Click here to close now.

Welcome!

@CloudExpo Authors: Liz McMillan, Elizabeth White, John Mancini, Pat Romanski, Tom Lounibos

Blog Feed Post

Can the Cloud survive regulation?

One of the greatest strengths of the Cloud is that, like the Internet, it knows no boundaries. It crosses industry and international boundaries as if they do not exist. But as is often the case, your greatest strength can also be your greatest weakness.

Take Google, for example, and it’s myriad Cloud-based application offerings. A new complaint made by google Epic (Electronic Privacy Information Center) to the US Federal Trade Commission urges the regulatory agency to “consider shutting down Google’s services until it establishes safeguards for protecting confidential information.” 

From a recent FT.com article:

In a 15-page complaint to the FTC, the Electronic Privacy Information Center (Epic) said recent reports suggested Google did not adequately protect the data it obtained. It cited vulnerabilities that revealed users' data in its Gmail webmail service, Google Docs online word processing and spreadsheets and in Google Desktop, which can index users' information held on their hard drives.

Google said it had not reviewed the filing in detail but it had "extensive policies, procedures and technologies in place to ensure the highest levels of data protection".

Privacy is mentioned as the primary concern, but reliability, too, is also mentioned as problematic in  the face of recent well-covered outages of the search-engine giant’s services. A recent nearly 24 hour windows_azure_smalloutage of Microsoft’s Azure, though admittedly of a pre-release cloud (is there really such a thing?), is certain to be cited as well as proof of the problems with reliability of cloud-based services.

Security professionals have questioned the security of the cloud, and of its suitability for applications falling under certain governmental regulations like HIPAA and BASEL II, as well as compliance with industry standard protections like PCI DSS.

GLOBAL CONCERN

What we see beginning to happen is that the cloud, with its lack of boundaries and recognition for industry and national boundaries, may fall subject to myriad – potentially conflicting – regulations regarding privacy and compliance. The US is certainly concerned with privacy, but in recent years the UK and European Union in general has surpassed even its national culture of concern regarding privacy.

Many of the EU laws and regulations regarding privacy are tougher than those in the US and elsewhere in the world, and the collision of these regulations may in fact cause cloud providers to reconsider  their global scope. Indeed, even conflicting requirements across industries may be enough to warrant something akin to the creation of “niche” clouds; cloud centers serving specific segments of industry based on the need for compliance with specific regulations both in the US and abroad.

A generalized cloud may not be able to serve all industries or all countries if regulations conflict without severely impacting the ability of other industries and countries to take advantage of the shared resources of the cloud.

Regulations around privacy and protection of data go deeper than the surface, the application. The toughest of regulations require certification of compliance from the application down to the hardware; through the infrastructure. It is at the infrastructure layer – the servers, virtualization implementation, routers, switches, and application delivery network – that the impact of compliance and regulations may be felt by industries and countries for whom these regulations are not a concern.

SHARING MORE THAN RESOURCES

While certain it appears on the surface that additional security and privacy mechanisms in the cloud would be a good thing for all customers, it is the impact that security and privacy implementations can have on the performance and capacity of the cloud that may actually increase the costs to everyone attempting to leverage cloud computing services.

Because the cloud is a shared environment, providers like Google and Microsoft must necessarily be aware that while today a given set of servers and infrastructure is serving up Bob’s Web 2.0 Social Networking and Microblogging Application, tomorrow – or in the next hour – it may be required to run cloudweban application that is more sensitive in terms of privacy and confidentiality, such as health records. While the applicability of regulations such as HIPAA to user initiated storage and transfer of records has rarely been discussed yet, it is only a matter of time before privacy concerns are raised regarding this type of personally identifiable information.

Even a strategy as simple as instituting SSL everywhere in the cloud, to ensure the private transfer of data regardless of its need to comply with governmental and industry regulation, can have a negative effect. The additional compute processing required to handle SSL can ultimately be the cause of degraded performance and capacity on servers, meaning Bob may need to pay for additional instances in order to maintain a level of performance and user concurrency with which he is satisfied. Additional instances cost money, the cloud ain’t really free, and the impact of regulations begins to be felt by everyone.

