Compliance in the Cloud

By Ryan Vogel posted on February 12th, 2010

Regulations and standards such as HIPAA, SOX and PCI-DSS require many organizations to evaluate their data protection measures. Moving to the cloud has a direct impact on an organization's ability to comply with these regulations. Let's talk about two of the more challenging characteristics of cloud computing that can give organizations headaches while trying to maintain compliance.

Compliance

Practically every regulation requires organizations to protect their physical and informational assets. This starts with an implied ability to control, and prove, the answers to some fundamental questions:

  • What information is stored on a system?
  • Where is the information stored?
  • Who has access to the system?
  • What can they access?

These all presume a level of ownership over the assets in question, and this is where cloud compliance issues rear their ugly head. In a public cloud environment the first question is easy to answer; the other three, however, are not as straightforward.

As for where the information is stored: in a typical corporate colocation or data center the physical location of disks and servers is known and can be proven during an audit. Shared service providers can generally tell you which systems are being utilized and identify the data location for audit purposes.

Even with virtualization and disaster recovery in the picture, it is generally a straightforward process to identify the physical resource where your information resides. The cloud, however, by definition does not function this way at all, and this presents the first major cloud compliance problem.

The actual location of the device housing your information in the cloud is not something cloud hosting providers currently make available. This doesn't mean the provider is incapable of doing it, but that the market has not driven them to the point of providing this service. Frankly, this type of location awareness is in conflict with the purpose of cloud computing: workloads and data are placed and moved wherever the provider's capacity dictates.

What is the resolution? Ensure that the provider you use is able and willing to work with you to provide, and prove, any data location restrictions you may have.

System Access

The second compliance related issue for the public cloud is the who, what, and why of system access.

  • Who can access the system?
  • What can they access?
  • Is the access appropriate?

First: the who.

While you can always control your side of this equation, the provider has staff who can access the systems as well. The primary concern here is the administrators, both systems and application, at the provider's site. Essentially you need to know who they are.

Second: the what.

When looking at what they can access, the concern is the provider's ability to reach the underlying infrastructure or applications on which your information is stored. Is the access through the hypervisor (e.g. Infrastructure as a Service) or at the application level (e.g. Platform and Software as a Service)? The answer determines whether a provider administrator can read your data wholesale from the disk or virtual machine image, or only through the application's own access controls.

Third: the why.

This is Security 101: access should be based on a job role, and a clear description of the level of access needed should be provided. This is an issue that also arises in shared hosting facilities. The main difference is that cloud providers are not in a position to meet the requirements of many compliance documents, whereas shared hosting facilities are mature enough to have that capability.

What's the resolution? Ensure that the provider you use is able and willing to prove they use separation of duties for administrative functions, and that they have the ability to audit who had access to a system and its information, and when.

The industry as a whole needs to work on certifications for public cloud providers, as none exist today.

Dénouement

Compliance is largely about ensuring proper controls over who has access to assets, what level of access they have and how those levels are maintained. The way these things are typically ensured is through audit. The relative immaturity of the public cloud environment makes audits very difficult and sometimes impossible.

Public cloud offerings need to mature to become more standards compliant and to provide contractual language that assists customers in meeting compliance requirements. Today we are not there, but continued adoption will hopefully spur meaningful change in the compliance space.
