Compliance and Regulatory Standards for Cloud Computing

Introduction

Cloud computing is the imagination of Leonard Kleinrock (2005) one of the scientist at Advance Research Project Agency. In 1969 he said: “As of now, computer networks are still in their infancy, but as they grow up and become sophisticated, we will probably see the spread of ‘computer utilities’ which, like present electric and telephone utilities, will service individual homes and offices across the country”. This concept remained in dormant stage before 90s, and re-emerged in mid-90s with the effort of companies like HP, IBM, and Amazon, etc. (Armbrust, Armando, Rean, et al., 2009). On demand self service, Elasticity, Measured service, Broad network access and Resource Pooling are the five tenets of the cloud, which are widely accepted including by the cloud security alliance(Cloud Security Alliance, 2009) and in NIST (Mell and Grance, 2009). It is envisaged that services and applications will migrate to cloud from where it will be accessed by users using different type of devices for, e.g. terminal, PDA, Smartphones, etc. A number of vendors exist to provide cloud services and to take the lead in this new paradigm. These service providers are using their own proprietary APIs to enable the smooth communication among users and other cloud providers. However, because of proprietary APIs there is always a concern among the users that they may stick in lock-in at a later stage. As users can access cloud services from disperse locations of the globe, there is a big concern among the users about the security. Despite the trumpet business and technical advantages, numbers of potential cloud users are yet to join, and those who have joined are putting less sensitive data (Chow, 2009).

Control in the cloud is one of the major concerns among various users in adopting the cloud because it requires implementation of regulatory compliance and to ensure privacy of the data maintained. “As enterprises start to run their entire networks on the cloud, existing certifications [such as Gramm-Leach-Bliley, etc.] start to break down” (Lamont, 2009). The certifications assume that the enterprise controls everything, and it's all located within their office building, however the situation is not true with the cloud platforms. Corporate and offshore partnership requires similar enforcement of regulatory compliance. Protection of the enterprise data during storage as well as during transmission becomes important in order to make it consistent with the existing policies. Because of the regulatory compliance, most server resources are dedicated to single operating system and single application, hence, resources are not fully utilized. By means of virtualization, resources utilization can be increased up to 70%, which is very helpful in reducing the hardware cost as well as the power cost (Ruest and Ruest, 2009). Importance of standards and regulatory compliances in cloud computing can be further realized that some of the prominent organizations like ISACA and European Network and Information Security Agency (ENISA) (McHale, 2010) have also expressed the concern on the issue. ENISA (2011) weighing it in 123 pages have identified the most serious risks with impact factor of 7, which is highest and assigned to loss of information, compliance challenge, Risk of change of jurisdiction. Cloud computing requires to be more transparent with the efficient regulatory systems. Then only, the potential of cloud offerings can be fully realized.