Auditable Cloud Services and Compliance

Featured on Wired Insights on November 28, 2012

Cloud computing is a trend towards the industrialization of IT, but this industrialization of IT services also significantly reduces the influence the consumer has over those services. Contracts are standardized and cannot be tuned to meet consumers’ wishes: “what you see is what you get.” Yet IT still needs to govern regulatory compliance, so how does this work with cloud services?

Cloud in the Financial Sector

I will illustrate this using the regulatory organization from my home country, The Netherlands (aka Holland). Recently I was a panelist for a discussion on cloud computing in the financial sector at the national outsourcing congress, where I represented the cloud providers. On the panel with me were a representative of consumers, a lawyer and a representative of DNB (De Nederlandsche Bank), a public limited company responsible for safeguarding financial stability.

During the panel discussion DNB underlined the statement in its newsletter “Cloud computing: the risks and how they are supervised” that cloud computing is regarded as a form of outsourcing and is therefore subject to the same requirements, two in particular:

  1. Who has access to the data, where it is physically stored, and whether it is contractually specified that no data is left with the provider once the contract ends or is terminated.
  2. DNB must be granted the ‘right to audit’. Outsourcing, including in the form of cloud computing, may not prevent DNB from carrying out its supervisory duties.

Data access, location and erasing

Data access and location are quite well-known subjects and not really a debate anymore; most cloud providers require the consumer to select the location of the cloud service when requesting it. Erasing the data, however, is still an interesting one: can the cloud provider guarantee that the data is erased securely once the service contract is terminated? Or, an even more granular question, when a single service within a contract is terminated?

The ‘right-to-audit’ cloud services

This is the most interesting question: will cloud service providers allow the ‘right-to-audit’ on the cloudy bit of the cloud service? With the coming of cloud computing a trend has emerged in which cloud services are proactively audited for industry standard certifications, whereas in traditional outsourcing the consumer had to request an audit. This is a good trend because it forces cloud services to actively adhere to industry standards, adding to the service quality.

But does this mean that there is no longer a need for the ‘right-to-audit’? No, I say, for these reasons:

  1. Industry certifications are always limited in scope; they might not audit what you need audited. For instance, ISO/IEC 27001 focuses on security management documentation and processes, but says nothing about data erasure after service termination.
  2. Industry certifications are periodic and retrospective. Compliance with SAS 70, superseded by SSAE 16, only needs to be audited once a year or less.

What’s to expect next

Perhaps the future will bring an end-to-end scoped industry certification and continuous, fully automated auditing mechanisms that guarantee ‘real-time’ compliance.
