July 15, 2011

Regulatory Compliance: Impossible in the Cloud?

While there is increasing acceptance of cloud computing, mainly due to its ease of use, end-user accessibility via the Internet, productivity improvements and – most importantly – its cost-saving attributes, there remain a number of questions left unanswered concerning corporate governance and regulatory compliance issues.

For example, is it possible for companies to meet regular corporate governance standards in the cloud? Are there regulatory principles in place targeted at cloud computing users? And what cloud computing services are able to meet best practices recommendations and requirements?

Undoubtedly, the cloud computing environment places no less a premium on solid management and the maintenance of a culture of integrity-driven performance than any other corporate IT environment of the past.

It therefore presents similar governance and compliance challenges not only for companies but for governments, investors and many other stakeholders in the corporate world.

Unfortunately, there are those who believe compliance will be impossible to achieve within the cloud environment, as companies cannot take responsibility for who accesses their data, who views it, and where (and how) it is stored, since a basic tenet of cloud computing is that data can be held and stored ‘anywhere’.

Cloud computing protagonists, on the other hand, say a key premise of regulatory compliance and good corporate governance is the integrity of the audit process. It’s a process required to keep track of all data components – whether they’re located in multiple corporate data centres or somewhere in the cloud.

They acknowledge that it’s a demanding process and special care is required to achieve success. There is no shortcut – no silver bullet – to ascertaining where a company’s data is stored and what networks it has passed through.

Nevertheless, answers are required in order to interrogate data repositories to meet compliance objectives such as:

• the regular appraisal of management performance and accountability,
• the identification of incidents of administrative failures,
• the need to address breaches of legislation and internal processes,
• the achievement of greater value for compliance spend,
• improved stakeholder and regulator relationships and
• more open communication channels between all stakeholders and regulators.

The first steps to be taken before attempting to meet these and other targets include a definition of the type of cloud computing services employed and the cloud infrastructure models involved.

Significantly, there is no ‘one size fits all’ approach when it comes to compliance issues in the cloud. The corporate cloud computing environment must be clearly understood so that a comprehensive ‘best practices’ approach can be designed and adopted.

Essentially there are three cloud service types: Infrastructure as a Service (IaaS); Platform as a Service (PaaS); and Software as a Service (SaaS). And there are basically two deployment models – the private cloud and public cloud (ignoring any hybrid combinations).

Within these types and models, the levels of control afforded the user differ greatly. So does the auditor’s ability to effectively and accurately track data.

For instance, in private clouds, the number and type of controls are placed at the prerogative of the user and can vary from ‘super-efficient’ to ‘non-existent’.

In a public cloud, while the user organisation does not have much say over the controls in place, service provider reputations are at stake, which generally helps ensure a professional approach – limiting the risks associated with unauthorised access to intellectual property and customer information.

When it comes to service types, it’s accepted that greater control – and therefore regulatory compliance – is possible within an IaaS model compared to SaaS or even PaaS models.

This is due to the ability of the user to deliver greater ‘data segregation’ (a key compliance requirement) should the entire corporate computing infrastructure be offered as a cloud-based service (IaaS), preferably within the scope of a private cloud.

Why a private cloud? Because a private cloud makes use of dedicated hardware and therefore data segregation on separate servers – even virtual servers – is easier to achieve.

However, many regulatory compliance specifications – including the King III Code of Governance Principles for South Africa and the Sarbanes-Oxley Act in the US – while maintaining data segregation as a core requirement, do not specifically address how it is to be achieved within the cloud, either private or public.

Fortunately, the technology driving cloud computing is constantly evolving. As it advances, many of the compliance and corporate governance concerns are being tackled and eliminated by global specialists.

For example, the SAS 70 compliance environment (Statement on Auditing Standards 70) issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) can be made applicable to cloud computing environments. This is according to Sundararaj Subbarayalu, founding member of Anantara Solutions [www.anatsol.com], an Indian outsourcing firm.

In addition, a feature called File Classification Infrastructure (FCI) has been introduced on IBM’s Windows Server 2008 (Release 2), designed to tag files carrying personal or financial information and other increasingly regulated data. All that’s needed is a workflow program to allow developers to use the data in cloud applications.

These and other imminent breakthroughs point to a future in which an organisation opting for a cloud computing solution will have access to secure, fully compliant clouds featuring technology innovation and a sustainable business ecosystem development offering with full regulatory compliance.

About The Contributor:
Martin May, Regional Director, Africa

Martin came to South Africa in 1992, relocated by Cabletron Systems to begin operations in Africa. May has driven Extreme Networks forward in Africa and is a leading advisor in the areas of infrastructure security utilizing technologies such as NAC, IDS/IPS and network-based security.