CloudEnterprise.info

Can cloud make you MORE compliant?

Posted by: Dmitry Sotnikov on: April 6, 2009

The common word out there about cloud computing/SaaS and security/regulatory compliance is that the two don’t go well together. However, things don’t have to be that way. Doing security right can cost a lot of money, and public cloud services could absorb some of those costs. Thus, there will probably come a point in time when, paradoxically, cloud becomes a cost-effective path to compliance.

With these thoughts in mind, I was delighted to find a report by Scott Crawford from Enterprise Management Associates – “The Security Paradox of Cloud: Five Questions for Cloud Providers“.

This is a great report in the sense that it not only talks about that same paradox but also formulates the five questions that cloud vendors need to answer to make this happen:

  1. “How much visibility do I have into how you manage my risks?”
  2. “What risks do your other tenants pose to me… or to you?”
  3. “Are your tools and techniques for managing risk mature enough?”
  4. “Is my data safe with you?”
  5. “How will turning to cloud impact my current approach to management?”

For each of the questions Scott provides a good discussion, so the report is well worth checking out.

Here are a few comments which I had on the paper:

In my opinion, “cloud” is inevitable because it offers better economics than the do-it-yourself on-premises approach: think market-economy specialization vs. a self-sufficient household. This does not mean that no IT services will remain on premises, but we are most likely headed for some kind of hybrid model. How far we go there does depend on the industry’s ability to answer Scott’s questions.

Scott’s notes on how cloud, with its separation of duties, could also become a more viable security solution are spot on. With a proper legal and certification framework, the cloud approach would let companies split liability risks with the cloud provider, as opposed to having to deal with liability all by themselves. Adhering to retention policies is costly; outsourcing multiyear document/communications retention to Microsoft/Google/etc. and sharing not only storage costs but also liability and risks with them is a pretty good deal.

  • Certifications (such as SAS 70) are a good step toward ensuring better security. Scott seems skeptical about certifications (and rightly so), but they are one component of the solution because they provide a vendor-independent common set of standards.
  • Publicly disclosed, industry-proven identity management, authentication and authorization architectures (such as “Geneva”, for example) are another good step; security by obscurity will not cut it here.
  • Encryption/DRM will probably play a bigger role in the picture. These do come at a price, though, and if the limits are pushed too hard the cloud systems may become useless, unable to provide valuable functionality without access to the data.
  • Legal frameworks providing for shared liability.

With all that said, this will not happen overnight. Kids are sick more often than adults, and the cloud industry is still in its infancy, so 2009 and 2010 will bring us quite a few outages and security breaches.

Read Scott’s report here.


Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer Quest Software or anyone else for that matter. All trademarks acknowledged.

© 2008 Dmitry Sotnikov
