Standards, Compliance, and the Cloud – A Primer
Delivering software and solutions over the Cloud (internet) is far from a new concept. Although the general requirement to serve employees, partners and consumers outside of the WAN has remained constant – the technology, risks, and regulations have changed significantly over the last decade. For those that are new to the technology standards groups, regulations, and risks that are driving both new standards and enhancements to the old ones – this article will serve as a primer to jump-start your cloud efforts. If you are already an expert – please do feel free to chime in or send me an email to edit/update any missing areas or links.
What are the Drivers for Standards?
While High Tech generally moves at a fast pace – the new innovation, adoption, and risks of Cloud computing have made adjusting standards a critical element in your overall recipe for a successful Cloud strategy. Since 2000 there have been more regulations, standards, and reporting requirements affecting the IT industry than in the 50 years before. Just having common knowledge about how to build a network, IIS server, or Linux OS is no longer enough to architect and maintain a Cloud solution that complies with the unique requirements of a company’s specific industry, regulations, and technology needs.
Whether Private or Public Cloud – some of the key pain points driving standards revolve around interoperability with existing solutions/products, regulations (Personal Information Acts in the US and abroad, reporting and accounting), and the proliferation of a global economy/workforce (more technical, mobile, and virtually connected). Over time, as Cloud adoption significantly increases and new regulations/requirements come into play, the standards will need to evolve even further as our understanding of those requirements comes to light.
The purpose of this paper is to highlight that many standards already exist, along with collaborative efforts to evolve or extend them to address the unique challenges Cloud Computing has introduced.
Where does one start?
What constitutes a standard? What specific areas should be reviewed, adapted and adopted? In order to successfully implement a Cloud solution in today’s global economy one must collectively consider all the key requirements and selectively institute the ones that apply to what they are trying to achieve.
Identify the following:
Type of Cloud being implemented – Private (Internal), Public (External) or Hybrid. The requirements for each will vary depending on the answer.
Investigate Standards & Requirements for YOUR Company
Once you have determined the key areas that need to be considered based on the type of Cloud (Private, Public, Hybrid), industry, countries, business processes and vendor requirements – you are ready to identify the key standards and audit requirements to consider.
Although many say the Cloud should have its own standards – that can be construed as a little short-sighted. Cloud Computing is an evolution of various technologies. Some, such as virtualization and hosted computing, have been around for decades. Although they have significantly improved in feature functionality as hardware, bandwidth, and internet access have evolved – the basic premise has not completely changed. Given that the regulation revolution really took off almost a decade ago – many companies have had to invest millions in creating a framework that works for their organization.
It is important to understand that most companies already have tools, processes, and trained people in place for both. It is not likely that they will replace everything they have worked hard to institute to achieve SAS 70 audit control (outsourcers/providers or Public Clouds) or the control frameworks instituted to achieve regulatory compliance. Rather than re-inventing the wheel it is better to take a step back, understand what is currently there and how it is evolving to address the new risks, challenges, and requirements of today’s Cloud, and make recommendations for your organization based on the prescriptive guidance in place.
I have compiled a list of what I believe to be not only credible but very well thought out resources from industry experts. Experts are hard to come by these days, meaning there is so much information and misinformation in blogs, list-servs and groups that it is hard to really cut through the hype and understand what really needs to be done. Those that are truly working on their own implementations in practice rarely have the bandwidth to blog about it all day. So be careful about what you come across on the net unless you know it is derived from credible sources.
DMTF – The Distributed Management Task Force publishes open standards to drive interoperability across systems management frameworks (SMASH for servers, DASH for desktops, OVF – Open Virtualization Format), and most recently has published new work with recommendations for creating interoperable Clouds.
Gene Kim and George Spafford are some of the foremost authorities on compliance, hosted environments (Cloud), and virtualization. Why? Their approach is very different – it is auditor-in rather than technology-out. They have a strong collective group of both seasoned auditors and technologists to bridge the gap. Although there are many whitepapers created from the survey – the raw data is very compelling. I have to disclose that I was one of the key sponsors, both at VMware and InstallFree, because there was no other research or data like it at the time. A summary of the desktop piece can be found at http://www.vmware.com/a/webcasts/details/139.
A new draft on Cloud Security has been published that is an interesting read not only for US nationals but for those that wish to do business in the US or to leverage US hosting providers such as Amazon.
Top threats around Cloud Computing. Before architecting or pushing regulated or critical applications to the cloud – it is important to understand not only how the technology has evolved but also the new risks it brings, in order to protect your company. There are many other resources here as well that are well worth the read around application security.
On a personal note – one area that is still too nascent is application virtualization. Today many standards and inventory tools check for drift or changes to the application in the actual application file itself. However, application virtualization files (yes, files) are read-only. Malicious code instead injects into the user data or configuration files. Until the standards are updated – it is best to create some sort of custom script, or push your vendors, to actually check those files for significant changes as a potential location of a malware attack. This holds true for both DMTF and CSA (otherwise they are spot on for the most part, although I have heard there is room for improvement needed for OVF; I would love more opinions that I can pass on).
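As an added example (not code from the original article), the kind of custom drift check the paragraph recommends: it baselines the user-data and configuration files of a virtualized application by SHA-256 and reports files that were added, removed or modified since the baseline was taken. The checked file suffixes, the directory layout and the sample tree are assumptions constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Config/user-data types that stay writable even when the app package is read-only (assumed set)
CHECKED_SUFFIXES = {".ini", ".xml", ".json", ".cfg", ".dat"}

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large data files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every checked file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in CHECKED_SUFFIXES}

def detect_drift(baseline: dict, current: dict) -> dict:
    """Classify differences so an operator or a SIEM rule can triage what changed."""
    shared = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(k for k in shared if baseline[k] != current[k])}

def check(root: Path, baseline_file: Path) -> dict:
    """First run records the baseline; later runs report drift against it.
    Keep baseline_file outside root, or it would be hashed as part of the tree."""
    current = build_baseline(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2, sort_keys=True))
        return {"added": [], "removed": [], "modified": []}
    return detect_drift(json.loads(baseline_file.read_text()), current)

def demo() -> dict:
    """Constructed sample tree: baseline it, tamper with it, return the drift report."""
    root, store = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp()) / "baseline.json"
    (root / "user").mkdir()
    (root / "app.ini").write_text("updates=on\n")
    (root / "user" / "settings.xml").write_text("<settings/>\n")
    (root / "readme.txt").write_text("not a checked type\n")
    check(root, store)                                 # first run: records the baseline
    (root / "app.ini").write_text("updates=off\n")     # modified in place
    (root / "user" / "settings.xml").unlink()          # removed
    (root / "user" / "startup.cfg").write_text("run=x\n")  # newly dropped file
    return check(root, store)
```

In production the baseline should be written once from a known-good state and stored where the checked host cannot rewrite it; otherwise an attacker who can alter the config files can alter the baseline too.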
SAS 70 or the new International Standard ISAE 3402. In case you don’t know what SAS 70 is – it is the audit standard for outsourcers or hosting providers that must be passed in the U.S.
ITIL Sources – ITSMF (IT Service Management Forum), IT Governance Institute, & ISACA
IT Infrastructure Library or ITIL is a key element for most Cloud providers as it is the primary framework used in the majority of Enterprises in North America and Europe. The Control Objective Baseline for IT Standards is the framework used not only for ITIL but as the baseline to define standards and requirements for regulations. I found that by reading those standards from an IT and technologist perspective it really helped to bridge the gap between the desired state from the business and the reality of what is available (from a technology and tools perspective). There are quite a few good white papers and also publications on what the top discrepancies typically are during an IT audit. An ounce of understanding is truly worth ten pounds of cure when you are looking to reduce risk and ensure the long-term viability of your architecture.
The key guidance – do your homework; just because something worked for one individual or organization doesn’t necessarily make it viable or correct. Research the market to ensure that the technology you are using will scale and fit all the requirements from security, interoperability, regulatory, and business perspectives. In my last role I was able to bring one of the first regulated applications to an external cloud by working with the company to create a Hybrid architecture. It was the best of both worlds but really took some fine tuning to get all the regulatory (HIPAA), technology (App Virtualization, EC2/S3) and people requirements (Service Delivery, Service Support, etc.) in place. Beyond standards, plan to educate your people on the newer technologies (end users as well as the business) and make sure that when the audit comes you understand enough to defend the architecture put into place so as not to impact your overall execution and go-to-market.