January 30, 2009, 11:22 AM — Using the cloud for data processing and storage may have its advantages in terms of simplicity and cost, but ensuring regulatory compliance will not be nearly so simple.
What it all comes down to, ultimately, is that the user organization is responsible for figuring out who is doing what to its data and requiring assurances about the data staying in compliance.
"In certain cases, compliance will be impossible," predicted Jim Haskin, senior vice president at Websense Inc. , a security services vendor in San Diego. "It is difficult to take full responsibility for who can access data, who sees it and how it is stored, since the premise of the cloud is that customers don't necessarily need to know or care where their data is," he added.
"As enterprises start to run their entire networks on the cloud, existing certifications [such as Gramm-Leach-Bliley, etc.] start to break down," added Jonathan Bryce, co-founder of Mosso, the cloud division of Rackspace Inc. , a hosting firm in San Antonio. "The certifications assume that the enterprise controls everything, and it's all located within their office building."
But some observers make the point that the cloud doesn't necessarily complicate compliance issues. "The concept of auditing is to track everything that goes on, whether it's across the cloud or across multiple data centers of the same firm -- tracking is no different no matter where the various components are," said Mike Karp , senior analyst at Enterprise Management Associates Inc., an enterprise IT consultancy based in Boulder, Colo.
In fact, various sources agreed that regulatory compliance is often possible with cloud computing, although it takes special effort. As noted by Chris Day, senior vice president at Terremark Worldwide Inc. , a cloud service in Miami that offers what it claims is a fully compliant cloud, "There is no magic solution." The basis of Terremark's compliance is that Terremark claims to know where the client's data is and what parts of the network it passes through, even if that complexity is invisible to the client.
That said, each separate compliance environment requires specific attention, Day added.
Compliance environments that experts cite as important for cloud computing included auditing-related standard SAS 70, Payment Card Industry Data Security Standards (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA.)
SAS 70 refers to "Statement on Auditing Standards 70: Service Organizations," issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). According to Judith Sherinsky, manager of audit and test standards at the AICPA in New York, "SAS 70 applies when an audited entity sends data to a service organization, which does something to that data and sends it back to the user, who uses that data in its financial statements." An example is if corporate inventory data is sent to a cloud-based data center where a total valuation will be assigned to it -- a valuation that will later show up in the corporation's annual report.
Compliance with SAS 70 is fairly involved. It requires the following components, Sherinsky explains. Whichever vendor or entity is managing the cloud has to be able to describe what is happening, where the information comes in, what the vendor does when it gets the information, how it gets back to the users, the controls over the processing of the data and, most importantly, what is happening to the data when it gets to the cloud.
So, the basis of SAS 70 cloud compliance, Sherinsky explains, is that if there are material numbers coming from data that has been stored or in any way acted upon by a cloud vendor, there needs to be a full understanding of what's going on and who's doing what. "Ultimately, we say that the management of the user entity is responsible for their data, and they need to know what is going on with their data, or hire somebody who does."
With SAS 70, "you are building a control framework that your auditor feels is appropriate," added Day at Terremark. "For instance, SAS 70 does not talk about encryption, but I can make encryption part of my audit framework, and SAS 70 will show that I am doing it."
Bryce at Mosso noted that compliance with Sarbanes-Oxley (concerning corporate financial controls) and Gramm-Leach-Bliley (concerning, among other things, banking privacy) can be incorporated into SAS 70 compliance.
Additionally, "one of the benefits of having SAS 70 is that it is seen as an operational certification to help satisfy HIPAA requirements," Day said. "As a HIPAA-regulated organization, you have to ensure that all your business partners are also HIPAA compliant. They like to see SAS 70, since it checks a lot of things on the list."
Compliance with PCI DSS is complicated by the fact that part of the processing of credit card transactions must take place within the merchant's point-of-sale system, even if the rest takes place in the cloud.
"There are two components, ours and the customers'," Day said. "We go through annual audits to make sure that we meet all service provider criteria for PCI compliance, but that does not mean that the customer is PCI compliant. The customer is starting ahead by using us, but they still have to add their own controls and technology."
PCI responsibilities of the cloud provider include firewalls, intrusion detection, disaster recovery, physical controls and appropriate segmentation of staff duties, Day noted. Servers handling PCI data should be in a separate room with solid walls and a monitored door, rather than being placed in the main floor of the data center with the other servers, he indicated.
However, the customer-side application has its own requirements, including storing identifying card information no longer than is necessary to process the transaction. "But if you do those things and you are on [Terremark's] baseline, you're going to get to compliance in a relatively straightforward manner," Day said.
"We can certify that the memory is cleared out," said Bryce at Mosso. "But the specification also says that the place where the data is stored can only be accessed by you, and servers that you control are locked down." But in the cloud environment, servers may be shared by multiple clients, and even if they are not, there remains the question of whether the client or the cloud vendor controls them, he noted. "It's a gray area," Bryce said.
"HIPAA is a big monster, with a lot of facets," noted Day at Terremark. "I have to be able to warrant to customers that they are in a HIPAA-compliant environment, that the environment is suitably secure both physically and logically, that the data is protected, and that we have controls in place to keep people from walking in and picking up a hard drive containing patient data.
"But customers still have an obligation to encrypt the data and ensure that the data is handled properly," Day added.
Day noted that encryption is not absolutely required under HIPAA, but if there is no encryption, then there must be other mitigating controls such as physical security to prevent unauthorized access. Personal data sent over public networks must be encrypted, however. It is also necessary to log access and validate who has access, and do periodic reviews to make sure that those people who do have access have a good reason to be viewing the data, Day noted.
"The biggest violations result from people getting sloppy as to who can access patient records," he noted.
Paul Horvath, chief technology officer at TC3 Health LLC in Costa Mesa, Calif., said he was able to put together a HIPAA-compliant cloud application that looks for fraud and billing errors in backlogs of health care insurance payment claims. He said he chose to use Amazon's cloud service to avoid investing in the amount of hardware it would take to analyze 20 million claims at a time. But to ensure HIPAA compliance, he strips out all "protected health care information" before uploading the data, so that only transaction data reaches the cloud.
"But we also encrypt the data, and we would have been compliant just from doing that," he said. Horvath said that he saved $500,000 over the cost of acquiring the necessary hardware, licenses, power and cooling, by using the cloud.
A huge piece of work
Whatever regulatory environment is targeted, cloud-based compliance is nearly always a nontrivial task.
For instance, "first we document everything," said Martin Dubois, chief counsel at Taleo Corp. , a vendor in Dublin, Calif., that offers cloud-like human resources services. "Whatever we do -- be it encryption, access controls or separation of duties so that no one individual can control the process from beginning to end -- it is documented. When we code an application, we make sure that the one who wrote the code is not the one who reviews the code. Every week, we have several compliance audits by customers. With SAS 70 reports, they can see the compliance for themselves."
But some forms of compliance may remain elusive in the cloud. "It does not work where you have artificial restraints imposed by legislation," said Alistair Croll, analyst at Bitcurrent, a research firm in Montreal. "France, for instance, insists that certain types of records stay within France, so you cannot use Amazon in that situation, since you cannot guarantee where your data will be stored."
As more companies turn to the cloud to save money and gain flexibility, there's no doubt these and other compliance issues will continue to be raised.
Lamont Wood is a freelance writer in San Antonio.