Is cloud computing secure enough to meet enterprise regulatory compliance requirements? There was an interesting back and forth on this topic Wednesday between Chuck Goolsbee at SearchDataCenter.com and Michael Sheehan from GoGrid. Chuck's big-picture take is reflected in the title of his column: "Don't buy cloud computing hype: Business model will evaporate." He bases his skepticism on a number of factors, including his doubts that cloud computing providers can meet regulatory compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS), which is essential for e-commerce:
The auditors have a very clear idea of exactly what they want to see in terms of server infrastructure, software configuration and network deployment. Deviations from the script are hard to get away with. Paramount to everything is the ability to audit. To see where, when and how payment card data is used. When they ask 'where is X?' you have to point to a specific spot (be it a server, a file system or a database table) and say, 'X is right there.' You also have to prove that X has not been altered without record of it, nor has ever left the building in an insecure or unencrypted state. So can any of this be trusted to a cloud? I doubt it.
Chuck has other reservations about the cloud computing business model. But since concerns about security are cited as the leading barrier to cloud computing adoption, let's take a moment to examine the compliance issue in greater detail.
Regarding PCI DSS, several providers say they have achieved certifications for customers using cloud platforms. These include Terremark Worldwide (TMRK) which describes its Enterprise Cloud platform as "certified as PCI DSS Compliant," and Savvis Inc. (SVVS), which offers a version of its just-in-time utility computing platform that is customized for online retailers and includes PCI solutions.
The issue of PCI compliance has also been discussed at Amazon Web Services (AWS), where the data center team is well acquainted with e-commerce compliance standards, but will currently say only that Amazon is "in the process of, and will continue our efforts to obtain the strictest of industry certifications in order to verify our commitment to provide a secure, world-class cloud computing environment."
In his response to Goolsbee, Sheehan said he "somewhat agrees" with Chuck's security concerns - but not entirely.
It is impossible to fully audit what I call 'disposable IT.' However, the shift from CapEx to OpEx means that auditing methods need to be re-evaluated. In the past (and currently), if you wanted to requisition hardware, there was a process for doing so. It took time and had rigorous approval processes built in. Now, with the Cloud, you can do this 'on the fly' and servers in the Cloud can be created and disposed of extremely quickly. With data in general, you can never fully have 'absolute certainty' with an audit. Compliance requires a 'reasonable certainty', especially since data isn’t persistent in or outside of the Cloud. So, saying that the Cloud model will fail because it isn’t compliant or can’t be audited is erroneous.
For further reading, see Cloud Computing and PCI Security, a review of the topic by Michael Dahn of the PCI Blog. Dahn compares the current debate to earlier concerns about compliance in a virtualized environment.
"The reality is that virtualization can be compliant as long as it’s properly configured and managed," Dahn writes. "Do you notice that with each new year a new technology raises issues about compliance? Compliance people claim it cannot be used and technology people claim they want more attention paid to them. Sigh. Expect this to occur out into the future."