Compliance and the cloud: a culture clash
Garry Sidaway, global director of security strategy, NTT Com Security
The cloud and compliance don't naturally work well together. While the cloud is transforming the way businesses operate, compliance is causing headaches for many IT professionals who are looking to embrace, or experiment with, the cloud.
Ultimately, compliance in the cloud does not work. Both cultures have entirely different agendas and the chances they will become friends for life are pretty slim. Whilst the cloud seeks to propel a business forward, compliance seeks to restrain it - and this restriction is not what the cloud is about.
A recent research report commissioned by NTT Com Security found that, perhaps unsurprisingly, when it came to being compliant, businesses around the globe were wary of using the cloud. A worrying 86 percent admitted that issues around data protection, legislation and regulation are responsible for cloud computing being adopted more slowly than they would like.
The growing challenges of legislation, regulation and compliance are playing their part in this. Just look at the publicity surrounding the NSA and PRISM revelations, and at the compliance obligations, data sovereignty laws and regulatory requirements from authorities like the Information Commissioner's Office (ICO).
With these increasingly complex data laws, it's becoming something of a minefield for businesses looking to become more agile, efficient and competitive using the cloud.
Compliance has its place
As an industry, we have used compliance to improve business and corporate governance, which is really important - especially in light of what has happened in the last few years. It has also helped to improve approaches to risk management, enabling businesses to understand what their risks are and what processes and measures they have in place to protect themselves.
The problem is that compliance needs to look forward and work with businesses and governments. In this age of the cloud, IT professionals are faced with a myriad of laws. This includes the ICO's guidelines putting the security responsibility on the business owning the data, instead of on the third-party cloud provider, and the authority's ability to fine a company up to £500,000 if it violates the Data Protection Act.
Furthermore, according to the Data Protection Directive of 1995 (46/EC) and the Internet Privacy Law of 2002 (58/EC), organisations are required to notify data owners if their personal data is being collected, secure data from potential abuses, and only share data with the subject's consent.
Adding fuel to the fire, businesses selling online must consider the PCI DSS (Payment Card Industry Data Security Standard). It states they must protect card data from logical or physical access, and use access controls to separate the duties between administrators and users who access credit card numbers.
Making the cloud work
In order for the cloud and compliance to get along, it's time for them to put aside their differences and for companies to go back to basics.
It seems many organisations are making assumptions about the skills required to develop, design and deliver secure cloud services. At the moment, too many businesses are trying to apply risk procedures, controls and regulations to a cloud business model that they don't truly understand.
Wrongly, they are applying old-world compliance methodologies to new-world business models - only to soon decide that they can't use the cloud effectively because of compliance. Instead, they need to better understand the cloud before applying these controls. The same applies to cloud providers: they need to embed security into their services.
IT professionals who do understand the correct way to merge the cloud and compliance come from a different perspective. Their priority is to acquire good cloud skills first, and those companies hesitant about adopting the cloud should follow suit. Only when armed with the right knowledge can businesses explore the technology, see how it can improve business operations, and apply the necessary controls to manage risk.
The right mix
Good knowledge of security and risk management should be at the top of every organisation's cloud skills wish list. Cloud and compliance are not easy bedfellows but, with the right approach and in the right order, they can be made to work together.