The use of the Cloud for financial data is not currently a realistic option. It is fine for simple websites, but not for any application which is subject to regulation. It may seem churlish to dismiss a technology out of hand, but there have been many occasions when a technology has been presumed to be safe and secure until events and human ingenuity have proven otherwise. Companies have little choice but to assume the worst, now that they're in the grip of an ever-tightening regulatory framework. These regulations are not just Government-initiated, such as DPA or Sarbanes-Oxley, but come from banks, international agencies and payment-card providers.
Companies that store sensitive personal information are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. They are still obliged to ensure that data was correctly and legally held. The Cloud makes this a great deal more difficult. They must make sure that there is adequate segregation of data, encryption and resilience from disaster. They must also put in place a number of different types of 'control' over the selection, access and supervision of privileged administrators who manage the data, even if it is outsourced.
Service providers have to be checked for regulatory compliance, and scrutinized by independent audits and security certifications. Application security has to be checked every time a software change is made or a service pack is installed, which means the 'cloud' provider would need to inform the customer about every such change so that the customer can perform basic security management.
The whole issue of compliance is complicated by the fact that it is generally unclear where the data is, so it's hard to know which legal jurisdictions apply, including the local laws for data protection, privacy and retention. This may seem fussy, but companies don't just have to worry about cyber-criminals getting hold of data, but also about various governments, since anti-terrorism legislation varies widely from country to country. For example, whereas the EU generally insists on strict protection of privacy, the US Patriot Act gives government agencies powers to access company information held in the cloud within US jurisdiction, despite the 'US Safe Harbor Privacy Principles'.
Financial databases are designed like fortresses nowadays. It is difficult to predict the nature of the attack, so a number of independent systems must monitor attempts at intrusion, and audit all access. It is difficult to provide this in a multi-tenancy service where the Cloud application is decoupled from specific hardware resources, where logging is shared, and where data could be held anywhere. Even simple exception-monitoring systems aren't that straightforward.
There have been several concerted attempts to solve some of these security and monitoring issues, such as IBM, SAP and Cisco's 'Open Cloud Manifesto', and some individual initiatives are also under way.
In the meantime, Cloud service providers are insisting that they are steeped in the 'culture of security' advocated by the OECD Guidelines for the Security of Information Systems and Networks. The SAS70 auditing standard has been adopted by most of the Cloud service providers, and some are getting their services certified to the US Government's Federal Information Security Management Act (FISMA) standards. There is also a move towards ISO27001 accreditation so as to facilitate independent audit.
Nevertheless, there will have to be further compromises between the pioneers of The Cloud and the regulators, before companies feel safe in entrusting their data to such an abstract service, seemingly 'remote from sand and iron'. And I still haven't found a Cloud provider who can tell me about failed attempts to access my data.
Phil Factor (Guest Editor)