Click here to close now.




















Welcome!

@CloudExpo Authors: Liz McMillan, Srinivasan Sundara Rajan, Dan Koloski, Pat Romanski, Elizabeth White

Blog Feed Post

Can the Cloud survive regulation?

One of the greatest strengths of the Cloud is that, like the Internet, it knows no boundaries. It crosses industry and international boundaries as if they do not exist. But as is often the case, your greatest strength can also be your greatest weakness.

Take Google, for example, and it’s myriad Cloud-based application offerings. A new complaint made by google Epic (Electronic Privacy Information Center) to the US Federal Trade Commission urges the regulatory agency to “consider shutting down Google’s services until it establishes safeguards for protecting confidential information.” 

From a recent FT.com article:

In a 15-page complaint to the FTC, the Electronic Privacy Information Center (Epic) said recent reports suggested Google did not adequately protect the data it obtained. It cited vulnerabilities that revealed users' data in its Gmail webmail service, Google Docs online word processing and spreadsheets and in Google Desktop, which can index users' information held on their hard drives.

Google said it had not reviewed the filing in detail but it had "extensive policies, procedures and technologies in place to ensure the highest levels of data protection".

Privacy is mentioned as the primary concern, but reliability, too, is also mentioned as problematic in  the face of recent well-covered outages of the search-engine giant’s services. A recent nearly 24 hour windows_azure_smalloutage of Microsoft’s Azure, though admittedly of a pre-release cloud (is there really such a thing?), is certain to be cited as well as proof of the problems with reliability of cloud-based services.

Security professionals have questioned the security of the cloud, and of its suitability for applications falling under certain governmental regulations like HIPAA and BASEL II, as well as compliance with industry standard protections like PCI DSS.

GLOBAL CONCERN

What we see beginning to happen is that the cloud, with its lack of boundaries and recognition for industry and national boundaries, may fall subject to myriad – potentially conflicting – regulations regarding privacy and compliance. The US is certainly concerned with privacy, but in recent years the UK and European Union in general has surpassed even its national culture of concern regarding privacy.

Many of the EU laws and regulations regarding privacy are tougher than those in the US and elsewhere in the world, and the collision of these regulations may in fact cause cloud providers to reconsider  their global scope. Indeed, even conflicting requirements across industries may be enough to warrant something akin to the creation of “niche” clouds; cloud centers serving specific segments of industry based on the need for compliance with specific regulations both in the US and abroad.

A generalized cloud may not be able to serve all industries or all countries if regulations conflict without severely impacting the ability of other industries and countries to take advantage of the shared resources of the cloud.

Regulations around privacy and protection of data go deeper than the surface, the application. The toughest of regulations require certification of compliance from the application down to the hardware; through the infrastructure. It is at the infrastructure layer – the servers, virtualization implementation, routers, switches, and application delivery network – that the impact of compliance and regulations may be felt by industries and countries for whom these regulations are not a concern.

SHARING MORE THAN RESOURCES

While certain it appears on the surface that additional security and privacy mechanisms in the cloud would be a good thing for all customers, it is the impact that security and privacy implementations can have on the performance and capacity of the cloud that may actually increase the costs to everyone attempting to leverage cloud computing services.

Because the cloud is a shared environment, providers like Google and Microsoft must necessarily be aware that while today a given set of servers and infrastructure is serving up Bob’s Web 2.0 Social Networking and Microblogging Application, tomorrow – or in the next hour – it may be required to run cloudweban application that is more sensitive in terms of privacy and confidentiality, such as health records. While the applicability of regulations such as HIPAA to user initiated storage and transfer of records has rarely been discussed yet, it is only a matter of time before privacy concerns are raised regarding this type of personally identifiable information.

Even a strategy as simple as instituting SSL everywhere in the cloud, to ensure the private transfer of data regardless of its need to comply with governmental and industry regulation, can have a negative effect. The additional compute processing required to handle SSL can ultimately be the cause of degraded performance and capacity on servers, meaning Bob may need to pay for additional instances in order to maintain a level of performance and user concurrency with which he is satisfied. Additional instances cost money, the cloud ain’t really free, and the impact of regulations begins to be felt by everyone.

Financial services, who seem an unlikely customer of the cloud, are highly sensitized to the impact of latency and outages on their business. The additional burden of privacy and security implementations throughout the cloud infrastructure may very well make the cloud a truly hostile environment for such organizations, such that they will never adopt cloud as a viable alternative. Health care and related industries fall under the heavy-handed strictures set down by government regulations such as HIPAA in the US, requiring specific security related to the transfer of personally identifiable information that is not necessarily addressed by today’s cloud computing providers, Google Health not withstanding.

The effects of additional infrastructure and solutions and even cloud architecture designed to appease the needs of governments and industries will affect every user of the cloud, necessarily, because it’s a shared environment. Isolation of traffic, encryption, secure logs, audit trails, and other security and privacy related solutions must be universally applied because the resources within the cloud are ostensibly universally used. Whether an application needs it or not, whether the user wants it or not, becomes irrelevant because it is the cloud provider who is now participating in the compliance process and it must ensure that it meets the demands of regulations imposed across industries and international boundaries. 

THE RISE of the REGULATED CLOUD?

It may be that we will see the rise of regulated clouds; clouds within clouds specifically designed to meet the demanding needs of the myriad governmental and industry-specific privacy and data protection regulations. Regulated clouds set aside – at a premium of course – for those users and organizations who require a broader set of solutions to remain compliant even in the cloud.

