Welcome!

Cloud Expo Authors: Greg Ness, Bernard Golden, Roger Strukhoff, Elizabeth White, Carmen Gonzalez

Blog Feed Post

Can the Cloud survive regulation?

One of the greatest strengths of the Cloud is that, like the Internet, it knows no boundaries. It crosses industry and international boundaries as if they do not exist. But as is often the case, your greatest strength can also be your greatest weakness.

Take Google, for example, and it’s myriad Cloud-based application offerings. A new complaint made by google Epic (Electronic Privacy Information Center) to the US Federal Trade Commission urges the regulatory agency to “consider shutting down Google’s services until it establishes safeguards for protecting confidential information.” 

From a recent FT.com article:

In a 15-page complaint to the FTC, the Electronic Privacy Information Center (Epic) said recent reports suggested Google did not adequately protect the data it obtained. It cited vulnerabilities that revealed users' data in its Gmail webmail service, Google Docs online word processing and spreadsheets and in Google Desktop, which can index users' information held on their hard drives.

Google said it had not reviewed the filing in detail but it had "extensive policies, procedures and technologies in place to ensure the highest levels of data protection".

Privacy is mentioned as the primary concern, but reliability, too, is also mentioned as problematic in  the face of recent well-covered outages of the search-engine giant’s services. A recent nearly 24 hour windows_azure_smalloutage of Microsoft’s Azure, though admittedly of a pre-release cloud (is there really such a thing?), is certain to be cited as well as proof of the problems with reliability of cloud-based services.

Security professionals have questioned the security of the cloud, and of its suitability for applications falling under certain governmental regulations like HIPAA and BASEL II, as well as compliance with industry standard protections like PCI DSS.

GLOBAL CONCERN

What we see beginning to happen is that the cloud, with its lack of boundaries and recognition for industry and national boundaries, may fall subject to myriad – potentially conflicting – regulations regarding privacy and compliance. The US is certainly concerned with privacy, but in recent years the UK and European Union in general has surpassed even its national culture of concern regarding privacy.

Many of the EU laws and regulations regarding privacy are tougher than those in the US and elsewhere in the world, and the collision of these regulations may in fact cause cloud providers to reconsider  their global scope. Indeed, even conflicting requirements across industries may be enough to warrant something akin to the creation of “niche” clouds; cloud centers serving specific segments of industry based on the need for compliance with specific regulations both in the US and abroad.

A generalized cloud may not be able to serve all industries or all countries if regulations conflict without severely impacting the ability of other industries and countries to take advantage of the shared resources of the cloud.

Regulations around privacy and protection of data go deeper than the surface, the application. The toughest of regulations require certification of compliance from the application down to the hardware; through the infrastructure. It is at the infrastructure layer – the servers, virtualization implementation, routers, switches, and application delivery network – that the impact of compliance and regulations may be felt by industries and countries for whom these regulations are not a concern.

SHARING MORE THAN RESOURCES

While certain it appears on the surface that additional security and privacy mechanisms in the cloud would be a good thing for all customers, it is the impact that security and privacy implementations can have on the performance and capacity of the cloud that may actually increase the costs to everyone attempting to leverage cloud computing services.

Because the cloud is a shared environment, providers like Google and Microsoft must necessarily be aware that while today a given set of servers and infrastructure is serving up Bob’s Web 2.0 Social Networking and Microblogging Application, tomorrow – or in the next hour – it may be required to run cloudweban application that is more sensitive in terms of privacy and confidentiality, such as health records. While the applicability of regulations such as HIPAA to user initiated storage and transfer of records has rarely been discussed yet, it is only a matter of time before privacy concerns are raised regarding this type of personally identifiable information.

Even a strategy as simple as instituting SSL everywhere in the cloud, to ensure the private transfer of data regardless of its need to comply with governmental and industry regulation, can have a negative effect. The additional compute processing required to handle SSL can ultimately be the cause of degraded performance and capacity on servers, meaning Bob may need to pay for additional instances in order to maintain a level of performance and user concurrency with which he is satisfied. Additional instances cost money, the cloud ain’t really free, and the impact of regulations begins to be felt by everyone.

