
Government tech types intrigued by cloud computing – there aren’t a lot of you, but you know who you are – may wish to reflect on yet another problematic point: Compliance.


As Sara Peters of Information Week noted recently, “thorough logs are the key to proving compliance with security regulations.”


“So how,” she wonders, “do you prove your organization is/was compliant when you aren’t able to maintain logs?”


Peters uses a definition of cloud computing, a term that has been defined many times over, worked up by Michael Crandell of RightScale. It’s “…the notion of providing easily accessible compute and storage resources on a pay-as-you-go, on-demand basis, from a virtually infinite infrastructure managed by someone else. As a customer, you don’t know where the resources are, and for the most part, you don’t care. What’s really important is the capability to access your application anywhere, move it freely and easily, and inexpensively add resources for instant scalability.”


Right; elegantly phrased. Peters riffs on this in language that is particularly pertinent for public sector folk:

“The parts of this definition that unnerve me are ‘managed by someone else’ and ‘you don’t know where the resources are.’ I’ve not yet investigated any of the usage agreements or discussed this with the companies that offer cloud services, but my guess is that organizations have neither the authority nor the ability to establish log settings, maintain logs, or view logs of any activity conducted on that ‘virtually infinite infrastructure.’

“This is particularly worrisome if you are (and I really hope you aren’t) using cloud computing services for storing sensitive/protected data. Wouldn’t you like to know who else’s data is stored on the same server as yours? Wouldn’t you like to know when, by whom, and where your data is copied to? Wouldn’t you like to know (in the quite likely instance that the cloud data centre is employing the use of server virtualization) when the server VM holding your data is migrated to some other server? Wouldn’t you like to know that all of these things were done securely? I doubt many organizations are using cloud computing in this way, yet, but it’s worth making note of when revamping your risk model for 2009.”

She’s got more, but the point is clear if arguably unoriginal. Be careful with the cloud.

