Managing Security and Compliance in the Cloud
For many IT departments, ensuring that customer data is secure and in regulatory compliance rarely happens, thanks to the consumerization of IT.
By Michael Vizard
IT organizations frequently find themselves between a rock and a hard place when it comes to compliance issues in the age of cloud computing. There are numerous regulations that, in many instances, make putting data in the cloud problematic. While not every regulation is specific, the spirit of the regulation, if not the letter of the requirement, holds the company accountable for maintaining control over customer data.
Of course, the appropriate control of customer data rarely happens in an era defined by the consumerization of IT. Employees don’t think through the ramifications of putting corporate data on their personal devices or in cloud services that are not managed by the IT organization. In fact, many end users would argue that, in the name of productivity, it’s become an absolute necessity to do so. Trying to restrain that employee behavior often puts the IT organization in the untenable position of trying to enforce policies that may not officially exist or come with formal sanctions attached.
“When it comes to the cloud there’s a lot of potential to get in trouble,” says Larry Miller, director of IT and e-commerce for MainGate, which builds and manages websites on behalf of sports teams, associations and other businesses.
And just to make matters potentially worse, even in cases where there might be legal sanctions, the fines for violating compliance requirements are rarely levied or are so minimal that they are considered just another cost of conducting business.
“In a lot of cases the fines just aren’t high enough,” says Mike Ellsworth, IT program manager for CareerOneStop, a federally funded job placement site for the state of Minnesota.
Outside of the government, health-care and retail sectors, compliance requirements are subject to a lot of subjective interpretation. And even in the government, health-care and retail sectors there is little clarity about how those requirements apply to use cases involving mobile and cloud computing.
A recent survey of 798 IT professionals conducted by the Ponemon Institute on behalf of WatchDox, a provider of enterprise-class mobile computing applications, found that more than 80 percent of IT professionals do not know how much of their organization’s regulated data is being stored on mobile computing devices or in the cloud.
The core issue, says Larry Ponemon, president of the Ponemon Institute, is that even if IT discovered that regulated data is residing outside the enterprise, it’s not clear IT is inclined to act on it. Not only would doing so make the IT organization even more unpopular with end users, the IT organization doesn’t have the time, skills or resources needed to track every violation.
The Ponemon survey found that most organizations have weak controls in place. Seventy-three percent of the IT professionals surveyed said they are relying on manual policies rather than automated management applications. “In a lot of cases the IT organizations are taking an ignorance-is-bliss approach to the problem,” says Ponemon.
“A lot of compliance people are not all that technical,” adds Ryan Kalember, chief product officer for WatchDox. “They tend to declare victory right after a policy is written down.”
Of course, it’s not immediately clear just how pressing the issue of compliance in the cloud may be.
While everyone would agree the current situation is not ideal, most organizations are trying to meet the letter of regulatory requirements that are often ambiguous. The reason for this, says Amy Roland, an attorney with Waller, a law firm that specializes in compliance issues, is that IT innovation moves much faster than regulatory bodies can keep up with. Nevertheless, Roland strongly advises organizations to move to the cloud only after sufficient deliberation.
“This is not some decision that should be made on a willy-nilly basis,” says Roland. “Moving to the cloud needs to be vetted and done after some very careful consideration.”
On the plus side, government spying scandals and the theft of intellectual property by state-sponsored agencies are forcing business and IT executives to think a lot more about compliance and security. The downside is that the need to securely share data using mobile devices is putting a lot of focus on the shortcomings of enterprise IT.