Enterprise customers who ask cloud providers for help with cloud compliance requirements may be looking in all the wrong places. Although cloud providers need to understand the regulatory standards their customers are subject to, the onus of achieving cloud compliance is on the customer.
Cloud providers should offer transparency in their service offerings, so that customers with regulatory compliance considerations attached to their data can select the most appropriate cloud environment -- which can include private, public or hybrid environments. Cloud providers should present infrastructure options to customers, keeping in mind that while there may not be a technical solution to solve cloud compliance concerns, cloud infrastructure options -- like shared or single-tenant environments -- can alleviate the anxiety associated with moving sensitive information to the cloud.
Customer, not cloud provider, responsible for cloud compliance
Meeting compliance and regulatory standards falls predominantly into the customer's lap, not the cloud provider's, noted Tom Nolle, president of CIMI Corp. "For considerations like compliance, customers are not going to be finding solutions in the cloud; there's not really a technical solution to compliance."
Just because customers must meet their own cloud compliance standards doesn't mean cloud providers are off the hook, though. Joyent, a cloud provider geared toward the enterprise, offers transparency of its cloud infrastructure to its customers.
"Some customers need to know that they are the only ones on a machine, and the cloud provider must be up front with what type of models they offer in the data center," said Jason Hoffman, chief technology officer for Joyent. "I think the key on the part of the provider around physical layers and physical constraints is being completely transparent to the customer, so they can reach compliancy. A cloud provider should not stand in the way of compliance, but meeting compliance in the cloud is the responsibility of the [enterprise] that has to meet certain standards."
Cloud providers are responsible for putting in place extra protection mechanisms for data encryption for their customers in a shared environment, but the cloud provider should not necessarily be held accountable for showing up with these solutions, said Amy DeCarlo, principal analyst of security and data center services at Current Analysis.
Customers must come forward with security demands if their industry-specific compliance standards dictate them, she continued. "The cloud provider may offer these solutions, but the customer has to say 'this is our data, this is where this particular segment needs to be,' and it may need to be handled differently than another workload."
"I haven't seen any [cloud provider] that has been able to deliver an enterprise cloud service that is multi-tenant and can claim a high level of compliance, but it doesn't mean that it's not out there. While I think it's theoretically possible to offer compliance assurance in a multi-tenant cloud environment, it's very difficult," DeCarlo said.
Some enterprises or government organizations -- such as those within the federal government -- want the compliance assurance that comes with data hosted in a single-tenant cloud environment. Or they may seek a service where the other tenant customers are also government agencies, said DeCarlo.
Many cloud providers have announced cloud offerings to specific vertical industries in an attempt to provide compliance assurance in the cloud to financial, healthcare and government organizations.
AT&T has developed several vertically aligned clouds as part of its enterprise-grade cloud business, said Steve Caniano, vice president of hosting, application and cloud services for AT&T Business and Home Solutions. The provider touts several offerings geared toward the health care industry -- including AT&T Medical Imaging and Information Management. "The offering helps providers to store, access, view and share patient medical images and information inside hospital systems and outside with referring physicians and other authorized facilities over a highly secure infrastructure," Caniano explained. The cloud-based offering complies with the Health Insurance Portability and Accountability Act (HIPAA) requirement for the health care industry.
Salesforce.com has also jumped on the vertical cloud bandwagon with its recently announced Government Cloud, a dedicated cloud infrastructure that is compliant with Federal Information Security Management Act (FISMA) requirements. It will be available to all U.S. government agencies this summer.
The underlying infrastructure of these industry-specific clouds can vary by cloud provider. Some cloud environments may be hosted in a multi-tenant infrastructure, while others may be hosted in a dedicated cloud with its own infrastructure stack.
Terremark, a cloud provider that offers enterprise cloud environments, has customers with cloud compliance requirements who are comfortable in multi-tenant environments spanning different vertical industries.
From the perspective of cloud infrastructure, the specific industry is irrelevant, according to Mario Santana, vice president of secure information services for Terremark. "Each sector has their own set of requirements, but at the end of the day a lot of those requirements have a lot in common," he said.
Customers are comfortable sharing a data center with other customers, and sharing the same cloud infrastructure is not that different, Santana said. "We have been able to show to the satisfaction of some customers and their auditors that it is possible to have two different customers in a shared cloud infrastructure while totally disallowing the intermingling of data and communication between those two customers," he noted.