Can Cloud Computing Handle Compliance?
January 2nd, 2009 By: Rich Miller
Is cloud computing secure enough to meet enterprise regulatory compliance requirements? There was an interesting back and forth on this topic Wednesday between Chuck Goolsbee at SearchDataCenter.com and Michael Sheehan from GoGrid. Chuck’s big-picture take is reflected in the title of his column: “Don’t buy cloud computing hype: Business model will evaporate.” He bases his skepticism on a number of factors, including his doubts that cloud computing providers can meet regulatory compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS), which is essential for e-commerce:
The auditors have a very clear idea of exactly what they want to see in terms of server infrastructure, software configuration and network deployment. Deviations from the script are hard to get away with. Paramount to everything is the ability to audit. To see where, when and how payment card data is used. When they ask ‘where is X?’ you have to point to a specific spot (be it a server, a file system or a database table) and say, ‘X is right there.’ You also have to prove that X has not been altered without record of it, nor has ever left the building in an insecure or unencrypted state. So can any of this be trusted to a cloud? I doubt it.
Chuck has other reservations about the cloud computing business model. But since concerns about security are cited as the leading barrier to cloud computing adoption, let’s take a moment to examine the compliance issue in greater detail.
Regarding PCI DSS, several providers say they have achieved certifications for customers using cloud platforms. These include Terremark Worldwide (TMRK) which describes its Enterprise Cloud platform as “certified as PCI DSS Compliant,” and Savvis Inc. (SVVS), which offers a version of its just-in-time utility computing platform that is customized for online retailers and includes PCI solutions.
The issue of PCI compliance has also been discussed at Amazon Web Services (AWS), where the data center team is well acquainted with e-commerce compliance standards, but will currently say only that Amazon is “in the process of, and will continue our efforts to obtain the strictest of industry certifications in order to verify our commitment to provide a secure, world-class cloud computing environment.”
In his response to Goolsbee, Sheehan said he “somewhat agrees” with Chuck’s security concerns – but not entirely.
It is impossible to fully audit what I call ‘disposable IT.’ However, the shift from CapEx to OpEx means that auditing methods need to be re-evaluated. In the past (and currently), if you wanted to requisition hardware, there was a process for doing so. It took time and had rigorous approval processes built in. Now, with the Cloud, you can do this ‘on the fly’ and servers in the Cloud can be created and disposed of extremely quickly. With data in general, you can never fully have ‘absolute certainty’ with an audit. Compliance requires a ‘reasonable certainty’, especially since data isn’t persistent in or outside of the Cloud. So, saying that the Cloud model will fail because it isn’t compliant or can’t be audited is erroneous.
For further reading, see Cloud Computing and PCI Security, a review of the topic by Michael Dahn of the PCI Blog. Dahn compares the current debate to earlier concerns about compliance in a virtualized environment.
“The reality is that virtualization can be compliant as long as it’s properly configured and managed,” Dahn writes. “Do you notice that with each new year a new technology raises issues about compliance? Compliance people claim it cannot be used and technology people claim they want more attention paid to them. Sigh. Expect this to occur out into the future.”
I could be convinced to alter my views on the compliance issue, but only when I hear it straight from an auditor (as opposed to a cloud provider.) Additionally Statement of Accounting Standards (SAS70) is not the right compliance standard to hold up as an example, as it is the least relevant, and least strict from an infrastructure perspective.
What then about my other points?
1. The business model of “cloud provider” is only sustainable for somebody selling excess capacity. It is unlikely that a “cloud provider” can succeed in a stand-alone fashion.
1a: What happens when that excess capacity is needed for its primary purpose? Or, what happens when the application running in the cloud succeeds far beyond the cloud’s ability to support it? How can you financially survive the former event as a user, or the latter event as a cloud provider?
2. The media needs to demand clarity of terminology. ASP/SaaS!=Cloud. “Cloud” is really a lower-level concept independent of the application layer. Perhaps I’m being pedantic but I find it irritating when the terminology is used interchangeably.
Your original post covered a lot of ground. I think the business model is an interesting question, and one that has to be on the minds of cloud providers and their investors. The capital issues you identify are real, but vary from provider to provider. Some “cloud” providers actually own their own data centers, others appear to use colo space, and some simply run stuff atop AWS or another third-party platform.
