March 27, 2012

Does Cloud Computing Make Regulatory Compliance Harder?

Many IT organizations have begun to use public cloud computing solutions, a trend that is expected to increase over the next few years. The primary factors driving the adoption of cloud computing are lower cost and greater IT agility. However, there's an outstanding question that could slow the move to cloud computing: does it make regulatory compliance harder?

A large part of the challenge associated with security in general, and regulatory compliance in particular, is the changing nature of attacks. Until recently most attacks were carried out by individual hackers whose primary goal was personal notoriety. One well-known example is Kevin Mitnick, who served five years in prison in the late 1990s for computer- and communications-related hacking crimes.

Security Attacks Get More Sophisticated

However, over the last few years a new class of hacker has emerged, characterized by organized crime and rogue nations whose motivation is to make money or to cause significant harm to an organization for political or ideological reasons. This class includes ideologically motivated "hacktivist" groups such as Anonymous.

Members of this new class of hacker are generally much more sophisticated than their predecessors. For example, while the Kevin Mitnicks of the world relied on techniques such as dumpster diving and social engineering to obtain information, today's hackers often have whole R&D facilities at their disposal.

Not surprisingly, more sophisticated attackers mount more sophisticated attacks. One measure is sheer scale: as recently as a decade ago the largest distributed denial-of-service (DDoS) attacks peaked at roughly 500Mbps; today they exceed 50Gbps, a hundred-fold increase in just ten years. Another is the growing number of attacks based on SQL injection, in which an attacker places SQL syntax into input that the application later embeds in a query string and hands to the database server for parsing and execution. The primary form of SQL injection is direct: user-supplied values are concatenated into a SQL command, so a character such as a single quote ends the intended string literal and whatever follows is executed as part of the query.

Such advances in attack sophistication have implications for cloud services, because the organizations adopting them remain subject to compliance regulations specific to their industry or situation: Sarbanes-Oxley for public companies, Gramm-Leach-Bliley for financial institutions, the Payment Card Industry Data Security Standard (PCI DSS) for merchants that accept payment cards, and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare organizations.

The Impact of Regulations

Companies are subject to myriad regulations, from both governments and industry organizations. PCI DSS, for example, which applies to any organization that stores, processes or transmits cardholder data, including merchants who accept credit cards, mandates that IT organizations implement Web and application security controls to minimize risks from vulnerabilities such as SQL injection.

Requirement 6 of PCI DSS calls for the organizations it covers (merchants and service providers alike) to develop and maintain secure systems and applications. One of its goals is to ensure that Web applications exposed to the public Internet are protected against at least a minimum set of vulnerabilities, injection flaws among them. Requirement 6.6 identifies two approaches by which IT organizations can satisfy this for public-facing Web applications: install a Web application firewall in front of them, or review them using manual or automated application vulnerability assessment methods after any change and at least annually. Either option is in addition to, not a substitute for, the secure coding practices the rest of Requirement 6 demands; a firewall in front of a concatenated query is a compensating control, not a fix.

A Hypothetical Example

So does the adoption of cloud computing make regulatory compliance harder? It depends. Consider, for example, a hypothetical company, "Big Merchant," which is subject to PCI DSS. As part of its claims-processing function, Big Merchant wants to use an application from a software-as-a-service (SaaS) provider. Because that provider would handle cardholder data on Big Merchant's behalf, it is a service provider in PCI DSS terms, and Big Merchant would have to assess potential SaaS providers thoroughly to ensure that its chosen provider not only satisfies the PCI DSS requirements today, but can and will keep up with changes in those requirements.

One could argue that, because such an assessment is cumbersome, the adoption of cloud computing does indeed make regulatory compliance harder. The counter-argument is that if Big Merchant provides the functionality internally rather than through a SaaS offering, it is still subject to the PCI DSS mandates and must demonstrate its own compliance for that system on a regular basis. Either way the obligation stays with Big Merchant; what changes is whether it is validating its own controls or those of a provider.

The bottom line: for companies with technologically sophisticated IT organizations, it might well be easier to provide the application internally than to use a SaaS provider. A company with a somewhat less sophisticated IT operation might be better off using a SaaS provider, as long as it has enough expertise to assess and manage that provider.


1 Comment

Jim, enjoyed your article regarding cloud computing. Couple of comments: One, I agree that the internet has some security issues and since the cloud utilizes the internet coupled with applications infrastructure and support, users should be aware of the potential for new threats and increased risk exposure. It is important to include your firm's risk tolerance in any decision to move to cloud computing, as not all the security issues are understood, and new ones will arise.
Second, it comes down to the risk profile for your corporation; what level of risk is right for your company relative to investing in cloud computing? Obviously part of the risk assessment depends on your type of company. If you are a financial advisor or in stock management where your intellectual property is basically the company then cloud computing as we currently know it is not right for you at any cost savings. If you resell ping-pong balls (no offense to ping-pong ball resellers) then the risk is relatively low and the savings from cloud computing outweigh the security and other considerations.
Cheers

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2018, Distributed Networking Associates, Inc.