SunGard Explains What to Look for in the Cloud for Compliance and Resiliency

By Peter Bernstein September 23, 2013

The move to the cloud, as we are all aware, is not without its issues. Indeed, two of the top concerns for IT professionals contemplating the move of mission critical information to the cloud revolve around the cloud’s ability to provide not just security but compliance, with the associated monitoring and tracking for mandates such as HIPAA and PCI, and network resiliency. The latter is a principal concern that has gained prominence as a result of Hurricane Sandy and other top-of-mind concerns regarding disaster recovery and business continuity.

Recently, I had the opportunity to discuss both of these important challenges with Oren Hamami, director of security strategy, SunGard Availability Services, who filled me in on best practices and recommendations in both areas. 

Compliance matters

Hamami was blunt in his take on what you need to think about if you are using the cloud for compliance. “You need to know what type of provider you are using. You then need to address the data issue about where it is stored, who has access, etc. For example, for security reasons and making sure enterprises are abiding by government mandates, SunGard never moves your data out of jurisdictions without permission,” he stated. Plus, he added, “Visibility is important. This means knowing what service is being provided, where and by whom. It means making sure the provider is being open and transparent about options and contractual obligations. Increasingly, it is also about even authenticating the citizenship of those who have access.”

Hamami has seven great tips regarding factors to consider when moving to the cloud and staying compliant:

  1. Conduct a cloud risk assessment. Consider what data will be moved; how and by whom it will be accessed; and whether the specific cloud solution will provide sufficient protections to meet your security and compliance requirements.
  2. Consider using a “private” or “hybrid” cloud solution. Rather than move all data to a public cloud provider, consider private clouds, which aren’t shared with other customers, or hybrid clouds that allow retention and control over critical data while leveraging a cloud provider for less sensitive functions.
  3. Understand exactly what you are – and aren’t – getting. Not all cloud services are created equal, particularly when it comes to security and liability. Unless your provider states otherwise, assume any requirement, such as encryption or data backup, remains your responsibility.
  4. Ensure your cloud vendor complies with the regulations. For example, the Department of Health and Human Services on Jan. 25, 2013, published new rules that significantly expand the definition and responsibilities of business associates and subject them to civil and criminal penalties. Be wary of cloud providers who insist they are not business associates under the new rules. You do not want to suffer the consequences down the road.
  5. Know where your data is today – and where it will be tomorrow. Consider not only where your cloud provider is hosting your data, but also what happens to it when you exit the service.
  6. Consider the so-called cloud security “donut hole.” Your cloud provider may only attest to the security of its physical infrastructure, excluding the shared virtualization systems that support the cloud service. This leaves the so-called “donut hole” between the host’s coverage and the point where you are responsible. Select a provider who closes this gap.
  7. Determine what the cloud provider will and won’t sign. Again, HIPAA compliance is a good example. Will the vendor attest to what protections the healthcare provider has in place and its responsibilities? If not, can it provide a third-party audit report attesting that the healthcare provider possesses such security protections?

As Hamami explained, at the end of the day the move to the cloud is about having a trusted relationship with your provider, where responsibilities and accountabilities are well-defined and understood, and where it is very clear that compliance activities will meet the letter of the law. This is particularly true since the penalties for lack of compliance are steep, and the monetary damages can be multiplied by the damage to your brand should your company be found not to be doing things lawfully.

Cloud Resiliency: There when you need it most

Hamami, speaking on the subject of resiliency, brought home one of the key benefits of the cloud by saying, “When disaster strikes, whether it be because of malicious cyber attacks like the growing use of Distributed Denial of Service (DDoS) ones that have been aimed increasingly at financial institutions, media companies and large retailers, or those caused by mother nature, you need to be able to have business continuity. This means little or no downtime, fast mean time to restoration, and a lack of possible corruption of your valuable digital assets.” He continued, “Because it is a hosted environment, the cloud needs to be used judiciously since increased accessibility means increased potential vulnerability, but not having to build a costly mirror site, and having multiple points of replication and fast response times for restoration, can be invaluable.”

In fact, Hamami did not need to point out how much even an outage of an hour or two can cost. Consider, for instance, that the recent outage at Google took out 40 percent of Internet traffic while the company sought to bring everything back to normal.

Hamami explained why the two big things IT professionals are seeking when looking at cloud resiliency center around natural disasters and DDoS. “The cloud gives you the equivalent of always-on versions of your infrastructure, and that is of critical importance.” In fact, he noted that SunGard’s warm site service, where mission critical data is replicated in VM form at SunGard, is one of its fastest growing services. Another hot service area is cloud vaulting/archiving. This is where data that does not need to be restored as quickly as with a hot site or warm site is stored.

The reasons why such services are popular for disaster recovery and business continuity are obvious. In terms of DDoS attacks, where the bad guys are typically trying to overrun your servers with requests and have become sophisticated enough to do so not just from a PC but by leveraging the cloud themselves, the defense involves redirecting legitimate traffic to capabilities that have not been compromised. While no solution is perfect, this is not unlike a complex shell game where attackers need to continuously look for the area that is most vulnerable rather than getting one successful bite of the apple.

Resiliency/business continuity is not merely about technology. It is about having a strategy in place and leveraging technology so that all of an enterprise’s assets, people as well as technology, work well in a crisis. It is for this reason that the cloud needs to be given serious consideration in the development of a resiliency strategy even if an enterprise is not ready to move its main operational capabilities to the cloud.

Hamami summed it up well. “When it comes to both compliance and resiliency, customers should know what they need, and what they are getting. Our job is to assure our cloud is being built and run securely and that you as a customer are getting exactly what you are getting and exactly what you want,” he said. In short, the cloud just might be the silver lining that answers your compliance and business continuity challenges, but you need to know who you are dealing with and have open and transparent dealings.

Edited by Ryan Sartor