Up front, I feel I need to make a fair disclosure statement: I am a cloud computing skeptic.
There, I said it. I know, I know -- as an IT analyst who is focused on virtualization and data center management, I should be a booster for cloud computing like most of my peers.
However, while I try to find enthusiasm (and the benefits seem so exceptional that I really do want to believe), the more I speak to seasoned IT pros about cloud computing, especially in larger enterprises, the more I hear it dismissed as an overhyped fantasy that fails to accommodate how IT actually works. In this article, I'll cover why I agree with the naysayers of cloud computing, especially when it comes to security and compliance.
Security issues in cloud computing environments
Within the enterprise and on the visible systems, most organizations pay extraordinary attention and devote considerable resources to IT security. Entire teams maintain strict granular identity and access controls. Production data is not mixed with testing data, customer access is not mixed with developer access, and sensitive workloads are kept separate from open or promiscuous applications. Security patches are kept up to date, configurations are monitored for breaches, workarounds are applied for zero-day threats and malware detection systems are constantly updated. Virtual images, hard drives and backups are encrypted and password-protected.
All of these activities are very particular to differences in platforms, applications, release levels, versions and other infrastructure details. In the cloud, where such details are supposedly irrelevant, who takes care of the intricacies of security management? How can enterprises be sure that cloud providers -- especially external providers -- are staying up to par as much as they should with patches, updates, workarounds, access restriction, etc.? Who makes sure that administrators are doing what they are meant to -- and only what they are meant to? Who establishes, maintains and checks audit trails -- assuming they are even being recorded in the first place?
Ensuring compliance in the cloud
When it comes to compliance, more questions arise with even fewer answers. Consider, for example, placing any activity that accepts credit cards with a cloud provider. How do you ensure PCI compliance? If you have financial and accounting information in the cloud, how do you ensure the audit and control of financial information to satisfy the requirements of Sarbanes-Oxley, or SOX, 404 (in the United States); the Markets in Financial Instruments Directive, or MiFID (in the UK); JSOX (in Japan); or the Corporate Law Economic Reform Program, or CLERP 9 (in Australia)? If you have customer data in the cloud, where are the controls that ensure compliance with your published privacy policies and with the privacy and freedom of information regulations in force in all of the countries where you do business? If you have any kind of official records stored on cloud resources -- files, documents, emails, instant messages, memos, forms, scanned images, etc. -- how do you ensure retention policies comply with the Federal Rules of Civil Procedure in the case of a lawsuit, or with DoD 5015.2 record-keeping regulations?
Monitoring SLAs and contracts
Of course, there is always a chance, especially for more circumspect organizations, to establish process-based and/or contractual controls. With the opaque nature of the cloud, where you are blind to the platforms, systems and technologies that supply IT services, this may be the only way to ensure security and compliance.
But who watches the watchmen?
Even when service-level agreements (SLAs) are set and contracts are signed, who is responsible for monitoring, auditing and enforcing them? If security is breached or audits fail, who is responsible for measuring and reporting the breaches? Since the cloud service consumer has no visibility inside the cloud, the only option is to trust the provider. Unfortunately, with no chance for independent verification, providers have little or no incentive to admit fault. Essentially, we are leaving the fox in charge of the henhouse.
The fundamental conflict: Visibility
The fundamental conflict here is the idea that cloud computing denies granular visibility; yet as IT pros we need granular visibility to ensure security and compliance.
For many stakeholders, lack of visibility is a great outcome, and one of the real drivers for cloud computing. In truth, no one really wants to be responsible for the minutiae of managing low-level IT components.
However, a secure and compliant environment is not possible without granular visibility into these low-level components. IT pros must be intimately involved with the lowest level of functional detail -- not because they want to be, but because they need to be.
Is a secure, compliant cloud possible?
Of course, this is not to say that there are no possible solutions. Digging deep for that elusive enthusiasm, I hope to see trusted relationships, federated services, auditable standards, third-party monitors, pseudo-clouds and other solutions that address these issues in future, at least in part. And in specific functional areas, cloud computing can even help to directly enable security and compliance (e.g. cloud-based services for message filtering, firewalls, vulnerability testing, etc.).
Still, the critical factor will, in the end, likely boil down to what it always does: Does the business accept the risk? This is far different from asking whether the business understands the risk. As with virtualization, when the business only sees the upside of cloud computing, it may well take a disaster to force it to look at the real risks it exposes.
In the meantime, however, IT pros and the business units they support need to be very circumspect about giving in completely to the hype of cloud computing. At least for now, there is a fundamental disconnect between cloud computing and mission-critical IT when it comes to ensuring security and compliance.
ABOUT THE AUTHOR: Andi Mann is a Research Director with the IT analyst firm ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™). Andi has over 20 years of IT experience in both technical and management roles, working with enterprise systems and software on mainframes, midrange, servers, and desktops. Andi leads the EMA Systems Management research practice, with a personal focus on data center automation and virtualization. For more information, visit the EMA website.