Cloud computing - the next big thing or a security and compliance risk?

Contributed by Pierre Chamberland (Thursday, May 27, 2010) | Category : Email litigation and compliance

Cloud computing, it may be argued, is one of the hottest topics in the enterprise IT community at the moment - perhaps even above smartphones and social media - because of the way it can significantly change the traditional IT infrastructure model. But the security and compliance implications are huge, and many in the industry are skeptical that the cloud is secure enough for enterprises to inhabit.

There are two issues at hand, experts say - data security and regulatory compliance.

In a report on the risks of cloud computing, Gartner noted that the cloud has "unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as eDiscovery, regulatory compliance, and auditing."

Joshua Davis, director of information security and compliance for Qualcomm, agrees.

"The information risk management factors one must consider when leveraging cloud computing - especially legal and regulatory compliance issues - represent uncharted territory for many enterprises," he said, as cited by the Cloud Security Alliance.

When it comes to security, perhaps the largest concern is that the centralization of data into just a handful of cloud platforms makes it an easier and more attractive target for cyber hackers, CTO Edge reports.

There is also the issue of privileged user access, InfoWorld noted. "Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the 'physical, logical and personnel controls' IT shops exert over in-house programs," the magazine cited from Gartner.

Furthermore, many organizations are concerned about the data protection laws for the countries in which their data is being stored, and rightfully so. Most companies using the cloud do not have access to that information, and it can make a huge difference when it comes to privacy requirements and compliance laws.

For example, in March, Yale University postponed a planned move of the university's email service to Google Apps pending a university-wide review process, and the location issue was largely the reason.

Yale Daily News reported that Google was not willing to provide Yale with a list of countries in which the university's data could be stored, thereby preventing the university from knowing which laws and regulations their data would be subject to.

"Yale is an international, multicultural community of scholars," Yale computer science professor Michael Fischer told the student newspaper. "Students deserve to have rights to their information while on campus."

Even aside from the security side of the coin, there is the issue of compliance.

Because organizations themselves are ultimately responsible for the proper retention of data, no matter if the data is stored in-house or by someone else, many are concerned about having enough control over cloud providers to ensure the security and integrity of their data. Failure in this area can lead to regulatory fines potentially worth millions of dollars, especially in a litigation situation.

SearchCloudComputing.com notes that with an in-house server, "everyone knows where the disk and server physically reside, and that fact can be proven during an audit. Even a shared service provider can typically tell you which physical systems you are utilizing and identify the data location for audit purposes."

However, with the cloud, organizations do not necessarily know where their information resides, which poses a risk not just for PCI-DSS, Sox or HIPAA compliance, but also for disaster recovery.

Phil Cox of SearchCloudComputing.com actually went so far as to say that at the moment, PCI-DSS compliance and cloud computing are mutually exclusive. "If you do store or process cardholder data in a public cloud," he wrote, "then it is my opinion that it would not be possible to currently achieve PCI-DSS compliance."

The cloud is still in its infancy, and may have a long way to go before proving that it can securely store enterprise-critical data. For the moment, any organizations considering a move to the cloud are advised to weigh the risks carefully and to do their due diligence with potential providers.