This guest post is written by Paul Reymann, CEO and founder of the Reymann Group. He is one of the nation’s leading regulatory experts and co-author of Section 501 of the Gramm-Leach-Bliley Act Security rule. He is also the author of numerous articles and papers on technology risk, transactional web sites, customer information, network security and other technology and safety and soundness topics.
On November 2, 2009, I was invited by the banking regulators to participate in a Cloud Computing Symposium at Treasury. The goal of the event was to explore the potential need for supplemental regulation or guidance for the cloud. Today, I want to share:
1. A few key discussion topics from the event;
2. My views of future potential regulatory guidance; and
3. A timely document from the Cloud Security Alliance.

1. Important Topics
There was a lot of helpful discussion about the security risk to sensitive data, especially in a multi-tenant environment. To put it simply, we are traveling into uncharted territory when it comes to security compliance in the cloud. The debate ranged from:
- It is not possible
- It is possible but reduces the cost savings benefits of the cloud
- It is possible with the right architecture and solutions.
My takeaway was that the right answer is somewhere between the latter two possibilities.
2. Potential Increased Regulatory Focus
While the regulators have not published any formal guidance, I think it is reasonable to anticipate that we are going to see increased “independent auditor” and “regulatory examiner” attention going forward on IT risk management topics such as:
- Verification of how the sensitive data is protected in the cloud for each client.
- Stronger contract language for SLA, data security, disaster recovery, etc.
- Due Diligence of the cloud vendors (This is going to take vendor management to new heights. It will drive the need for each vendor to be knowledgeable about the industry, compliance challenges, security risks and challenges especially in the cloud, and intelligent and real-time risk mitigation practices.)
- Security at the application layer, especially as it relates to Web 2.0 and the increased security risk from applications that are outside the control of the client and perhaps even the cloud vendor.
- Stronger identity management.
3. A Must Read Document
If you want to jumpstart your efforts to establish a foundation of knowledge for prudent practices for securing the cloud, I recommend that you download and read a copy of the Cloud Security Alliance Guidelines: http://www.cloudsecurityalliance.org/ It is a good model to start with.
If anyone has any other recommended guidelines for managing information security and technology risk in the cloud, please share them. The rate of cloud adoption is going to be fast, so we need the best brakes we can find to help us control it. All of us need to take steps now to come up to speed, but under control.
Remember, these are just my thoughts, but I think they make sense from a continuous risk management perspective.
I hope they help you.