Click here to close now.

Welcome!

Cloud Expo Authors: Liz McMillan, Elizabeth White, Carmen Gonzalez, Pat Romanski, Jnan Dash

Blog Feed Post

Can the Cloud survive regulation?

One of the greatest strengths of the Cloud is that, like the Internet, it knows no boundaries. It crosses industry and international boundaries as if they do not exist. But as is often the case, your greatest strength can also be your greatest weakness.

Take Google, for example, and it’s myriad Cloud-based application offerings. A new complaint made by google Epic (Electronic Privacy Information Center) to the US Federal Trade Commission urges the regulatory agency to “consider shutting down Google’s services until it establishes safeguards for protecting confidential information.” 

From a recent FT.com article:

In a 15-page complaint to the FTC, the Electronic Privacy Information Center (Epic) said recent reports suggested Google did not adequately protect the data it obtained. It cited vulnerabilities that revealed users' data in its Gmail webmail service, Google Docs online word processing and spreadsheets and in Google Desktop, which can index users' information held on their hard drives.

Google said it had not reviewed the filing in detail but it had "extensive policies, procedures and technologies in place to ensure the highest levels of data protection".

Privacy is mentioned as the primary concern, but reliability, too, is also mentioned as problematic in  the face of recent well-covered outages of the search-engine giant’s services. A recent nearly 24 hour windows_azure_smalloutage of Microsoft’s Azure, though admittedly of a pre-release cloud (is there really such a thing?), is certain to be cited as well as proof of the problems with reliability of cloud-based services.

Security professionals have questioned the security of the cloud, and of its suitability for applications falling under certain governmental regulations like HIPAA and BASEL II, as well as compliance with industry standard protections like PCI DSS.

GLOBAL CONCERN

What we see beginning to happen is that the cloud, with its lack of boundaries and recognition for industry and national boundaries, may fall subject to myriad – potentially conflicting – regulations regarding privacy and compliance. The US is certainly concerned with privacy, but in recent years the UK and European Union in general has surpassed even its national culture of concern regarding privacy.

Many of the EU laws and regulations regarding privacy are tougher than those in the US and elsewhere in the world, and the collision of these regulations may in fact cause cloud providers to reconsider  their global scope. Indeed, even conflicting requirements across industries may be enough to warrant something akin to the creation of “niche” clouds; cloud centers serving specific segments of industry based on the need for compliance with specific regulations both in the US and abroad.

A generalized cloud may not be able to serve all industries or all countries if regulations conflict without severely impacting the ability of other industries and countries to take advantage of the shared resources of the cloud.

Regulations around privacy and protection of data go deeper than the surface, the application. The toughest of regulations require certification of compliance from the application down to the hardware; through the infrastructure. It is at the infrastructure layer – the servers, virtualization implementation, routers, switches, and application delivery network – that the impact of compliance and regulations may be felt by industries and countries for whom these regulations are not a concern.

SHARING MORE THAN RESOURCES

While certain it appears on the surface that additional security and privacy mechanisms in the cloud would be a good thing for all customers, it is the impact that security and privacy implementations can have on the performance and capacity of the cloud that may actually increase the costs to everyone attempting to leverage cloud computing services.

Because the cloud is a shared environment, providers like Google and Microsoft must necessarily be aware that while today a given set of servers and infrastructure is serving up Bob’s Web 2.0 Social Networking and Microblogging Application, tomorrow – or in the next hour – it may be required to run cloudweban application that is more sensitive in terms of privacy and confidentiality, such as health records. While the applicability of regulations such as HIPAA to user initiated storage and transfer of records has rarely been discussed yet, it is only a matter of time before privacy concerns are raised regarding this type of personally identifiable information.

Even a strategy as simple as instituting SSL everywhere in the cloud, to ensure the private transfer of data regardless of its need to comply with governmental and industry regulation, can have a negative effect. The additional compute processing required to handle SSL can ultimately be the cause of degraded performance and capacity on servers, meaning Bob may need to pay for additional instances in order to maintain a level of performance and user concurrency with which he is satisfied. Additional instances cost money, the cloud ain’t really free, and the impact of regulations begins to be felt by everyone.

Financial services, who seem an unlikely customer of the cloud, are highly sensitized to the impact of latency and outages on their business. The additional burden of privacy and security implementations throughout the cloud infrastructure may very well make the cloud a truly hostile environment for such organizations, such that they will never adopt cloud as a viable alternative. Health care and related industries fall under the heavy-handed strictures set down by government regulations such as HIPAA in the US, requiring specific security related to the transfer of personally identifiable information that is not necessarily addressed by today’s cloud computing providers, Google Health not withstanding.

The effects of additional infrastructure and solutions and even cloud architecture designed to appease the needs of governments and industries will affect every user of the cloud, necessarily, because it’s a shared environment. Isolation of traffic, encryption, secure logs, audit trails, and other security and privacy related solutions must be universally applied because the resources within the cloud are ostensibly universally used. Whether an application needs it or not, whether the user wants it or not, becomes irrelevant because it is the cloud provider who is now participating in the compliance process and it must ensure that it meets the demands of regulations imposed across industries and international boundaries. 

THE RISE of the REGULATED CLOUD?

It may be that we will see the rise of regulated clouds; clouds within clouds specifically designed to meet the demanding needs of the myriad governmental and industry-specific privacy and data protection regulations. Regulated clouds set aside – at a premium of course – for those users and organizations who require a broader set of solutions to remain compliant even in the cloud.

