Earlier this month we looked at the issue of cloud computing and regulatory compliance, which is often cited as a barrier to enterprise adoption of cloud-based services. Computerworld picks up the topic today, examing the specific issues raised by three key regulatory standards; SAS 70, Payment Card Industry Data Security Standards (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).
Regulatory compliance is often possible with cloud computing, although it takes special effort, according to Chris Day of Terremark Worldwide (TMRK). “There is no magic solution,” said Day, a security specialist working with Terremark’s Enterprise Cloud. Each standard has its own unique challenges, and specific approaches are needed, with some requirements falling on the client side and others resting with the service provider.
That split responsibility makes it hard to draw broad generalizations about cloud providers’ ability to meet audit requirements. A major issue is a perceived lack of visibility into cloud providers’ operations and security, as outlined in a recent story at Wall Street & Technology. “At the moment, cloud providers seem to want customers to treat them like a black box,” says Craig Balding of Cloud Security, who also works on the security team at a Fortune 500 financial company.
Balding says non-disclosure agreements offer an opportunity for cloud computing providers to share more detailed information about how data is handled, and can provide a comfort zone for customers. Another issue is the prospect of vendor lock-in. “Amazon and Google are walled gardens,” Balding told Wall Street & Technology. “You can’t take an app from Google and bring it over to Amazon because they’re architected differently.”
Cloud interoperability is a hot topic at the moment, and it’s possible that migration between providers at various levels of the cloud will become easier. But it’s not just a cloud issue. Managed hosting providers specializing in compliance have some of the “stickiest” customers in the business due to the depth of the relationships.
Managed hosting may hold a precedent for the cloud. Many companies outsource their mission-critical apps to managed hosting providers in small doses, starting with small projects that test-drive the relationship, giving the provider an opportunity to build a track record of performance and trust. If the provider executes and makes life easier for the customer, they gradually take on a larger chunk of compliance-related business.