Governance

What is Cloud Governance?

Cloud computing needs processes, policies, and procedures. In a way, this is no different from IT across the board. But the concept of “governance” means different things to different people—and in fact, even the word itself is open to debate. However, no matter how you slice it, the consensus is that governance will play a crucial role in the ascension of cloud computing, and that cloud computing can complement governance existing processes.

SLAs: In cloud computing, providers should be transparent about the services that they offer, with clearly stated service-level agreements. At the same time, enterprises need to assume responsibility to ensure that mission critical business processes are safely supported by on-demand technology to minimize the loss of service and data loss.

Compliance: Just as with traditional back office applications, compliance is key.

• Sarbanes-Oxley (SOX) Act
  • The Act provides for new levels of auditor independence; personal accountability for CEOs and CFOs; additional accountability for corporate Boards; increased criminal and civil penalties for securities violations; increased disclosure regarding executive compensation, insider trading and financial statements; and certification of internal audit work by external auditors.
  • Security compliance on the ground rules of SOX and other governing acts is very important for any enterprise application, and for Cloud enabled applications it is even more important and in fact an utmost priority. There should be no tolerance on auditing, logging and reporting aspects of any SaaS applications and a 100% compliance only will enforce confidence and a more rapid adoption of Cloud.

  Health Insurance Portability and Accountability Act (HIPAA)

  • The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally-recognizable regulations for the use/disclosure of an individual’s health information. Essentially, the Privacy Rule defines how covered entities use individually-identifiable health information or the PHI (Personal Health Information).
  • Given the heavy industry regulation, it is important for health professionals to determine if cloud computing can provide them a secure, reliable, scalable, and inexpensive computing platform that can be used to facilitate healthcare customers’ HIPAA-compliant applications and data.

  Payment Card Industry Data Security Standard (PCI DSS)

  • The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.
  • While the current PCI DSS makes no mention of virtualization or cloud computing, it does establish the core concepts of securing cardholder information. With that, there is no reason that the 12 PCI requirements can’t be applied to cloud computing and virtualization. Even in the absence of specific PCI directives, enterprises utilizing virtualization should still be able to provide adequate security.

  Federal Information Security Management Act (FISMA)

  • The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
  • Meeting the requirements of FISMA is an important security requirement for US Federal agencies and there are significant challenges to embracing the cloud with the goal of security and FISMA compliance. Among these barriers are defining system audit boundaries, who is responsible for audits, and how federal agencies can achieve security in a shared cloud computing environment. Cloud companies that have been FISMA certified include: Salesforce, Google and Microsoft.