Compliance and Regulatory Standards for Cloud Computing

Jitendra Singh (JJT University, India) and Vikas Kumar (Asia-Pacific Institute of Management, India)
DOI: 10.4018/978-1-4666-4209-6.ch006


Cloud computing is expanding in reach thanks to its utility-based features and enhanced agility. Still, there is a major concern about the privacy and security of the data. Because of these concerns, third-party cloud users employ the cloud only for less sensitive data, and the advantage of cloud computing is not fully harnessed. In order to ensure the privacy and security of data, proper compliance and regulatory standards become very important for the cloud domain. Although a number of such standards exist for traditional computing, they must be modified for wider adoption on cloud platforms. This chapter considers the standards available worldwide, in both technical and non-technical categories, for wider coverage of cloud platforms. In the technical category, the security standards presently followed in cloud computing are discussed, while in the non-technical category, privacy and accounting standards like HIPAA, SAS 70, GAPP, etc. are considered.
Chapter Preview


Cloud computing was envisioned by Leonard Kleinrock (2005), one of the scientists at the Advanced Research Projects Agency. In 1969 he said: “As of now, computer networks are still in their infancy, but as they grow up and become sophisticated, we will probably see the spread of ‘computer utilities’ which, like present electric and telephone utilities, will service individual homes and offices across the country”. This concept remained dormant until the 1990s and re-emerged in the mid-1990s through the efforts of companies like HP, IBM, and Amazon (Armbrust, Armando, Rean, et al., 2009). On-demand self-service, elasticity, measured service, broad network access and resource pooling are the five tenets of the cloud, widely accepted by bodies including the Cloud Security Alliance (2009) and NIST (Mell and Grance, 2009). It is envisaged that services and applications will migrate to the cloud, from where users will access them using different types of devices, e.g. terminals, PDAs, smartphones, etc. A number of vendors exist to provide cloud services and to take the lead in this new paradigm. These service providers use their own proprietary APIs to enable smooth communication among users and other cloud providers. However, because of these proprietary APIs, there is always a concern among users that they may be locked in at a later stage. As users can access cloud services from dispersed locations across the globe, security is a major concern among them. Despite the trumpeted business and technical advantages, a number of potential cloud users are yet to join, and those who have joined are putting only less sensitive data in the cloud (Chow, 2009).

Control in the cloud is one of the major concerns for users adopting the cloud, because it requires the implementation of regulatory compliance and assurance of the privacy of the data maintained. “As enterprises start to run their entire networks on the cloud, existing certifications [such as Gramm-Leach-Bliley, etc.] start to break down” (Lamont, 2009). The certifications assume that the enterprise controls everything and that it is all located within its office building; however, this is not true of cloud platforms. Corporate and offshore partnerships require similar enforcement of regulatory compliance. Protection of enterprise data during storage as well as during transmission becomes important in order to keep it consistent with existing policies. Because of regulatory compliance, most server resources are dedicated to a single operating system and a single application; hence, resources are not fully utilized. By means of virtualization, resource utilization can be increased up to 70%, which is very helpful in reducing hardware cost as well as power cost (Ruest and Ruest, 2009). The importance of standards and regulatory compliance in cloud computing can be further appreciated from the fact that prominent organizations like ISACA and the European Network and Information Security Agency (ENISA) (McHale, 2010) have also expressed concern on the issue. ENISA (2011), in a 123-page assessment, identified the most serious risks, assigning the highest impact factor of 7 to loss of information, compliance challenges, and the risk of change of jurisdiction. Cloud computing needs to become more transparent, with efficient regulatory systems. Only then can the potential of cloud offerings be fully realized.
