Thursday, August 27, 2009

Cloud or Not Cloud - That is the Question - When it comes to Compliance

Defining the Cloud - What is and isn't
How do you measure something that is dynamic in nature? What is the impact on SAS 70 audit controls? Where does an organization even begin when the definition of what is and is not a Cloud is still up for debate?

Some who would like to claim expertise in this new paradigm claim that SaaS or virtualizing your server infrastructure automatically equates to cloud computing. That claim only shows a lack of experience with SaaS and with the technologies, like virtualization, that enable the dynamic nature of the cloud. The Cloud is a nascent paradigm that should not be confused with Software As A Service or content providers. Companies have been distributing content, whether it be software, music, games, etc., over the Internet from hosting providers since the mid-90s. What makes a cloud unique is its dynamic nature and the benefit of capacity on demand: scaling to meet the peaks and valleys of a business as it grows.

NIST has tried to loosely define the cloud and the different types of clouds that are possible. Their definition can be found here: NIST Definition of Cloud. This is significant because now auditors are really going to be taking a hard look at what is in the cloud and how far it extends.

What does it mean to Compliance & Control?
"You can't control what you can't measure" is a befitting statement recently made by Scott Alderidge of IPServices. This statement is backed up by other industry research reports from reputable institutions, such as the IT Process Institute's series of Virtualization Maturity Studies. There is a GAP between the industry hype and realistic customer requirements.

Key findings indicate that many companies jumped into using newer technologies to enable dynamic provisioning of servers, applications, and desktops, only to find that they had to either pretend that everything was "physical as usual", revert to not using those features, or put control measures in place on a limited subset (i.e., there goes capacity on demand across the grid).

This is not to say that Clouds are not possible for regulated environments, or that they cannot achieve compliance with key regulations like HIPAA, PCI, SOX, etc., but it does mean that some creative thinking has to come into play to enable companies to leverage what makes sense in the cloud without compromising compliance (regulatory, security, or business directives).

BTW - a big pet peeve of mine, committed all the time by bloggers and vendors alike, is the claim that your solution or the cloud can achieve HIPAA compliance. Sorry folks - the system has to be reviewed as HIPAA compliant (the same goes for SOX, etc.). Now, there are pieces of the system that can be validated and submitted to enable the customer to achieve HIPAA compliance, but no magic software, infrastructure, etc. can do the trick.

Start Where You Are
How does anyone know what is safe, what is not safe, or where to begin in an area that can alleviate so many pains faced by companies today (rising power costs, running out of capacity in the data center, the need for centralization of data)? The problems that need to be solved are not entirely new, and many companies have solved them much sooner than this. The key thing is to take a step back, see the forest for the trees, and create a game plan for migration.

For example, although there are quite a few regulated applications, what about the ones that aren't? Are there specific ones that can be "tested" in a cloud or hosted outside the DMZ for greater access? Is there a specific business application that has particular peaks and valleys on certain components, like the web server or file share, but requires protected user data or information such as patient records?

Customers have successfully implemented hybrid clouds, keeping what is needed in the data center but moving many of the pieces that have greater peaks and valleys to a cloud-hosted infrastructure provider like Amazon AWS. For example, GDS achieved HIPAA compliance (yes, GDS did, not Amazon; see the link to the Amazon case study).

What did they do? They stored protected data such as patient information and records behind lock and key within the hospital data center, but leveraged the "Cloud" to deliver virtualized applications (HTTP/Encryption - for Config Assurance) that run locally, pull resources through the cloud provided by AWS, assemble the small subset of records typically needed by a user at the time, and re-parse it back. This genius architecture was developed not by theorists professing to want to define the cloud, but by who should have developed it: an expert in health care, hosting, and the requirements both have for regulations, users, and technology.