Financial services, who seem an unlikely customer of the cloud, are highly sensitized to the impact of latency and outages on their business. The additional burden of privacy and security implementations throughout the cloud infrastructure may very well make the cloud a truly hostile environment for such organizations, such that they will never adopt cloud as a viable alternative. Health care and related industries fall under the heavy-handed strictures set down by government regulations such as HIPAA in the US, requiring specific security related to the transfer of personally identifiable information that is not necessarily addressed by today’s cloud computing providers, Google Health not withstanding.

The effects of additional infrastructure and solutions and even cloud architecture designed to appease the needs of governments and industries will affect every user of the cloud, necessarily, because it’s a shared environment. Isolation of traffic, encryption, secure logs, audit trails, and other security and privacy related solutions must be universally applied because the resources within the cloud are ostensibly universally used. Whether an application needs it or not, whether the user wants it or not, becomes irrelevant because it is the cloud provider who is now participating in the compliance process and it must ensure that it meets the demands of regulations imposed across industries and international boundaries. 

THE RISE of the REGULATED CLOUD?

It may be that we will see the rise of regulated clouds; clouds within clouds specifically designed to meet the demanding needs of the myriad governmental and industry-specific privacy and data protection regulations. Regulated clouds set aside – at a premium of course – for those users and organizations who require a broader set of solutions to remain compliant even in the cloud.

The alternative is, of course, to implement a cloud architecture comprising an infrastructure and solutions designed to meet the most demanding of regulations and industry-specific needs. Doing so ensures that all users, regardless of which regulations they may fall under, are covered and need not worry about compliance. But the cost of doing so will not be trivial, and is sure to be passed on to all users one way or another. Such implementations would surely be explained away as “benefits” to all users (See? You get security and data protection *for free*!) but the reality is that the cost will be hidden in degraded capacity and performance that ultimately raise the long-term costs of doing business in the cloud.

With demands from organizations like Epic to shut down Google, and concerns raised by multiple industries on the reliability and security of the cloud in general, we are just beginning to see the impact of what sharing and “international” really means: an increasingly complex web of requirements and regulations. That may very well make the cloud a battle-zone unsuitable for any organizational use until the conflicts between security, regulations, reliability, and privacy are addressed.

Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

Reblog this post [with Zemanta]

