Thursday, November 12, 2009

Regulated Industry and Cloud Computing. Just A Note.

I’ve had some experience with regulated industry and cloud computing. It’s important to start by defining the issue. I’ve come across a variety of significant concerns: contractual arrangements, trans-national transactions, co-location of virtual machines, placement of data and transparency. There will be plenty of government rules and compliance checklists that are at loggerheads with the inherent set-up of a shared infrastructure, or with personnel that have not passed a minimum background check.

The prominent cloud providers (e.g. Google, Amazon Web Services) are already making architectural and infrastructure changes. Google has announced its GovCloud SaaS offering with Google hosting that is solely dedicated to US Federal, State and Local Government – bounded within North America. It’s a work in progress.

Federal government agencies are mandated by law (Federal Information Security Management Act) to implement security protection commensurate with risk. The mandate is to develop and maintain minimum controls and to ensure independent testing and evaluation of those controls.

Those public cloud providers (IaaS, PaaS, SaaS) that offer a communal IT model are opening up a new threat profile: more than one organization hosted on the same physical server, saving data in the same storage device, and co-mingled traffic passing across the same interconnects and network edge. They will make compliance claims but do not supply policy and security documentation. None will be hack-proof, and the burden of proof of compliance will fall on the system owner.

It may seem blindingly obvious, but certain industry segments fall into the hard, medium and simple categories for cloud computing. No export control? Easy. Healthcare is medium to hard depending on the application. Legal counsel is a stakeholder and advisor.

The classification and sensitivity of data will dictate the acceptance of risk and the choice of a cloud provider. But if we are talking about PII/PHI and high-impact systems, then certainly government agencies are going the route of a private cloud model. Now, there are ways to create a secure virtual environment. The security must encompass the physical machines and the people attending those machines. Any regulated industry client will perform (or has performed) their own PII risk assessment (e.g. NIST SP 800-122). A risk assessment from a regulatory point of view, to inform whether it makes sense to move to the cloud at all, is also necessary.

If the contract is inflexible and non-negotiable, then one simply has to walk away and look for another cloud provider that is willing to negotiate. And if the cloud provider claims to be more secure than a regular old data-center, then it should be OK for them to prove it to the customer’s satisfaction.
