Cloud computing has been the hot new thing on the market for a while now. It’s what has the enterprise buzzing and apprehensive. It’s what has those in charge of governance concerned. Overall, working in the cloud is the best and worst thing that ever happened to the enterprise.
How one uses the cloud is most dependent how compliant you intend to be. Once you understand the individual compliance regulations and specific requirements, it’s likely that you (and your data) can live comfortably on the cloud.
1. Choosing the Right Neighborhood
There are few generalities about cloud computing, but there are three basic types of systems that can be used:
- Infrastructure as a Service (IAAS)
- Platform as a Service (PAAS)
- Software as a Service (SAAS)
In addition, there are four different neighborhoods on the cloud, or rather, deployment models:
- private cloud
- community cloud
- public cloud
- hybrid cloud
As you might have guessed, different systems and modules offer different types of customer control and place different obligations and responsibilities upon both customers and service providers with respect to security and compliance.
2. Meeting the Neighbors
But compliance isn’t the only thing to think about when choosing how and where to set up shop on the cloud. Like any real estate, it’s important to think about its proximity to the places you go, the quality of the roads, can the neighbors see over the bushes, and reputation of the neighborhood -- in other words, consider vendor lock-in, portability of data and applications, interoperability, data privacy, and data repatriation.
3. Selecting the Governing Body
The rules that govern on the cloud are similar to how an HOA may impose rules. (No holiday wreaths and only white lights can be strung.) On the cloud, if you’re public or private, there are specific laws and regulations, and the related regulatory guidance and requirements that can affect an organization. From HIPAA, GLBA, and PCI DSS -- your organization will need to examine the ins and outs of each to figure out what security controls are already in place and what’s needed to get the rest up to code.
4. Preparing for the Home Inspection
Once up to code, however, it’s important to understand that it will be necessary, even required, to assess the control state for the cloud service several times a year -- on a regular basis. For example, PCI DSS requires quarterly vulnerability scans be conducted for systems.
The Cloud Security Alliance's forthcoming version 2 guidance, a sort of cloud owner’s manual, will provide extensive discussion of compliance and audit concerns related to cloud computing, along with many other areas of security concern and is worth checking out.
5.Selecting the Mortgage
Living on the cloud requires some long-term commitment. Is your neighborhood the place where your data can grow old? Are you still going to be able to meet compliance as your company grows or shrinks? What about the economy?
The housing metaphor, though getting old, is quite suitable for deciding to store and manage your company’s information on the cloud. Like any document management solution, however, being prepared is half the battle. Preparing to live in the cloud, is a perfect time to take inventory of how your company currently stays compliant. What do they do know and how will it have to change according to where and how they want to live? Take the time to figure out the issues now and it will save you the time, money and trouble it could cost you once the moving truck has arrived.
Real estate on the cloud may be abundant, but like any neighborhood, the misbehavior of one can affect many. By not properly complying may ruin it for the rest of us.