PART I – Compliance: The false comfort of data center audits for cloud services

Compliance and the cloud
Compliance is one of the most common sources of stress a company faces when moving solutions into the cloud. It’s a complex and arcane topic to begin with. When the inherent reduction in control that comes with outsourcing an IT service to the cloud is added, FUD (fear, uncertainty and doubt) can easily derail even the most carefully planned project.

Unfortunately, many of the cloud services vendors in the marketplace do more to add to the confusion than to address the very real compliance needs organizations face. My intent is to shed some light on this issue over the course of several posts. I’m also going to try to provide actionable advice that both IT and audit teams can benefit from when evaluating cloud-delivered solutions like SaaS, IaaS and PaaS (Software, Infrastructure, and Platform as a Service, respectively).

We all have needs
First, let’s define the needs of both parties. As outlined in part one and two of this series, these are the Wild West days of the cloud when thousands of vendors are driving a land grab for new business. Within this landscape, vendors both large and small are often motivated by:

  • Mind share – The ability to gain consistent coverage by press and analysts. Cutting edge is sexy. When there are no clear leaders, the desire to create the perception of leadership is often considered an end unto itself.
  • Market share – The ability to demonstrate growth, ideally at a rate higher than the competition. Within the land grab of an emerging market, capturing new business is often considered more important than profitability and customer retention.
  • Cost Reduction – The ability to lower start-up costs. Although there is general consensus that the convergence of both technical and cultural trends we call “cloud computing” has huge potential, no one can guarantee that it will grow as rapidly as the analysts predict. Within an immature market, it’s often easier to lower costs than increase sales.

Today’s compliance landscape is very complex and constantly changing. Corporate initiatives could be driven by federal regulatory mandates, state laws, demands from business partners or even as a response to events on the nightly news. Yet, the compliance needs of a company that has chosen to outsource an IT solution to the cloud are deceptively straightforward. Stated broadly, they need to have transparent insight into:

  • Scope – The ability to determine what business and technical objectives the vendor’s compliance program does and does not meet. Will the employees working with my data ensure that it remains private and secure as required by HIPAA? Do they have a password policy that addresses complexity, rotation and storage like our internal policy does?
  • Quality – The ability to determine if the vendor’s policies and procedures adequately address each objective. Maybe they have a password policy, but it states that a password can be four alphanumeric characters, is only rotated on leap years, and advises employees to write their passwords on a post-it note to ensure they never forget it. The point is that a customer must have some assurance that a policy not only exists . . . but that it’s commonly accepted as an “adequate” or even strong policy.
  • Execution – The ability to determine if work performed by the vendor’s employees and subcontractors complies with their policies and procedures. If the vendor has strong policies that no one follows, they’re not delivering much value to their customers.

In my next post, I’ll look at a pitfall disguised as a solution that goes by SAS70.

Please consider signing up – by e-mail or RSS – to get new posts from me and my fellow bloggers delivered automatically to your inbox. If you find our pieces intriguing and/or enlightening, please encourage your friends and colleagues to check us out. And if you have ideas for stories or ways to make this community better meet your needs, please let us know.

Justin Alexander

... read more about: Justin Alexander