Addressing compliance issues in the cloud
FedRAMP boosts cloud compliance
Addressing compliance issues before the cloud was a little like coaching a backyard football game. You knew how to move players around, and for the most part, you were on an equal playing field with the competition — those trying to get into your end of the field. Handling compliance in the cloud era, however, is a little like being a coach in an NFL game: You might know the game and how it works, but you’ve got a whole new playbook to learn, and there’s a good chance one of your players — or in this case your data — is going to get creamed at any time.
There are several key compliance issues when working in the cloud. In an on-premises implementation, the IT department is charged with records management, including retention, archiving and retrieval of your data, as well as making sure that it is stored securely so only certain people can gain access to it. However, when your data is stored in the cloud, record-retention policies might not be as stringent as what is required for an agency. In addition, when data is stored on a shared server, there’s always the risk — albeit a very small one — that data might fall into the wrong hands. Finally, if there is an audit or lawsuit, getting data out of the cloud can take longer than needed. And then there’s the residency issue. When data is stored in an agency-owned data center, it resides in the United States. However, as cloud providers go global, data might go global, too.
It’s a sad fact, according to research firm Gartner’s “Hype Cycle for Cloud Computing, 2012*,” that “one of the most commonly expressed cloud buyer frustrations is the lack of a ‘checklist’ of items that need to be addressed when assessing a service provider’s relative ability to maintain information confidentiality, integrity and service reliability, in addition to the likelihood a provider can restore data and service after a disaster or data loss.”
Compliance gets a boost with FedRAMP
One of the ways to mitigate compliance issues — aside from installing a private cloud — is creating or purchasing services in a community cloud, which is provisioned for a specific group of like-minded organizations. Because these groups have similar security and compliance concerns, the cloud service can be developed to meet the needs of the group.
The Federal Risk and Authorization Management Program (FedRAMP), which was established in December 2011, also helps with compliance issues. Executive agencies are required to use FedRAMP for security authorizations and risk assessments, and the policy “ensures that compliance requirements are built into applicable contracts,” according to Deltek, a provider of software, services and research. However, because existing agencies have 30 months to migrate to FedRAMP, many of these processes will continue to be manual. And no one, says David Hill, principal at research firm Mesabi Group, should simply trust that their cloud provider will do the work for them. “You can delegate, but you can’t abrogate,” he says. “If something goes wrong, you’re still responsible.” That’s not to say that cloud providers aren’t doing an excellent job, he says, but you still need to be careful.
Overall, though, experts agree that cloud providers are doing a good job of helping customers meet compliance targets. In fact, there are some agencies and enterprises that are adopting cloud computing because the cloud providers they have selected have better compliance practices than their own IT departments. “When you recognize as an IT organization that you’re struggling to maintain compliance in certain applications, it becomes a breath of fresh air when you can offload your data onto the cloud and breathe easier,” says Mark Bowker, a senior analyst at research firm Enterprise Strategy Group.
* Gartner, Inc., Hype Cycle for Cloud Computing, 2012, David Mitchell Smith, August 1, 2012. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.