The alternative is, of course, to implement a cloud architecture comprising an infrastructure and solutions designed to meet the most demanding of regulations and industry-specific needs. Doing so ensures that all users, regardless of which regulations they may fall under, are covered and need not worry about compliance. But the cost of doing so will not be trivial, and is sure to be passed on to all users one way or another. Such implementations would surely be explained away as “benefits” to all users (See? You get security and data protection *for free*!) but the reality is that the cost will be hidden in degraded capacity and performance that ultimately raise the long-term costs of doing business in the cloud.

With demands from organizations like Epic to shut down Google, and concerns raised by multiple industries on the reliability and security of the cloud in general, we are just beginning to see the impact of what sharing and “international” really means: an increasingly complex web of requirements and regulations. That may very well make the cloud a battle-zone unsuitable for any organizational use until the conflicts between security, regulations, reliability, and privacy are addressed.

Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

Reblog this post [with Zemanta]

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@CloudExpo Stories
"We've just seen a huge influx of new partners coming into our ecosystem, and partners building unique offerings on top of our API set," explained Seth Bostock, Chief Executive Officer at IndependenceIT, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Arch...
Chuck Piluso presented a study of cloud adoption trends and the power and flexibility of IBM Power and Pureflex cloud solutions. Prior to Secure Infrastructure and Services, Mr. Piluso founded North American Telecommunication Corporation, a facilities-based Competitive Local Exchange Carrier licensed by the Public Service Commission in 10 states, serving as the company's chairman and president from 1997 to 2000. Between 1990 and 1997, Mr. Piluso served as chairman & founder of International Te...
It is one thing to build single industrial IoT applications, but what will it take to build the Smart Cities and truly society-changing applications of the future? The technology won’t be the problem, it will be the number of parties that need to work together and be aligned in their motivation to succeed. In his session at @ThingsExpo, Jason Mondanaro, Director, Product Management at Metanga, discussed how you can plan to cooperate, partner, and form lasting all-star teams to change the world...
Public Cloud IaaS started its life in the developer and startup communities and has grown rapidly to a $20B+ industry, but it still pales in comparison to how much is spent worldwide on IT: $3.6 trillion. In fact, there are 8.6 million data centers worldwide, the reality is many small and medium sized business have server closets and colocation footprints filled with servers and storage gear. While on-premise environment virtualization may have peaked at 75%, the Public Cloud has lagged in adop...
The Internet of Everything (IoE) brings together people, process, data and things to make networked connections more relevant and valuable than ever before – transforming information into knowledge and knowledge into wisdom. IoE creates new capabilities, richer experiences, and unprecedented opportunities to improve business and government operations, decision making and mission support capabilities.
SYS-CON Events announced today that MobiDev, a software development company, will exhibit at the 17th International Cloud Expo®, which will take place November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software development company with representative offices in Atlanta (US), Sheffield (UK) and Würzburg (Germany); and development centers in Ukraine. Since 2009 it has grown from a small group of passionate engineers and business managers to a full-scale mobi...
Digital Transformation is the ultimate goal of cloud computing and related initiatives. The phrase is certainly not a precise one, and as subject to hand-waving and distortion as any high-falutin' terminology in the world of information technology. Yet it is an excellent choice of words to describe what enterprise IT—and by extension, organizations in general—should be working to achieve. Digital Transformation means: handling all the data types being found and created in the organizat...
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin,...
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists addressed this very serious issue of pro...
Discussions about cloud computing are evolving into discussions about enterprise IT in general. As enterprises increasingly migrate toward their own unique clouds, new issues such as the use of containers and microservices emerge to keep things interesting. In this Power Panel at 16th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the state of cloud computing today, and what enterprise IT professionals need to know about how the latest topics and trends affect t...
The essence of cloud computing is that all consumable IT resources are delivered as services. In his session at 15th Cloud Expo, Yung Chou, Technology Evangelist at Microsoft, demonstrated the concepts and implementations of two important cloud computing deliveries: Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). He discussed from business and technical viewpoints what exactly they are, why we care, how they are different and in what ways, and the strategies for IT to tran...
Containers are changing the security landscape for software development and deployment. As with any security solutions, security approaches that work for developers, operations personnel and security professionals is a requirement. In his session at DevOps Summit, Kevin Gilpin, CTO and Co-Founder of Conjur, will discuss various security considerations for container-based infrastructure and related DevOps workflows.
Countless business models have spawned from the IaaS industry. Resell Web hosting, blogs, public cloud, and on and on. With the overwhelming amount of tools available to us, it's sometimes easy to overlook that many of them are just new skins of resources we've had for a long time. In his General Session at 16th Cloud Expo, Phil Jackson, Lead Technology Evangelist at SoftLayer, broke down what we've got to work with and discuss the benefits and pitfalls to discover how we can best use them to d...
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
SYS-CON Events announced today that Agema Systems will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Agema Systems is the leading provider of critical white-box rack solutions to data centers through the major integrators and value added distribution channels.
"Our biggest growth area has been the security services, the managed services - the things that differentiate us in the market that there is no client that's too small and there's no client that's too big," explained Paul Mazzucco, Chief Security Officer at TierPoint, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
Converging digital disruptions is creating a major sea change - Cisco calls this the Internet of Everything (IoE). IoE is the network connection of People, Process, Data and Things, fueled by Cloud, Mobile, Social, Analytics and Security, and it represents a $19Trillion value-at-stake over the next 10 years. In her keynote at @ThingsExpo, Manjula Talreja, VP of Cisco Consulting Services, discussed IoE and the enormous opportunities it provides to public and private firms alike. She will share w...
"Alert Logic is a managed security service provider that basically deploys technologies, but we support those technologies with the people and process behind it," stated Stephen Coty, Chief Security Evangelist at Alert Logic, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
"We specialize in testing. DevOps is all about continuous delivery and accelerating the delivery pipeline and there is no continuous delivery without testing," noted Marc Hornbeek, Sr. Solutions Architect at Spirent Communications, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.