In the previous articles on cloud computing we considered the security implications of choosing a provider as well as what needs to be done to have security in the cloud. Next we will discuss what cloud computing means for our compliance issues.
Cloud computing can be a tricky situation for compliance and in certain cases could make true compliance impossible. Consider a scenario in which your data resides completely in the cloud and you get a compliance requirement to make sure your data is available exclusively to certain people. In most cases access control is actually under the control of the provider, so one cannot be sure who has access to that data and who doesn’t. Furthermore, we certainly do not control physical access to that server, and that’s one aspect we definitely cannot secure ourselves.
Things can get even trickier when you have data that transits between your own servers and cloud services. In such a case one will need to ensure compliance both on one’s own site and in the cloud, and it is very likely that these two will require completely different approaches and policies.
Worse yet would be forensics and auditing, as with cloud computing you might not get full access to logs, making such tasks all but impossible. Another nightmare scenario is when certain servers share data with multiple companies; this scenario can be quite common when considering SaaS (Software as a Service). How will this affect your compliance? Whilst I’m no lawyer, I can think of some possible issues one might face.
- Will it be the service provider who needs to achieve compliance or your business?
- If it’s the service provider and one of its customers breaches PCI (e.g. saves credit card data in a word processor document within the cloud), will all companies using that service be deemed non-compliant?
- If you are the one who needs to achieve compliance, how are you going to audit your business residing in the cloud?
- How will auditing work? Will the whole service be audited as one entity, or will there be logical separation of the data depending on who is using it?
- Will an audit exercise require the permission of everyone using the service, even if some are not seeking that compliance?
Ultimately the cloud is still young. I am sure that as time goes by these issues will be investigated in more depth and clear guidelines will be drawn. Right now there doesn’t seem to be a clear answer: there are people claiming that the cloud would make compliance easier, others say that it offers the same level of difficulty, while there are those who say that it’s impossible. What is really important is that if your business needs to achieve compliance with any standard, make sure you take these points into consideration if you plan to run services in the cloud.