Professional Documents
Culture Documents
Agenda
Compliance Requirements
Privacy laws (state privacy laws)
Financial integrity (SOX)
Industry specific regulations
Health (HIPAA, HITECH)
Payment Card (PCI DSS)
Financial (GLB, FFIEC Guidelines)
Cloud Characteristics
On demand self service
Consumers provision computing capabilities, not service
providers
Compute power, storage, bandwidth, etc.
Resource pooling
Provider provides resources dynamically, assigning and
reassigned according to demand
Typically no consumer control or knowledge of location or
assignment to hardware
Measured service
Meter usage by various parameters depending on
service (e.g., storage, processing, bandwidth, user
accounts)
Reporting usage available
8
Software as a Service
Service providers application runs in the cloud
Consumer does not manage or control the
underlying infrastructure or application
capabilities
Direct compliance is the service providers
problem
Most regulations require consumers to verify
compliance and maintain contracts
10
Platform as a Service
Consumer deploys developed or acquired
applications using languages and tools provided
by the platform provider
Consumer does not manage or control the
underlying infrastructure (network, servers,
operating systems, or storage), but controls
application
Compliance burden is split between consumer
and provider with evaluation and contract
requirements on consumer
11
12
Deployment Models
Deployment models determine who has access to the cloud and what a
cloud is used for
Single/multiple organization use
Single/multiple purpose
Single multiple provider
Private
Community
Public
Hybrid
13
Private Cloud
Complications
other parties
shared purpose (e.g., storage recycling)
14
Community Cloud
Shared by several organizations and supports a specific community
with shared concerns
Mission, security, policy, compliance
Storage protection
Administration (who has access?)
Network mechanisms (encryption, segregation, intrusion detection)
Monitoring (who monitors? How reliable)
15
Public Cloud
Hybrid cloud
Composition of two or more clouds that remain unique
but support data and application portability
Compliance is complicated by multiple entities and
multiple environments
Who is responsible for what?
How does data move?
17
Problematic Requirements
Defining boundaries
PCI DSS requires all Cardholder Data Environment
systems to be compliant with requirements
How does cloud service define what systems and
networks are in scope versus out of scope
More problems
Monitoring of access
Design of cloud systems hides cloud infrastructure from consumer
System images may be copied, moved, backed up without consumers
knowledge
Physical security
Multiple sites, portability and transparency could result in movement of
services to less secure locations
Acceptance of responsibility
Cloud provider is part of the system and will be required to prove
compliance
Need methods to keep provider at arms length (no access, no data
exposure)
19
Conclusions
The definition of Cloud computing is so broad that reasoning about
general compliance is impossible
Private cloud provides the basis for meeting requirements, but may
undermine the benefits
Purpose-built clouds may have a future
Provably segregated environments
Guarantees of access control, communications protection, storage
protection
Contracts
20