Financial services, who seem an unlikely customer of the cloud, are highly sensitized to the impact of latency and outages on their business. The additional burden of privacy and security implementations throughout the cloud infrastructure may very well make the cloud a truly hostile environment for such organizations, such that they will never adopt cloud as a viable alternative. Health care and related industries fall under the heavy-handed strictures set down by government regulations such as HIPAA in the US, requiring specific security related to the transfer of personally identifiable information that is not necessarily addressed by today’s cloud computing providers, Google Health not withstanding.

The effects of additional infrastructure and solutions and even cloud architecture designed to appease the needs of governments and industries will affect every user of the cloud, necessarily, because it’s a shared environment. Isolation of traffic, encryption, secure logs, audit trails, and other security and privacy related solutions must be universally applied because the resources within the cloud are ostensibly universally used. Whether an application needs it or not, whether the user wants it or not, becomes irrelevant because it is the cloud provider who is now participating in the compliance process and it must ensure that it meets the demands of regulations imposed across industries and international boundaries. 

THE RISE of the REGULATED CLOUD?

It may be that we will see the rise of regulated clouds; clouds within clouds specifically designed to meet the demanding needs of the myriad governmental and industry-specific privacy and data protection regulations. Regulated clouds set aside – at a premium of course – for those users and organizations who require a broader set of solutions to remain compliant even in the cloud.

The alternative is, of course, to implement a cloud architecture comprising an infrastructure and solutions designed to meet the most demanding of regulations and industry-specific needs. Doing so ensures that all users, regardless of which regulations they may fall under, are covered and need not worry about compliance. But the cost of doing so will not be trivial, and is sure to be passed on to all users one way or another. Such implementations would surely be explained away as “benefits” to all users (See? You get security and data protection *for free*!) but the reality is that the cost will be hidden in degraded capacity and performance that ultimately raise the long-term costs of doing business in the cloud.

With demands from organizations like Epic to shut down Google, and concerns raised by multiple industries on the reliability and security of the cloud in general, we are just beginning to see the impact of what sharing and “international” really means: an increasingly complex web of requirements and regulations. That may very well make the cloud a battle-zone unsuitable for any organizational use until the conflicts between security, regulations, reliability, and privacy are addressed.

Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

Reblog this post [with Zemanta]

