Software Design for Passing Sarbanes-Oxley in Cloud Computing

Introduction

Cloud computing has promised to allow not only individuals but also groups of people to access large computing power on demand. Arguably the largest sector needing large computing power on demand in the United States (US) is the corporation. In light of this, it is important to analyze the feasibility of corporations to actually take advantage of the ever growing area of cloud computing (Armbrust et al., 2009). Research in specific use cases in which companies can use cloud computing have been shown in various approaches (Google App Engine, Windows Azure, Amazon EC2) but what has not been addressed to the same extent are the legal issues that cloud computing will face as corporations begin to assess the opportunities that this platform can provide.

The issue of legality as it pertains to cloud computing has been addressed by some (Bowen, 2011), (Jansen & Grance, 2011) but, as will be shown, the need to address legal concerns on a case by case basis uncovers the complexity and challenges that are hidden when only a general outlook is taken. It is our belief that legal concerns will play a major role in the adoption of cloud computing, just as security has been for this new paradigm. This belief comes from two points - that cloud computing can provide major improvements to corporations in terms of return on investment (ROI), reduction to barrier of entry, reduction in task completion times, etc., and as a consequence will need find innovating method remain compliant on all legal regulation. If the legal issues are not addressed corporations will be a large missed market which will not be able, or legally not allowed to use this technology.

The legal issues of cloud computing will impact many individuals within a corporation, but two of the most notable personnel which will have to address them will be the system architect and the software engineer. For the system architect the flow of data will determine the complexity of creating new applications using cloud computing and the integration with other applications. The software engineers will have to program with the constraints of legal issues (SOX in the case of this chapter) in mind in order to deliver a complete solution. In this chapter there will be three use cases that will demonstrate the complexity and limitations that regulations will impose upon the widespread adoption of cloud computing in the corporate environment.

The goal of this chapter is to highlight challenges software engineers will face in the corporate environment when creating software which leverages cloud resources. In order to adequately explain the challenges which arise from SOX related work, SOX analysis, current methods of complying with SOX and use cases are provided.

The related work section includes literature that has explored the effects of legal issues on cloud computing. This section will also serve to show how viewing of legal issues at a distance in software engineering is a stepping stone towards our work. The aim is to show the void of specific legal analysis for cloud computing. In doing so we show why specific legal analysis (in the case of SOX) can be useful for software engineers to account and program with legal concerns in mind. In addition, an overview of SOX is provided to provide a background on the issues which can arise when complying with the act. We will also introduce a technology-agnostic framework to aid in compliance with SOX. A section explaining the inherent problems cloud computing will face due to SOX is provided. This section serves to show that issues which are inevitable in a cloud environment and must be taken into account by software engineers. The use case section is provided to show how to identify SOX issues and design software taking those issues into account.