The alternative is, of course, to implement a cloud architecture comprising an infrastructure and solutions designed to meet the most demanding of regulations and industry-specific needs. Doing so ensures that all users, regardless of which regulations they may fall under, are covered and need not worry about compliance. But the cost of doing so will not be trivial, and is sure to be passed on to all users one way or another. Such implementations would surely be explained away as “benefits” to all users (See? You get security and data protection *for free*!) but the reality is that the cost will be hidden in degraded capacity and performance that ultimately raise the long-term costs of doing business in the cloud.

With demands from organizations like Epic to shut down Google, and concerns raised by multiple industries on the reliability and security of the cloud in general, we are just beginning to see the impact of what sharing and “international” really means: an increasingly complex web of requirements and regulations. That may very well make the cloud a battle-zone unsuitable for any organizational use until the conflicts between security, regulations, reliability, and privacy are addressed.

Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

Reblog this post [with Zemanta]

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@CloudExpo Stories
SYS-CON Events announced today that ActiveState, the leading independent Cloud Foundry and Docker-based PaaS provider, has been named “Silver Sponsor” of SYS-CON's DevOps Summit New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. ActiveState believes that enterprises gain a competitive advantage when they are able to quickly create, deploy and efficiently manage software solutions that immediately create business value, but they face many challenges that ...
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes ...
SYS-CON Events announced today that Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® and DevOps Summit 2015 New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo® and DevOps Summit 2015 Silicon Valley, which will take place November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Plutora, Inc., the leading global provider of enterprise release management and test environment management SaaS solutions, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Headquartered in Mountain View, California, Plutora provides enterprise release management and test environment SaaS solutions to clients in North America, Europe and Asia Pacific. Leading companies ...
SYS-CON Events announced today that kintone has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. kintone promotes cloud-based workgroup productivity, transparency and profitability with a seamless collaboration space, build your own business applic...
SYS-CON Events announced today that Akana, formerly SOA Software, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Akana’s comprehensive suite of API Management, API Security, Integrated SOA Governance, and Cloud Integration solutions helps businesses accelerate digital transformation by securely extending their reach across multiple channels – mobile, cloud and Internet of Thi...
SYS-CON Events announced today that CommVault has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. A singular vision – a belief in a better way to address current and future data management needs – guides CommVault in the development of Singular In...
SYS-CON Events announced today that SafeLogic has been named “Bag Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. SafeLogic provides security products for applications in mobile and server/appliance environments. SafeLogic’s flagship product CryptoComply is a FIPS 140-2 validated cryptographic engine designed to secure data on servers, workstations, appliances, mobile devices, and in the Cloud....
SYS-CON Events announced today that FierceDevOps will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. FierceDevOps keeps software developers and IT operations personnel updated on the latest news and trends around the rapidly evolving role of the traditional IT worker.
SYS-CON Events announced today that QTS Realty Trust, one of the nation’s largest and fastest-growing providers of data center facilities and cloud services and a leader in security and compliance, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. QTS Realty Trust, Inc. (NYSE: QTS) is a leading national provider of data center solutions and fully managed services, and a leader in security and compliance...
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the...
SYS-CON Events announced today that IndependenceIT, a leading software provider of simplified IT management solutions for workspaces, applications and desktops-as-a-service, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. IndependenceIT's Cloud Workspace® Suite combines application, end-user and infrastructure management into a seamless, easy-to-manage platform, with a unified management interface an...
SYS-CON Events announced today that WSM International (WSM), the world’s leading cloud and server migration services provider, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. WSM is a solutions integrator with a core focus on cloud and server migration, transformation and DevOps services.
SYS-CON Events announced today that that Innodisk, the service-driven provider of industrial embedded flash and DRAM storage products and technologies, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Innodisk is a service-driven provider of industrial embedded flash and DRAM storage products and technologies. With satisfied customers across the embedded, aerospace and defense, cloud storage markets an...
SYS-CON Events announced today that StorPool Storage will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. StorPool is distributed storage software that allows service providers, enterprises and other cloud builders to run data storage on standard x86 servers, instead of using expensive and inefficient storage arrays (SAN).
SYS-CON Events announced today that Site24x7, the cloud infrastructure monitoring service, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Site24x7 is a cloud infrastructure monitoring service that helps monitor the uptime and performance of websites, online applications, servers, mobile websites and custom APIs. The monitoring is done from 50+ locations across the world and from various wireless carr...
SYS-CON Events announced today that B2Cloud, a provider of enterprise resource planning software, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. B2cloud develops the software you need. They have the ideal tools to help you work with your clients. B2Cloud’s main solutions include AGIS – ERP, CLOHC, AGIS – Invoice, and IZUM
SYS-CON Events announced today that Intelligent Systems Services will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Established in 1994, Intelligent Systems Services Inc. is located near Washington, DC, with representatives and partners nationwide. ISS’s well-established track record is based on the continuous pursuit of excellence in designing, implementing and supporting nationwide clients’ mission-cri...
While DevOps most critically and famously fosters collaboration, communication, and integration through cultural change, culture is more of an output than an input. In order to actively drive cultural evolution, organizations must make substantial organizational and process changes, and adopt new technologies, to encourage a DevOps culture. Moderated by Andi Mann, panelists will discuss how to balance these three pillars of DevOps, where to focus attention (and resources), where organizations m...
How do you securely enable access to your applications in AWS without exposing any attack surfaces? The answer is usually very complicated because application environments morph over time in response to growing requirements from your employee base, your partners and your customers. In his session at 16th Cloud Expo, Haseeb Budhani, CEO and Co-founder of Soha, will share five common approaches that DevOps teams follow to secure access to applications deployed in AWS, Azure, etc., and the frict...