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@CloudExpo Stories
Containers have changed the mind of IT in DevOps. They enable developers to work with dev, test, stage and production environments identically. Containers provide the right abstraction for microservices and many cloud platforms have integrated them into deployment pipelines. DevOps and Containers together help companies to achieve their business goals faster and more effectively. In his session at DevOps Summit, Ruslan Synytsky, CEO and Co-founder of Jelastic, reviewed the current landscape of...
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Arch...
IT data is typically silo'd by the various tools in place. Unifying all the log, metric and event data in one analytics platform stops finger pointing and provides the end-to-end correlation. Logs, metrics and custom event data can be joined to tell the holistic story of your software and operations. For example, users can correlate code deploys to system performance to application error codes. In his session at DevOps Summit, Michael Demmer, VP of Engineering at Jut, will discuss how this can...
The last decade was about virtual machines, but the next one is about containers. Containers enable a service to run on any host at any time. Traditional tools are starting to show cracks because they were not designed for this level of application portability. Now is the time to look at new ways to deploy and manage applications at scale. In his session at @DevOpsSummit, Brian “Redbeard” Harrington, a principal architect at CoreOS, will examine how CoreOS helps teams run in production. Attende...
Containers are revolutionizing the way we deploy and maintain our infrastructures, but monitoring and troubleshooting in a containerized environment can still be painful and impractical. Understanding even basic resource usage is difficult – let alone tracking network connections or malicious activity. In his session at DevOps Summit, Gianluca Borello, Sr. Software Engineer at Sysdig, will cover the current state of the art for container monitoring and visibility, including pros / cons and liv...
Live Webinar with 451 Research Analyst Peter Christy. Join us on Wednesday July 22, 2015, at 10 am PT / 1 pm ET In a world where users are on the Internet and the applications are in the cloud, how do you maintain your historic SLA with your users? Peter Christy, Research Director, Networks at 451 Research, will discuss this new network paradigm, one in which there is no LAN and no WAN, and discuss what users and network administrators gain and give up when migrating to the agile world of clo...
Agile, which started in the development organization, has gradually expanded into other areas downstream - namely IT and Operations. Teams – then teams of teams – have streamlined processes, improved feedback loops and driven a much faster pace into IT departments which have had profound effects on the entire organization. In his session at DevOps Summit, Anders Wallgren, Chief Technology Officer of Electric Cloud, will discuss how DevOps and Continuous Delivery have emerged to help connect dev...
WebRTC converts the entire network into a ubiquitous communications cloud thereby connecting anytime, anywhere through any point. In his session at WebRTC Summit,, Mark Castleman, EIR at Bell Labs and Head of Future X Labs, will discuss how the transformational nature of communications is achieved through the democratizing force of WebRTC. WebRTC is doing for voice what HTML did for web content.
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists addressed this very serious issue of pro...
"A lot of the enterprises that have been using our systems for many years are reaching out to the cloud - the public cloud, the private cloud and hybrid," stated Reuven Harrison, CTO and Co-Founder of Tufin, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
"We got started as search consultants. On the services side of the business we have help organizations save time and save money when they hit issues that everyone more or less hits when their data grows," noted Otis Gospodnetić, Founder of Sematext, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.
Internet of Things (IoT) will be a hybrid ecosystem of diverse devices and sensors collaborating with operational and enterprise systems to create the next big application. In their session at @ThingsExpo, Bramh Gupta, founder and CEO of robomq.io, and Fred Yatzeck, principal architect leading product development at robomq.io, discussed how choosing the right middleware and integration strategy from the get-go will enable IoT solution developers to adapt and grow with the industry, while at th...
"We have a tagline - "Power in the API Economy." What that means is everything that is built in applications and connected applications is done through APIs," explained Roberto Medrano, Executive Vice President at Akana, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
Internet of Things is moving from being a hype to a reality. Experts estimate that internet connected cars will grow to 152 million, while over 100 million internet connected wireless light bulbs and lamps will be operational by 2020. These and many other intriguing statistics highlight the importance of Internet powered devices and how market penetration is going to multiply many times over in the next few years.
In his session at 16th Cloud Expo, Simone Brunozzi, VP and Chief Technologist of Cloud Services at VMware, reviewed the changes that the cloud computing industry has gone through over the last five years and shared insights into what the next five will bring. He also chronicled the challenges enterprise companies are facing as they move to the public cloud. He delved into the "Hybrid Cloud" space and explained why every CIO should consider ‘hybrid cloud' as part of their future strategy to achi...
"We help to transform an organization and their operations and make them more efficient, more agile, and more nimble to move into the cloud or to move between cloud providers and create an agnostic tool set," noted Jeremy Steinert, DevOps Services Practice Lead at WSM International, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.
The basic integration architecture, as defined by ESBs, hasn’t changed for more than a decade. Most cloud integration providers still rely on an ESB architecture and their proprietary connectors. As a result, enterprise integration projects suffer from constraints of availability and reliability of these connectors that are not re-usable across other integration vendors. However, the rapid adoption of APIs and almost ubiquitous availability of APIs amongst most SaaS and Cloud applications are ra...
"What Dyn is able to do with our Internet performance and our Internet intelligence is give companies visibility into what is actually going on in that cloud," noted Corey Hamilton, Product Marketing Manager at Dyn, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
Manufacturing has widely adopted standardized and automated processes to create designs, build them, and maintain them through their life cycle. However, many modern manufacturing systems go beyond mechanized workflows to introduce empowered workers, flexible collaboration, and rapid iteration. Such behaviors also characterize open source software development and are at the heart of DevOps culture, processes, and tooling.
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi’s VP Business Development and Engineering, will explore the IoT cloud-based platform technologies drivi...