If you spend any time eavesdropping on your CIO’s conversations these days,you’re likely to hear him or her talk about “virtualization.” As technology goes, virtualization is a nifty idea: software programs out on the Internet somewhere serving the same function as hardware typically housed in your company’s data center. It travels under multiple names—cloud computing, software-as-a-service, or utility computing, to name a few—but essentially the idea is to cut costs and improve data management by letting a vendor handle the maintenance.
We can leave CIOs to separate the hype from the real value in cloud computing, and that will take some time. Compliance officers, meanwhile, should educate themselves on exactly what cloud computing would mean for their organization and maintaining an effective control environment—because it can pose quite a few new questions for you. Let’s first explore what’s behind the drive for these services. Businesses increasingly want to leverage scalable technology in cost efficient ways; the ability to scale and provision computing power dynamically is one powerful lure for these services. Second, today’s younger, mobile workforce and customers expect and want constant connectivity to the online world. In fact, the demand for these services can be measured by the vendors who have entered the market lately: IBM, Microsoft, Amazon.com, Google, Oracle, SAP and more.
This isn’t a fad, clearly. Many people expect cloud computing to be a powerful force for years to come. So what is a “cloud,” exactly? Industry experts debate the precise definition, and therein lies one of the real challenges with the technology. We can say cloud computing is really a culmination of many technologies that have developed for more than a decade. The cloud architecture can be private (hosted within a company’s firewall) or public (hosted on the internet). There does not, however, appear to be a common taxonomy for cloud computing. Most attempts to develop standards for it have been met with concerns that have prevented a consistent application of offerings. Attempts at an “Open Cloud Manifesto” or a “Cloud Bill of Rights” have been met with skepticism over the intent and feasibility of standards when the technology of cloud computing is still so immature. (I’ll explore these core challenges later.)
Additionally, the regulatory environment for protecting and securing confidential data is complex and requires a comprehensive compliance program. Pinning that comprehensive program to a cloud, so to speak, is neither easy nor repeatable from one company to another. Above all, however, understand that cloud computing—regardless of its specific name or design—is the outsourcing of potentially critical applications or data. Outsourcing does not mean that compliance can be delegated to the vendor. Management is responsible for selecting and developing controls that ensure that the vendor(s) chosen has appropriate controls in place and will be monitored on a continuous basis. Compliance professionals and senior management must know and assess the cloud provider, and oversee the provider’s controls using techniques that maintain compliance with the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, various state data privacy regulations, and in some cases country-specific regulatory limitations. Yes, given the concerns raised by business customers and the ever-changing regulatory scene, some cloud vendors have begun to promote cloud-compliant services.
All I can say is: Let the buyer beware! Companies should always perform their own due diligence on cloud providers, and develop comprehensive service level agreements that document who is responsible for what and how these services will be provided. Sarbanes-Oxley requires a standard framework for evaluating internal controls. Typically, a COSO framework is used to assess internal controls, however, regulators haven’t provided much guidance nor has the industry agreed on consistent application standards complicating the development and implementation of a common set of controls.
Therefore, compliance pros must develop a defendable set of criteria for assessing the controls of cloud providers. Following is a starting point for developing a matrix of controls to consider as part of your cloud control toolset. Security. Unauthorized access to sensitive business and customer data leaves organizations exposed to financial and regulatory risks. Assessing and monitoring storage capacity, location, and physical as well as application access is a critical first step in assessing the control environment of cloud providers. Data Segregation. Data segregation should be understood. Does your data share a “virtual locker” with other customers? How does the vendor prevent unauthorized access from other customers? Records Management. Are records retention and records destruction standards consistent with your industry? Does your cloud vendor know this, and know what those standards are? Are there multiple backups of your data in multiple locations? Vulnerability Scanning. Are network or vulnerability scans allowed? Are there formalized protocols in place to perform scans? What limitations (if any) exist? And how are vulnerabilities disclosed to you, the customer, and then mitigated? Audit Trails.
How can the company demonstrate the effectiveness of its controls for authorization, authentication, segregation of duties, program development and program changes? (Because in the event of a regulatory probe or litigation, you can bet that other parties will expect that you’re able to do so.) How robust are the cloud provider’s controls such as firewalls, encryption, monitoring reports, and denial-of-service software? Interoperability and Portability. Few standards exist yet to assess different cloud providers’ interoperability of services and portability of data, but such compatibility is critical if a company needs to recall the data or move the data from one vendor to another. Performing this analysis in advance will save you money and business disruptions down the road. Seeking Help If you still are uncomfortable with your own assessment, you can rely on a few industry standards to help ease your fears.
First consider a SAS 70 SysTrust audit, which evaluates whether or not a specific system is reliable when measured against four essential principles: availability, security, integrity, and maintainability. Additionally, ask whether the provider complies with the ISO 27001 or ISO 27002 standards, which govern information security. ISO standards aren’t formal assurance, but they do imply that the vendor uses a formal method of practice and a summary of controls that may be evaluated as part of the due diligence process. Outsourcing to a cloud computing vendor is a business decision with far-ranging implications, not the least of which is compliance with Sarbanes-Oxley and Gramm-Leach-Bliley regulations. Businesses should consider all of the risks and rewards to pursuing this path.
Cloud computing is continuing to grow and expand as the dynamics of business drive companies to reconsider the cost of maintaining in-house data centers. Compliance professionals should be included in the evaluation of this critical business decision, to ensure the strategic plan includes no surprises down the road. Responsibility for compliance can not be delegated to the vendor. If you decide that outsourcing to a cloud vendor gives your business the operational benefits you need, developing the internal controls between your firm and the cloud provider is still largely your job and your problem. SOX holds management responsible for ensuring and assessing that their internal controls are adequate and effective, even when those controls reach into the clouds.