Welcome to www.thecloudtutorial.com

Standards, Compliance, and the Cloud – A Primer


Jeanne Morain

Delivering software and solutions over the Cloud (internet) is far from a new concept. Although the general requirement to serve those employees, partners and consumers outside of the WAN has remained constant, the technology, risks, and regulations have significantly changed over the last decade. For those who are new to the technology standards groups, regulations, and risks that are driving both new standards and enhancements to the old ones, this article will serve as a primer to jump start your cloud efforts. If you are already an expert – please do feel free to chime in or send me an email to edit/update any missing areas or links.

What are the Drivers for Standards?

While High Tech generally moves at a fast pace, the new innovation, adoption, and risks of Cloud computing have made standards adjustments a critical element in your overall recipe for a successful Cloud strategy. Since 2000 there have been more regulations, standards, and reporting requirements affecting the IT industry than in the 50 years prior. Just having common knowledge about how to build a network, an IIS server, or a Linux OS is no longer enough to architect and maintain a Cloud solution that complies with the unique requirements of a company’s specific industry, regulations, and technology needs.

Whether Private or Public Cloud, some of the key pain points driving standards revolve around interoperability with existing solutions/products, regulations (Personal Information Acts in the US and abroad, reporting and accounting), and the proliferation of a global economy/workforce (more technical, mobile, and virtually connected). Over time, as Cloud adoption significantly increases and new regulations/requirements come into play, the standards will need to evolve even further as our understanding of those requirements comes to light.

The purpose of this paper is to highlight that many standards already exist, and that collaborative efforts are under way to evolve or extend them to address the unique challenges Cloud Computing has introduced.

Where does one start?

What constitutes a standard? What specific areas should be reviewed, adapted and adopted? In order to successfully implement a Cloud solution in today’s global economy, one must collectively consider all the key requirements and selectively institute the ones that apply to what one is trying to achieve.

Identify the following:

Type of Cloud being implemented – Private (Internal), Public (External) or Hybrid. The requirements for each will vary depending on the answer.

  • Private Clouds – will need to adhere to the company-mandated processes and an established framework for governance such as the IT Infrastructure Library (ITIL) or ISO. Documentation, backup, control and SLAs are required by the business. Integration with existing Business Service Management tools should either already be in place or be started, depending on the maturity of the adoption cycle for your datacenter.
  • Public Clouds – public clouds add a little more complexity and definition when it comes to audit and control. In addition to adhering to an established framework, you also have additional audits to pass, such as a SAS 70 audit (in the US) or ISAE 3402 (the International Standard on Assurance Engagements, Assurance Reports on Controls at a Service Organization, which can be used globally; note that Canada, Europe, etc. had their own standards prior to ISAE 3402 being passed in January 2010).

Type of Industry being served – vertical, segment, and countries – HealthCare, Financial Services, Telecommunications, Education, etc.

  • Each industry will have a set of regulations (some more than others) that may carry a different set of requirements and standards for areas such as security, access control, segregation of duties, data protection, etc. There are a few that govern across markets and segments, such as Personal Information Acts (the US, Europe and Japan all have specific acts to govern the protection of personal information such as credit card data, health history, etc.).
  • Each segment may have different requirements and SLAs – depending on the size of the company, what type of data is being processed/stored, who has access, etc., there will be a different set of requirements around segregation of company-specific data, their customer data, etc. In addition, industry- and size-specific SLAs will vary: a large enterprise will typically have not only a larger volume but will also be less tolerant.
  • Each country will have its own specific regulations – it is important to understand what audit processes and regulations are required and how your customers may feel about that. For example, many in Europe are concerned with the data privacy of data housed in the U.S. because of the Patriot Act and/or Cyber Security Act.

For example, in the HealthCare industry the US requires the Health Insurance Portability and Accountability Act, FDA, and others depending on whether the organization is Public or Non-Profit. In Europe, certain countries require that the data be stored in the country of origin – this could be an issue when looking at public clouds, to ensure they have a facility in the country being served. Furthermore, if you are a Healthcare Data Exchange or ISP serving this market.

  • Current tools and processes in place – those that involve managing people, processes, and technology to achieve compliance with IT directives (Business, Regulatory, Security). Chances are that for both internal and external providers (unless it is a brand new company) there are already established practices that will need to at least be considered in the overall design and process.
  • Current requirements/standards from vendors around Cloud – specifically around license and software usage. Some ISVs do not support subscription-based licensing yet, or require a special license such as the Microsoft Service Provider License Agreement. It is important to understand any restrictions or components that are not defined clearly, to avoid unexpected costs, legal ramifications, or impact to production. For example, some vendors will have added the ability to audit license usage as part of their agreement. There will need to be some type of tool to provide verification that the software is no longer in use, or that proper licenses were obtained and royalties paid.

Investigate Standards & Requirements for YOUR Company

Once you have determined the key areas that need to be considered based on the type of Cloud (Private, Public, Hybrid), industry, countries, business processes and vendor requirements, you are ready to identify the key standards and audit requirements to consider.

Although many say the Cloud should have its own standards, that can be construed as being a little short-sighted. Cloud Computing is an evolution of various technologies. Some, such as virtualization and hosted computing, have been around for decades. Although they have significantly improved in feature functionality as hardware, bandwidth, and internet access have evolved, the basic premise has not completely changed. Given that the regulation revolution really took off almost a decade ago, many companies have had to invest millions in creating a framework that works for their organization.

It is important to understand that most companies already have tools and processes in place, and people trained in both. It is not likely that they will replace everything they have worked hard to institute to achieve SAS 70 audit control (outsourcers/providers or Public Clouds) or the control frameworks instituted to achieve regulatory compliance. Rather than re-inventing the wheel, it is better to take a step back, understand what is currently there and how it is evolving to address the new risks, challenges, and requirements of today’s Cloud, and make recommendations for your organization based on the prescriptive guidance in place.

I have compiled a list of what I believe to be not only credible but very well thought out resources from industry experts. Experts are hard to come by these days, meaning there is so much information and misinformation in blogs, list-serves and groups that it is hard to really cut through the hype and understand what really needs to be done. Those that are truly working on their own implementations in practice rarely have the bandwidth to blog about it all day. So be careful about what you come across on the net unless you know it is derived from credible sources.

Distributed Management Task Force (AKA DMTF)

The Distributed Management Task Force has been around for quite some time (over 15 years). Winston Bumpus (the current president of DMTF) is a former colleague of mine from VMware. DMTF has worked on various standards over the last 15 years with industry veterans such as Josh Sirota (Architect at BMC/Marimba with over 27 million deployed endpoints), Simon Crosby (CTO from Citrix), and many others whom I consider industry luminaries, with at least a decade or more of experience implementing Systems Management across the LAN, WAN, and other structures. DMTF has been instrumental in implementing recommendations for open standards to drive interoperability across Systems Management frameworks (SMASH for servers, DASH for desktops, OVF – Open Virtualization Format), and most recently they have published new works around recommendations for creating interoperable Clouds.

IT Process Institute

The IT Process Institute has some unique research around the impact of Virtualization on Compliance (in practice, not theory). Their Virtualization Maturity Study was conducted with over 323 companies, with the questionnaire crafted after a series of in-depth interviews with Architects, CIOs, and Security officers implementing both internal and external Clouds. Two of the founders, Gene Kim and George Spafford, are among the foremost authorities on compliance, hosted environments (Cloud), and virtualization. Why? Their approach is very different – it is an auditor-in approach versus technology-out. They have a strong collective group of both seasoned auditors and technologists to bridge the gap. Although there are many whitepapers created from the survey, the raw data is very compelling. I have to disclose that I was one of the key sponsors, both at VMware and InstallFree, because there was no other research or data like it at the time. A summation for the desktop piece can be found on http://www.vmware.com/a/webcasts/details/139.

National Institute of Standards and Technology – NIST

The first caveat is that NIST is a US Government agency. NIST is critical in that it creates the guidelines for audit and control of US regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX or SarBox), Gramm-Leach-Bliley (GLB), Personal Credit Information Act (PCI), and new ones being introduced. These acts include standard recommendations and guidelines in all types of areas such as Security, Cloud Computing, selecting which Control Objective Baseline for IT standards to use for compliance, etc. They have a new draft on Cloud Security published that is an interesting read not only for US nationals but for those that wish to do business in the US or to leverage US hosting providers such as Amazon.

Cloud Security Alliance (CSA)

The Cloud Security Alliance, or CSA, is a critical component and a good example of new standards that have evolved based on the increased risks and requirements posed by Cloud Computing (Public, Private, or Hybrid). The CSA works with other standards groups such as the DMTF and follows guidelines such as NIST’s to ensure that interoperability, prescriptive guidance (particularly around Security, Identity Management, etc.), and opportunities for education (certification) are available. In particular, they have an excellent white paper published in March on the top threats around Cloud Computing. Before architecting or driving to push regulated or critical applications to the cloud, it is important to understand not only how the technology has evolved but also the new risks it brings, in order to protect your company. There are many other papers there as well that are well worth the read around application security.

On a personal note – one area that is still too nascent is application virtualization. Today many standards and inventory tools check for drift or changes to the application in the actual application file itself. However, application virtualization files (yes, files) are read only. Malicious code actually injects into the user data or configuration files. Until the standards are updated, it is best to create some sort of custom script, or push your vendors, to actually check those files for significant changes as a potential location of a malware attack. This holds true for both DMTF and CSA (otherwise they are spot on for the most part, although I have heard there is room for improvement needed for OVF. I would love more opinions that I can pass on).
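The "custom script" suggested above amounts to a baseline-and-compare drift check over the mutable files (user data and configuration) rather than the read-only package. The following is an added example written for this page, not a script from the author or from DMTF/CSA: it records a SHA-256 manifest of a directory tree and, on a later run, reports files that were added, removed, modified, or had their permission bits changed. The directory layout, file names and contents in `demo()` are constructed for the demonstration; the manifest storage location (a JSON file next to the tree) is an assumption.

```python
"""Baseline-and-compare drift check for user-data and configuration files.

Added example (not from the article). Builds a SHA-256 manifest of every
file under a root directory, stores it as JSON, and later diffs a fresh
manifest against that baseline. Paths and sample files are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large data files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, Dict[str, str]]:
    """Map each file (relative POSIX path) to its hash, size and permission bits."""
    manifest: Dict[str, Dict[str, str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            stat = path.stat()
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": str(stat.st_size),
                "mode": oct(stat.st_mode & 0o777),
            }
    return manifest


def save_manifest(manifest: Dict[str, Dict[str, str]], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, Dict[str, str]]:
    return json.loads(path.read_text())


def compare(baseline: Dict[str, Dict[str, str]],
            current: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Classify drift between two manifests. Mode changes are reported separately
    because a permission change with identical content is still worth a look."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common
                           if baseline[k]["sha256"] != current[k]["sha256"]),
        "mode_changed": sorted(k for k in common
                               if baseline[k]["mode"] != current[k]["mode"]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, simulate drift, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"           # the virtualized app's mutable tree (constructed)
        manifest_path = Path(tmp) / "baseline.json"  # kept outside the tree it describes
        (root / "config").mkdir(parents=True)
        (root / "data").mkdir()
        (root / "config" / "app.ini").write_text("[db]\nhost=localhost\n")
        (root / "config" / "users.json").write_text('{"admins": ["alice"]}\n')
        (root / "data" / "cache.dat").write_bytes(b"\x00" * 16)

        save_manifest(build_manifest(root), manifest_path)

        # Simulated drift: an edited config, a new file in a config directory, a deleted data file.
        (root / "config" / "users.json").write_text('{"admins": ["alice", "bob"]}\n')
        (root / "config" / "startup.cmd").write_text("echo unexpected\n")
        (root / "data" / "cache.dat").unlink()

        return compare(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

Schedule `build_manifest` plus `compare` against a stored baseline after each approved change window; anything in `added`, `modified` or `mode_changed` that does not correspond to a known change is the drift the text says today's inventory tools miss when they only watch the read-only package.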

Public Company Accounting Oversight Board (PCAOB)

This site and group is a little more on the audit side of the house, but has some informative measures and insight on new laws such as the recent Wall Street Reform Act. I always find it helpful to check out and investigate the areas that auditors, business owners, and executives will be concerned with, to understand the bigger picture of what is being requested and how it could impact the overall architecture. For public or hybrid clouds (if you are integrating your private cloud with a public cloud), there are some pretty good translation sites as well for specific audits such as SAS 70 or the new international standard ISAE 3402. In case you don’t know what SAS 70 is – it is the audit standard for outsourcers or hosting providers that must be passed in the U.S.

ITIL Sources – ITSMF – IT Service Management Forum, IT Governance Institute, & ISACA

The IT Infrastructure Library, or ITIL, is a key element for most Cloud providers, as it is the primary framework used in the majority of enterprises in North America and Europe. The Control Objective Baseline for IT Standards is the framework not only used for ITIL but also as the baseline to define standards and requirements for regulations. I found that by reading those standards from an IT and technologist perspective, it really helped to bridge the gap between the desired state from the business and the reality of what is available (from a technology and tools perspective). There are quite a few good white papers and also publications on what the top discrepancies typically are during an IT audit. An ounce of understanding is truly worth ten pounds of cure when you are looking to reduce risk and ensure the long-term viability of your architecture.

The key guidance – do your homework; just because something worked for one individual or organization doesn’t necessarily make it viable or correct. Research the markets to ensure that the technology you are using will scale and fit into all the requirements from Security, Interoperability, Regulatory, and Business. In my last role I was able to bring one of the first regulated applications to an external cloud by working with the company to create a Hybrid architecture. It was the best of both worlds, but really took some fine tuning to get all the regulatory (HIPAA), technology (App Virtualization, EC2/S3) and people requirements (Service Delivery, Service Support, etc.) in place. Beyond standards, plan to educate your people on the newer technologies (end users as well as the business), and make sure that when the audit comes you understand enough to defend the architecture put into place, so as not to impact your overall execution and go to market.

Good Luck!

About the author
Jeanne Morain is an independent expert on Cloud, Application Virtualization and Systems Management, working to bridge the gap between hype and reality for the Enterprise. She brings over a decade of experience in Systems Management, specializing in driving innovation in areas such as BSM, Discovery, Virtualization, Cloud Computing, Universal Clients and Compliance for BMC and VMware.