February 24, 2010, 3:31 PM — There's no doubt that cloud computing is dominating today's IT conversation among C-level security executives. Whether they're lured by its compelling cost savings or its perceived advantages, security leaders are probing the capabilities and restrictions of the cloud. At the same time, security and compliance concerns remain issues holding large enterprises back from capitalizing on the cloud's benefits.
Some of the most frequently asked questions include: Is using cloud computing services advisable for applications and data subject to compliance requirements? Is compliance in the cloud even possible? And what standards are in place already to avoid the stormier implications of cloud?
Not surprisingly, any answer to these questions has to start with "It depends." Coming to a meaningful conclusion requires context. Is the cloud service public or private? The company's specific compliance requirements are also key to understanding whether compliance can be achieved.
Blanket statements regarding compliance and the cloud aren't possible because vendors can create different types of cloud services and infrastructures for single enterprises or groups. A recent National Institute of Standards and Technology (NIST) paper recognizes three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). NIST further describes four different deployment models: private cloud, community cloud (shared among several organizations), public cloud and hybrid cloud (part private, part public or community).
The different service and deployment models allow varying degrees of customer control and place different security and compliance obligations on both customers and service providers. In private clouds, for example, the organization building them is free to apply whatever set of controls it sees fit. In public, community or hybrid clouds, the customer organization does not typically have this degree of control. Furthermore, the flexibility afforded the user of an IaaS service will generally be much higher than that of a SaaS service. And with that higher degree of flexibility comes a higher degree of responsibility for security and compliance on the user's part.
While many of the benefits of cloud computing apply across different cloud service models and deployment types, the ability of the various kinds of cloud computing to address security concerns and meet compliance obligations varies widely. For private clouds, it's fairly straightforward to build controls into the cloud that enable compliance. For public cloud services, however, becoming compliant is a more challenging endeavor.