The role of auditors is to hold businesses to well-defined standards, and those standards just don't exist for cloud environments, says Chris Richter, vice president of security services for Savvis, who led a panel on cloud security. So auditors tend to err on the side of caution.
"They will be more strict because there are no clear policies for it," he says.
The rules will come with time, but they don't exist yet, so businesses need to be careful what data they submit to clouds and be sure data subject to compliance standards such as HIPAA, PCI and Sarbanes-Oxley can be provably handled within those standards.
"Auditors want to see the guts of the cloud," Richter says, and that is something many cloud providers don't allow. Many keep their physical architectures, policies, security, virtual LAN structure and other essential factors secret. "If they can't see how data flows, how VLANs are segmented, see how your data is partitioned from others', they won't OK it."
Complicating the issue is how identity and access management is handled so unauthorized users can't get into corporate cloud resources, he says. "I'm not aware of anybody who's pulled off a really effective identity and access management in the cloud," Richter says.
That said, he thinks it's possible to use private clouds for even the most sensitive information. "The most robust private cloud I am aware of, yeah, I would be confident putting my most valuable data there," he says. Part of that is the level of control the business retains over the data, the applications and the infrastructure in a private cloud. "You can put more trust in what you are doing," he says.
Regardless of whether a cloud gains the trust of a business and can earn the approval of an auditor, the responsibility for protecting the data stays with the business; outsourcing the application or the platform or the infrastructure doesn't outsource the responsibility, he says.