On the provider side, it boils down to a hardware utilization game. Amazon started AWS to monetize surplus capacity, since it had the hardware available to manage the Christmas traffic crush. Rackspace thinks it can make more money per server in the cloud, but it’s also repurposing retired servers to wring more revenue out of each piece of hardware. Not everyone in this space can do that.
[Note: this same comment was posted on the GoGrid blog article]
Thanks for the response. True, the auditing and compliance portion probably needs to go much further. For the short term, many providers will be self-auditing until the standards are truly brought up to speed and the independent auditors fully understand what is involved. It’s a great extension for their business model actually and I think they will reap the benefits of being able to fully audit “the Cloud.” SAS70 (an acronym that you mentioned) is just an example. GoGrid is one of the few (only?) Cloud providers that can say that.
In terms of your other points:
1) I don’t fully agree with that statement that the business model is sustainable only for someone selling excess capacity. It is a shift in many different models. Who would have thought that SaaS would be so wildly successful? The billing models fit better to a time where budgets are tight. Data Centers could convert over to providing Cloud services (smaller footprint, less power, etc.). However, doing ONLY Cloud might be a bit dangerous, so I somewhat agree. Diversification is critical. This is part of the reason why we offer traditional datacenter (ServePath/ColoServe) services as well as CloudCenter (GoGrid) services. User then have the ability to pick and choose their solution, one or the other or both together (Cloud Connect).
1a) I don’t think this is any different than traditional hosting. You have to, as a provider, be ready to scale one way or another. Planning, whether traditional or cloud, needs to take place, so I don’t really understand the concern as being only with the Cloud.
2) Sorry, but I still do view SaaS as a Cloud segment (Cloud Applications). However, I do think that there are some SaaS providers that don’t quite fit in. Cloud Computing, in general, is a term that is very broad and general, but we are seeing the fine-tuning taking place.
Thanks for the thoughtful discussion.
Mr. Sheehan brings up a good point – what exactly are you guys considering as a subset of cloud computing? I’ve found recently that the term seems to be abused and has been expanded to include a lot of things like SaaS, when in reality, that was not the original concept.
Anyway, my take on the compliance issue even for SaaS is that you still need to monitor the data flows. I don’t care whether it is coming from a real box or a virtual machine, either way, you need to mirror that data to a compliance auditor to cover that part. It’s also crucial to adopt IDP or one of the older security devices to maintain full coverage. Regardless of SPAN/TAP shortages (you can fix that with tool and port aggregation anyway).
So tell me – where do each of you draw the line on what “cloud computing” is anyway?
Good article, but oh no, I can’t help myself ….
From my blog post in Aug’07 (see http://blog.gardeviance.org/2007/08/commoditisation-and-web-20-worth-part.html) discussing the “cloud” …
“Low risk in this context would mean multiple providers of the same service which you can swap between, as opposed to the details [infrastructure architecture] of any one provider. To be able to swap between services you need not only standardised services but multiple providers and the freedom to move data, application or framework (depending upon which level of the stack you are talking about) between the providers.
In this context open source is a necessity to provide not only the base standards but also an operational means of implementing that standard. It is neither a tactic or a strategy.
However, open source (and in this context I mean GPLv3) is not sufficient, you also need some form of additional information to ensure the users of such services that they aren’t being locked-in, or that this provider is really compatible with another or they can run their own installation should they wish to.
This can only be achieved through monitoring and the use of trademarking, by an authoritative group providing assurance to end users that this provider meets the standard, that any primitives have not been modified and that what you run with one provider will work on another.”
The issue of risk & auditing are all connected to the lack of second sourcing options, transparency and standards. We need both portability and assurance (or trust if we must) for the cloud.
As for SaaS != Cloud etc. Cloud computing is simply a manifestation of the shift of IT from a product to a service based economy. It effects each layer of the computing stack from the software we write, to the frameworks we build in to the hardware / virtualisation / operating systems we build upon.
There’s an online video of my OSCON’07 talk which covered this if you’re interested (see http://blog.gardeviance.org/2007/10/previous-talk.html )
[...] version of its platform, customized for online retailers that includes PCI solutions(source: Rich Miller). Services like CohesiveFT’s VPN-cubed service may also play an important part in the [...]