel Carabott — Wed, 11 Aug 2010 10:58:32 +0000

Hi Jeremy,

You’re right obviously, as things mature they will become better at securing themselves; however, the main point of the article was not about the security of cloud computing but rather how that will affect one’s compliance obligations.

For example PCI prohibits the storing of Credit card numbers on business systems. Now logically cloud computing is effectively a huge system shared between parties, so if one party were to break this rule what would that mean to your compliance? Technically the system you’re using is non-compliant even though your business might not be the culprit.

Even worse some compliances involve auditing as part of the compliance processes but if you do not have access to the low level logs you are unable to actually do those audits which are essential for compliance.

In short some compliances might need revising to deal with the cloud computing reality or maybe cloud computing might need to open up more and give low level access to its customers to help them achieve their desired compliance. It’s a subject that requires some thought.

By: Jeremy

Jeremy — Tue, 10 Aug 2010 18:21:00 +0000

I agree with cloud computing still being in its development stages, but with the internet aging at an exponential rate, we’ll definitely be seeing some substantial progress within the field in the next five years or so. I wouldn’t be surprised if, by then, the security of cloud computing has jumped leaps and bounds ahead from where we are now. But then again, the ways to exploit it won’t be too far behind.

Definitely good points to think about with regards to security and computer compliance.

By: Emmanuel Carabott

Emmanuel Carabott — Mon, 02 Aug 2010 09:33:18 +0000

Hi Sue,

I guess there will never be a common answer between cloud providers; I mean most likely everyone of them will approach each aspect in their own way. Still as cloud services become more popular I think we can expect that some things get standardized across providers.

In any event even when that happens I would still recommend that anyone switching over to a cloud solution discusses these points with their prospective provider before making any commitments.

By: Sue Walsh

Sue Walsh — Thu, 29 Jul 2010 06:45:55 +0000

You pose some EXCELLENT questions. I hope they will be investigated because I as a business owner (albeit a very small one) am very interested in the answers!