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@CloudExpo Stories
The major cloud platforms defy a simple, side-by-side analysis. Each of the major IaaS public-cloud platforms offers their own unique strengths and functionality. Options for on-site private cloud are diverse as well, and must be designed and deployed while taking existing legacy architecture and infrastructure into account. Then the reality is that most enterprises are embarking on a hybrid cloud strategy and programs. In this Power Panel at 15th Cloud Expo, moderated by Ashar Baig, Research ...
In her General Session at 15th Cloud Expo, Anne Plese, Senior Consultant, Cloud Product Marketing, at Verizon Enterprise, will focus on finding the right mix of renting vs. buying Oracle capacity to scale to meet business demands, and offer validated Oracle database TCO models for Oracle development and testing environments. Anne Plese is a marketing and technology enthusiast/realist with over 19+ years in high tech. At Verizon Enterprise, she focuses on driving growth for the Verizon Cloud pla...
StackIQ offers a comprehensive software suite that automates the deployment, provisioning, and management of Big Infrastructure. With StackIQ’s software, you can spin up fully configured big data clusters, quickly and consistently — from bare-metal up to the applications layer — and manage them efficiently. Our software’s modular architecture allows customers to integrate nearly any application with the StackIQ software stack.
As Platform as a Service (PaaS) matures as a category, developers should have the ability to use the programming language of their choice to build applications and have access to a wide array of services. Bluemix is IBM's open cloud development platform that enables users to easily build cloud-based, creative mobile and web applications without having to spend large amounts of time and resources on configuring infrastructure and multiple software licenses. In this track, you will learn about the...
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at Internet of @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, will discuss how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money! Speaker Bio: ...
Compute virtualization has been transformational, yet security policy implementation and enforcement has lagged behind in agility and automation. There are a number of key considerations when implementing policy in private and hybrid clouds. In his session at 15th Cloud Expo, Holland Barry, VP of Technology at Catbird, will discuss the impact of this new paradigm and what organizations can do today to safely move to software-defined network and compute architectures, including: How normal ope...
Samsung VP Jacopo Lenzi, who headed the company's recent SmartThings acquisition under the auspices of Samsung's Open Innovaction Center (OIC), answered a few questions we had about the deal. This interview was in conjunction with our interview with SmartThings CEO Alex Hawkinson. IoT Journal: SmartThings was developed in an open, standards-agnostic platform, and will now be part of Samsung's Open Innovation Center. Can you elaborate on your commitment to keep the platform open? Jacopo Lenzi: S...
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic • Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff hap...
SYS-CON Events announced today that SOA Software, an API management leader, will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. SOA Software is a leading provider of API Management and SOA Governance products that equip business to deliver APIs and SOA together to drive their company to meet its business strategy quickly and effectively. SOA Software’s technology helps businesses to accel...
SYS-CON Events announced today that Utimaco will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Utimaco is a leading manufacturer of hardware based security solutions that provide the root of trust to keep cryptographic keys safe, secure critical digital infrastructures and protect high value data assets. Only Utimaco delivers a general-purpose hardware security module (HSM) as a customiz...
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
SYS-CON Events announced today that ElasticBox is holding a Hackathon at DevOps Summit, November 6 from 12 pm -4 pm at the Santa Clara Convention Center in Santa Clara, CA. You can enter as an individual or team of up to 10 developers. A New Star Is Born Every Month! All completed ElasticBoxes will then be sent to a judging panel - 12 winners will be featured on the ElasticBox website in 2015. All entrants will receive five full enterprise licenses for one year + ElasticBox headphones + Elasti...
Once the decision has been made to move part or all of a workload to the cloud, a methodology for selecting that workload needs to be established. How do you move to the cloud? What does the discovery, assessment and planning look like? What workloads make sense? Which cloud model makes sense for each workload? What are the considerations for how to select the right cloud model? And how does that fit in with the overall IT tranformation? In his session at 15th Cloud Expo, John Hatem, head of V...
Cloud services are the newest tool in the arsenal of IT products in the market today. These cloud services integrate process and tools. In order to use these products effectively, organizations must have a good understanding of themselves and their business requirements. In his session at 15th Cloud Expo, Brian Lewis, Principal Architect at Verizon Cloud, will outline key areas of organizational focus, and how to formalize an actionable plan when migrating applications and internal services to...
SAP is delivering break-through innovation combined with fantastic user experience powered by the market-leading in-memory technology, SAP HANA. In his General Session at 15th Cloud Expo, Thorsten Leiduck, VP ISVs & Digital Commerce, SAP, will discuss how SAP and partners provide cloud and hybrid cloud solutions as well as real-time Big Data offerings that help companies of all sizes and industries run better. SAP launched an application challenge to award the most innovative SAP HANA and SAP ...
Ixia develops amazing products so its customers can connect the world. Ixia helps its customers provide an always-on user experience through fast, secure delivery of dynamic connected technologies and services. Through actionable insights that accelerate and secure application and service delivery, Ixia's customers benefit from faster time to market, optimized application performance and higher-quality deployments.
SYS-CON Events announced today that Calm.io has been named “Bronze Sponsor” of DevOps Summit Silicon Valley, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Calm.io is a cloud orchestration platform for AWS, vCenter, OpenStack, or bare metal, that runs your CL tools puppet, Chef, shell, git, Jenkins, nagios, and will soon support New Relic and Docker. It can run hosted, or on premise and provides VM automation / expiry, self-service portals,...
SYS-CON Events announced today that Aria Systems, the recurring revenue expert, has been named "Bronze Sponsor" of SYS-CON's 15th International Cloud Expo®, which will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Aria Systems helps leading businesses connect their customers with the products and services they love. Industry leaders like Pitney Bowes, Experian, AAA NCNU, VMware, HootSuite and many others choose Aria to power their recurring revenue bu...
The Internet of Things (IoT) is going to require a new way of thinking and of developing software for speed, security and innovation. This requires IT leaders to balance business as usual while anticipating for the next market and technology trends. Cloud provides the right IT asset portfolio to help today’s IT leaders manage the old and prepare for the new. Today the cloud conversation is evolving from private and public to hybrid. This session will provide use cases and insights to reinforce t...
Blue Box has closed a $10 million Series B financing. The round was led by a strategic investor and included participation from prior investors including Voyager Capital and Founders Collective, as well as the Blue Box executive team. This round follows a $4.3 million Series A closed in December of 2012 and led by Voyager Capital. In May of this year, the company announced general availability of its private cloud as a service offering, Blue Box Cloud. Since that release, the company has dem...