Clouds and Compliance
From: "Rao Dronamraju" <rao.dronamr...@sbcglobal.net>
Date: Fri, 1 May 2009 12:50:41 -0500
Local: Fri, May 1 2009 1:50 pm
Subject: Clouds and Compliance

Folks,

The Compliance landscape of Clouds looks VERY MURKY.

The fundamental problem is the Criminal Penalties associated with
non-compliance although Civil Penalties are also equally troublesome.

For instance, Sarbanes Oxley says, the CXOs are responsible for the
integrity of the financial information and also the integrity of the
controls in place.

Not only do they have to sign off on the integrity of both, external auditors
have to attest to the authenticity and integrity.

So if and when enterprises plan to move to public clouds, there are some
interesting situations one would run into.

If suppose there is non-compliance in the establishment, management and
maintenance of the controls, who would be responsible?....

The CSP or the CXO of the enterprise?....

Similarly, if the integrity of the financial information is breached, who is
responsible?....

Remember there are criminal penalties involved not just civil penalties?....

Can any of these be fixed with SLAs?....probably the civil penalties but
definitely not criminal penalties. I do not think the law would allow a CSP
to go to prison in place of a CXO.

Maybe some legal expert in the group can speak to it.

So the interesting problem here is, how would you distribute the compliance
responsibilities and liabilities associated with non-compliance between the
CXOs and the CSPs?....

The only way seems to be through legislation, unless the legislature changes
the law in such a way that the penalties are levied on the parties RESPONSIBLE
for the integrity of the controls and the financial information: if the
controls fail the CSP goes to jail, if the financial information is fudged the
CXO goes to jail.

How likely is this to happen?.....

How soon could this happen?....We all know how fast the legislature moves...

The adoption and migration of enterprises to public clouds could depend a lot
on this.

The other alternative is, do not move the compliance systems to the clouds at
all...until the legislature catches up with the technology.


From: dave corley <dcorle...@gmail.com>
Date: Fri, 1 May 2009 13:34:34 -0500
Local: Fri, May 1 2009 2:34 pm
Subject: Re: [ Cloud Computing ] Clouds and Compliance

Sounds like an opportunity for a Storage Brokerage as a Service Provider and
local storage product (NAS and SAN) vendors.

Storage Brokerage as a Service Provider - host EMC Atmos or similar storage
brokerage software. Brokerage maintains enterprise-specific storage policy
and SLAs. Brokerage also specifies target repositories for stored
information based upon metadata contained within file/information.

If super-colossal-critical-SOX-compliance data is required to be produced
for audit, policy adjusted for associated information classified through
metadata as "compliancy-important" as follows:
1. Primary backup to local store (premise NAS for small business, premise
SAN for enterprise, mattress for consumer). Keep the family jewels and
photos of the kids so
2. Secondary backup to storage repository SP "A".
3. Tertiary backup to storage repository SP "B"
4. Encrypt all data AES256 prior to all backups
5. Establish policy/process, train your IT folks/VARs responsible for
processes. If this data is so important, assign a "custodian" responsible
for maintaining information metadata. Heck, most companies do this kind of
item 'marking' for inventory control.
6. Data integrity monitor frequency - every X days
7. Data loss reporting - within Y hours.

Other less expensive/expansive policy applied to less critical
information. Additional policies to allow storage arbitrage - if Wells
Fargo's storage repository rates drop, substitute them as SP "A" and drop
"Fred's MattressInTheCloud". Tiered/layered security/Defense in depth - not
just a military concept.

Disclaimer: I have never worked for EMC, SP "A", SP "B" or Fred's
MattressInTheCloud.

Dave

On Fri, May 1, 2009 at 12:50 PM, Rao Dronamraju <
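Dave's tiered policy above, turned into a runnable sketch. This is an added example, not code from the post, from EMC Atmos or from any brokerage product: a classification tag carried in file metadata selects a policy (repository tiers in priority order, AES-256 encryption before any copy leaves the host, an integrity-check interval and a loss-reporting deadline); each copy is sealed with AES-256-GCM; and a SHA-256 manifest lets a periodic integrity monitor detect copies that drifted or vanished at a repository. Repository names, durations and the in-memory stores standing in for SP "A" and SP "B" are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"time"
)

// Policy is the handling rule attached to one metadata classification.
// All values are illustrative placeholders, not anyone's real policy.
type Policy struct {
	Targets             []string      // backup repositories in priority order
	Encrypt             bool          // seal with AES-256 before any copy leaves the host
	IntegrityCheckEvery time.Duration // "data integrity monitor frequency - every X days"
	LossReportWithin    time.Duration // "data loss reporting - within Y hours"
}

// policyFor maps the classification tag in file metadata to its policy.
func policyFor(class string) Policy {
	switch class {
	case "compliance-important": // primary local, secondary SP "A", tertiary SP "B"
		return Policy{Targets: []string{"premise-san", "sp-A", "sp-B"}, Encrypt: true,
			IntegrityCheckEvery: 7 * 24 * time.Hour, LossReportWithin: 4 * time.Hour}
	default: // cheaper policy for less critical information
		return Policy{Targets: []string{"sp-A"}, Encrypt: true,
			IntegrityCheckEvery: 30 * 24 * time.Hour, LossReportWithin: 72 * time.Hour}
	}
}

// encryptForBackup seals plaintext with AES-256-GCM; the random nonce is prepended.
func encryptForBackup(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptBackup reverses encryptForBackup; a modified blob fails GCM authentication.
func decryptBackup(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Backup records where each copy went and the digest the integrity monitor expects.
type Backup struct {
	Copies   map[string][]byte // repository -> stored bytes (in-memory stand-ins)
	Manifest map[string]string // repository -> hex SHA-256 of the stored bytes
	Policy   Policy
}

// runBackup applies the policy for class: encrypt once, fan out to every tier, record digests.
func runBackup(class string, key, data []byte) (*Backup, error) {
	p := policyFor(class)
	payload := data
	if p.Encrypt {
		var err error
		if payload, err = encryptForBackup(key, data); err != nil {
			return nil, err
		}
	}
	sum := sha256.Sum256(payload)
	b := &Backup{Copies: map[string][]byte{}, Manifest: map[string]string{}, Policy: p}
	for _, t := range p.Targets {
		b.Copies[t] = append([]byte(nil), payload...)
		b.Manifest[t] = hex.EncodeToString(sum[:])
	}
	return b, nil
}

// verifyIntegrity recomputes each copy's digest and returns repositories that drifted or vanished.
func verifyIntegrity(b *Backup) []string {
	var bad []string
	for t, want := range b.Manifest {
		got, ok := b.Copies[t]
		if !ok {
			bad = append(bad, t)
			continue
		}
		if sum := sha256.Sum256(got); hex.EncodeToString(sum[:]) != want {
			bad = append(bad, t)
		}
	}
	sort.Strings(bad)
	return bad
}

// reportDeadline is the latest time a loss detected at the given instant must be reported.
func reportDeadline(b *Backup, detected time.Time) time.Time {
	return detected.Add(b.Policy.LossReportWithin)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	b, err := runBackup("compliance-important", key, []byte("constructed sample: Q1 ledger"))
	if err != nil {
		panic(err)
	}
	fmt.Println("copies:", len(b.Copies), "drifted:", verifyIntegrity(b))
	b.Copies["sp-B"][0] ^= 0xFF // simulate silent corruption at one repository
	fmt.Println("after tamper, drifted:", verifyIntegrity(b))
	fmt.Println("report a loss detected now by:", reportDeadline(b, time.Now()).Format(time.RFC3339))
}
```

The monitor compares against a manifest kept by the broker, not against the repository's own word, so a provider that silently loses or alters a copy is caught at the next check rather than at audit time; the key never leaves the enterprise, which is what makes the "encrypt prior to all backups" step meaningful when SP "A" is swapped for a cheaper provider.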


From: satish rege <srege...@gmail.com>
Date: Fri, 1 May 2009 14:12:49 -0600
Local: Fri, May 1 2009 4:12 pm
Subject: Re: [ Cloud Computing ] Re: Clouds and Compliance

The main difficulty with compliance of a law, that you are so concerned
about, is that the laws are made with knowledge of the previous technology
and they may not be suitable for a new one that flourishes. In general the
new technology cannot provide all the advantages if it has to meet the old
law. Thus there is a chicken and egg problem which I feel the lawyer
community has to solve. That is to make laws with technology change in mind.
Perhaps the new administration, with its technology savviness, will try to
look into this age-old problem.

-satish


From: Diego Parrilla Santamaría <diego.parrilla.santama...@gmail.com>
Date: Sat, 2 May 2009 00:14:40 +0200
Local: Fri, May 1 2009 6:14 pm
Subject: Re: [ Cloud Computing ] Clouds and Compliance

Good point. My CEO said in the Under Radar Event that one of the biggest
problems of moving workload & data in the clouds is to be compliant with the
law. People started laughing...

I'm an engineer and I think we have to deliver the best enough solution, and
leave the legal issues to the lawyers. But, if one of the goals of IaaS is to
simplify things for the Cloud Users, and as a side effect we are making
things more difficult in terms of compliance with the laws, then the
transition to the cloud can fail, or at least slow down.

As happened with SOX, a new kind of service will flourish around the Cloud.

Diego Parrilla Santamaría
Business Development Manager & Product Technology Strategist at Abiquo.
+34 620 57 81 46
mailto:dparri...@abiquo.com
skype:diegoparrilla
www.abiquo.com

On Fri, May 1, 2009 at 7:50 PM, Rao Dronamraju <rao.dronamr...@sbcglobal.net


From: brian cinque <brian.cin...@gmail.com>
Date: Fri, 1 May 2009 20:29:21 -0400
Local: Fri, May 1 2009 8:29 pm
Subject: Re: [ Cloud Computing ] Re: Clouds and Compliance

Satish

What's interesting about your comment that the lawyer community must change -
the reality is that is not going to happen. Each region; geographic, national, or
local has its own laws. I am referring to German laws being far more strict
than those of Australia; while Massachusetts privacy laws are far more strict
about privacy than, say, Iowa.

Who changes? Is Iowa going to adopt MA laws? Or is Iowa going to create a
local Safe Harbor bridge to, say, Germany?

Sadly the reality is no. The question of Privacy remains, and which privacy
laws must I adhere to? All of them? Some of them? Target markets? Amazon has
a European Cloud but is that a stop gap or a reality of compromises between
the clouds? Also securing your data (in flight or at rest) is not a
governance/compliance get out of jail card. When companies say they are
SAS-70 2; great, but will that hold up in Uruguay courts (probably not). So
what is the answer? Well right now each "Cloud" contract is being treated as
an outsourcing contract. Will that scale? Time will tell, but in the meantime
if Cloud expands then being a contract lawyer is the place to be. But the
question I have for the vendors who are bridging multiple cloud access
methods via multiple IaaS providers and providing a service: how will those
contracts be structured?

The question I have is - does it matter where your data is? The answer is
yes, but I had hopes that the Privacy Group meeting in Madrid - October 09 -
would create an attempt at general standards which in turn would allow for
cross border clouds. Not sure what the url is right now but if someone wants to
find the conference url please do. From memory the agenda is scaled back and
getting agreement on global standards will have to wait for another year.
Which means the governance question will remain for another year. Will the
lack of Cloud Standards also remain as well?

The more I think about it: the regulators that we say must change are
lawyers by trade. We are technical folks demanding change to open the true
potential of cloud but are constricted by the ambiguity and fear of terms
like "reasonable". Who wants to sign up and work with the lawyers so the
regulations can be modified to the technical opportunities? Willing them to
change isn't going to happen.

Brian


From: Jeanne Morain <jmor...@yahoo.com>
Date: Fri, 1 May 2009 18:39:30 -0700 (PDT)
Local: Fri, May 1 2009 9:39 pm
Subject: Re: [ Cloud Computing ] Re: Clouds and Compliance

This is a really refreshing thread - an area that keeps me up at night and I must say needs more understanding and attention across the board from vendors, analysts, auditors, and customers alike. I am working on a series of activities in this area to help promote education and understanding based on participating in various audit groups, customer research, and expert interactions to date. I would love to get feedback from this group on what you are seeing, doing - about implementing strong controls for virtualization in your Cloud initiatives.

I just started a blog to help share additional information and resources on topics such as this and how virtualization is impacting traditional systems from BSM, Compliance, and Config Automation - http://universalclient.blogspot.com/.

Below is an excerpt - the blog itself has links to webcasts, places to get details on a recent study I worked on with ITPI regarding this very topic across several hundred companies from CXO level down.

Compliance is an interesting element in its own right with many twists and turns depending on the industry (healthcare, financial services, manufacturing, etc), type of company, what technology is in place, whether it is actually used in a way that adheres to COBIT and, for outsourcing, the controls the outsourcer has placed and if they adhere to pass a SAS70 Audit.

Yes - SOX does say that the CXO will go to jail if they do not adhere to proper controls and conform to the standards identified by NIST to do so. Truth be told very few have actually gone to jail although several companies (527 in the first year according to IT Governance Institute) have had material discrepancies - their CXOs have not seen much in the way of jail time. The real teeth around SOX is having to post in a public place like the Wall Street Journal, and the impact on the stock etc is a much bigger driver. Companies typically have time to clean up their act and fix the material discrepancy. The actual act itself is very ambiguous and doesn't actually define all the components but leaves that up to NIST and COBIT (not to mention additional flexibility for auditors) to deem whether a company is in compliance. It is the system, manual or automated - that enables compliance, not technology.

for more see  - http://universalclient.blogspot.com/.

Regards,
Jeanne

www.installfree.com

 


From: "Rao Dronamraju" <rao.dronamr...@sbcglobal.net>
Date: Sat, 2 May 2009 00:52:33 -0500
Local: Sat, May 2 2009 1:52 am
Subject: RE: [ Cloud Computing ] Re: Clouds and Compliance

"Who wants to sign up and work with the lawyers so the regulations can be
modified to the technical opportunities? Willing them to change isn't going
to happen."

Exactly.

Today I know an ISP who has an excellent compliance solution and good
market, is willing to try the SaaS model.

But when I did the analysis, I realized that unless the law is changed, CXOs
are not going to come forward and place their compliance systems in a public
cloud as long as they have the 100% of the compliance responsibility is with
them..so this company just yet does not have the SaaS market..may be in 6 to
12 months..

If someone knows of a case where a corporation has gone ahead and is using a
SaaS compliance solution in the public cloud please let me know..I am very
interested in learning their business case including the legal case..



From: "Rao Dronamraju" <rao.dronamr...@sbcglobal.net>
Date: Sat, 2 May 2009 01:01:56 -0500
Local: Sat, May 2 2009 2:01 am
Subject: RE: [ Cloud Computing ] Re: Clouds and Compliance

"Truth be told very few have actually gone to jail although several
companies (527 in the first year according to IT Governance Institute) have
had material discrepancies - their CXOs have not seen much in the way of
jail time."

Yes you are right. I do think going to jail is a rarity. I mentioned it just
as an extreme example. As they say, plan for the worst and hope for the
best..for the CXO just in case..



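Dave's tiered policy above, written out as a small Go program so the pieces can be checked against each other: classify by metadata, encrypt with AES-256-GCM before anything leaves the premise, fan the same blob out to each tier, and keep a SHA-256 digest per copy for the periodic integrity check. This is an added example, not code from the post and not EMC Atmos; the repository labels, the "classification" metadata key, and the X = 7 days / Y = 4 hours values are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Policy is what the brokerage applies to one class of information; Targets are in tier order.
type Policy struct {
	Targets            []string
	EncryptBeforeStore bool
	IntegrityCheckDays int // "every X days"
	LossReportHours    int // "within Y hours"
}

// PolicyFor selects a policy from the metadata "marking"; key name, repository labels and X/Y are constructed.
func PolicyFor(meta map[string]string) Policy {
	if meta["classification"] == "compliancy-important" {
		return Policy{[]string{"premise-nas", "sp-a", "sp-b"}, true, 7, 4}
	}
	return Policy{[]string{"premise-nas", "sp-a"}, true, 30, 72} // cheaper tier for everything else
}

// newGCM builds AES-256-GCM and refuses any key that is not 32 bytes, so a 128-bit key cannot slip in.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 requires a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals data before it leaves the premise; the random nonce is prepended to the ciphertext.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; the GCM tag makes any modified or truncated blob fail to open.
func Decrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open blob: bad key or truncated ciphertext (%v)", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Copy records one tier's blob and the SHA-256 digest the custodian re-checks every X days.
type Copy struct {
	Repo   string
	Digest [32]byte
	Blob   []byte
}

// PlanBackup applies the policy: encrypt once, fan the blob out to every tier, record each digest.
func PlanBackup(meta map[string]string, data, key []byte) ([]Copy, Policy, error) {
	pol := PolicyFor(meta)
	blob := data
	if pol.EncryptBeforeStore {
		var err error
		if blob, err = Encrypt(key, data); err != nil {
			return nil, pol, err
		}
	}
	var copies []Copy
	for _, repo := range pol.Targets {
		copies = append(copies, Copy{repo, sha256.Sum256(blob), blob})
	}
	return copies, pol, nil
}

// IntegrityOK is the periodic integrity-monitor check: recompute the digest and compare.
func IntegrityOK(c Copy) bool { return sha256.Sum256(c.Blob) == c.Digest }

func main() {
	key := make([]byte, 32) // constructed; a real key comes from a KMS/HSM
	rand.Read(key)
	copies, pol, err := PlanBackup(map[string]string{"classification": "compliancy-important"}, []byte("constructed Q1 ledger"), key)
	if err != nil {
		panic(err)
	}
	for _, c := range copies {
		fmt.Printf("%-11s sha256=%x intact=%v (recheck every %d days)\n", c.Repo, c.Digest[:4], IntegrityOK(c), pol.IntegrityCheckDays)
	}
}
```

Run it with `go run`. The storage-arbitrage step from the post is just a change to the Targets list, and the data loss reporting window (Y hours) is carried along in the policy for whatever alerting sits on top. Note that a 16-byte key is refused outright rather than quietly downgrading the "AES256" line of the policy to AES-128, and that a blob altered in any repository fails both the digest comparison and the GCM open.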
From: "Rao Dronamraju" <rao.dronamr...@sbcglobal.net>
Date: Sat, 2 May 2009 01:03:48 -0500
Local: Sat, May 2 2009 2:03 am
Subject: RE: [ Cloud Computing ] Re: Clouds and Compliance

"Today I know an ISP who has an excellent compliance solution and good
market, is willing to try the SaaS model."

Sorry, typo. That should have said ISV, not ISP.

  _____  

From: cloud-computing@googlegroups.com
[mailto:cloud-computing@googlegroups.com] On Behalf Of Rao Dronamraju
Sent: Saturday, May 02, 2009 12:53 AM
To: cloud-computing@googlegroups.com
Subject: [ Cloud Computing ] Re: Clouds and Compliance

"Who wants to sign up and work with the lawyers so the regulations can be
modified to the technical opportunities? Willing them to change isn't going
to happen."

Exactly.

Today I know an ISP who has an excellent compliance solution and a good
market, and is willing to try the SaaS model.

But when I did the analysis, I realized that unless the law is changed, CXOs
are not going to come forward and place their compliance systems in a public
cloud as long as 100% of the compliance responsibility is with
them..so this company does not have the SaaS market just yet..maybe in 6 to
12 months..

If someone knows of a case where a corporation has gone ahead and is using a
SaaS compliance solution in the public cloud, please let me know..I am very
interested in learning their business case, including the legal case..

  _____  

From: cloud-computing@googlegroups.com
[mailto:cloud-computing@googlegroups.com] On Behalf Of brian cinque
Sent: Friday, May 01, 2009 7:29 PM
To: cloud-computing@googlegroups.com
Subject: [ Cloud Computing ] Re: Clouds and Compliance

Satish

What's interesting about your comment that the lawyer community must change -
the reality is that it is not going to happen. Each region; geographic, national, or
local has its own laws. I am referring to German laws being far more strict
than those of Australia; while Massachusetts privacy laws are far more strict
about privacy than, say, Iowa's.

Who changes? Is Iowa going to adopt MA laws? Or is Iowa going to create a
local Safe Harbor bridge to, say, Germany?

Sadly the reality is no. The question of privacy remains, and which privacy
laws must I adhere to? All of them? Some of them? Target markets? Amazon has
a European cloud but is that a stop gap or a reality of compromises between
the clouds? Also securing your data (in flight or at rest) is not a
governance/compliance get-out-of-jail card. When companies say they are
SAS-70 2; great, but will that hold up in Uruguay courts (probably not). So
what is the answer? Well, right now each "Cloud" contract is being treated as
an outsourcing contract. Will that scale? Time will tell, but in the meantime
if Cloud expands then being a contract lawyer is the place to be. But the
question I have for the vendors who are bridging multiple cloud access
methods via multiple IaaS providers and providing a service: how will those
contracts be structured?

The question I have is - does it matter where your data is? The answer is
yes, but I had hopes that the Privacy Group meeting in Madrid - October 09 -
would create an attempt at general standards which in turn would allow for
cross-border clouds. Not sure what the URL is right now, but if someone wants to
find the conference URL please do. From memory the agenda is scaled back and
getting agreement on global standards will have to wait for another year.
Which means the governance question will remain for another year. Will the
lack of Cloud Standards also remain as well?

The more I think about it: the regulators that we say must change are
lawyers by trade. We are technical folks demanding change to open the true
potential of cloud but are constricted by the ambiguity and fear of terms
like "reasonable". Who wants to sign up and work with the lawyers so the
regulations can be modified to the technical opportunities? Willing them to
change isn't going to happen.

Brian

On Fri, May 1, 2009 at 4:12 PM, satish rege <srege...@gmail.com> wrote:

The main difficulty with compliance of a law, that you are so concerned
about,  is that the laws are made with knowledge of the previous technology
and they may not be suitable for a new one that flourishes. In general the
new technology cannot provide all the advantages if it has to meet the old
law. Thus there is a chicken and egg problem which I feel the lawyer
community has to solve. That is to make laws with technology change in mind.
Perhaps the new administration, with its technology savviness, will try to
look into this age old problem.

-satish

On Fri, May 1, 2009 at 12:34 PM, dave corley <dcorle...@gmail.com> wrote:

Sounds like an opportunity for a Storage Brokerage as a Service Provider and
local storage product (NAS and SAN) vendors.

Storage Brokerage as a Service Provider - host EMC Atmos or similar storage
brokerage software. Brokerage maintains enterprise-specific storage policy
and SLAs. Brokerage also specifies target repositories for stored
information based upon metadata contained within file/information.

If super-colossal-critical-SOX-compliance data is required to be produced
for audit, policy is adjusted for associated information classified through
metadata as "compliancy-important" as follows:
1. Primary backup to local store (premise NAS for small business, premise
SAN for enterprise, mattress for consumer). Keep the family jewels and
photos of the kids so
2. Secondary backup to storage repository SP "A".
3. Tertiary backup to storage repository SP "B"
4. Encrypt all data AES256 prior to all backups
5. Establish policy/process, train your IT folks/VARs responsible for
processes. If this data is so important, assign a "custodian" responsible
for maintaining information metadata. Heck, most companies do this kind of
item 'marking' for inventory control.
6. Data integrity monitor frequency - every X days
7. Data loss reporting - within Y hours.

Other, less expensive/expansive policies are applied to less critical
information. Additional policies allow storage arbitrage - if Wells
Fargo's storage repository rates drop, substitute them as SP "A" and drop
"Fred's MattressInTheCloud". Tiered/layered security/Defense in depth - not
just a military concept.

Disclaimer: I have never worked for EMC, SP "A", SP "B" or Fred's
MattressInTheCloud.

Dave

From: satish rege <srege...@gmail.com>
Date: Sat, 2 May 2009 09:15:01 -0600
Local: Sat, May 2 2009 11:15 am
Subject: Re: [ Cloud Computing ] Re: Clouds and Compliance

I feel that "the lawyers will NEVER do it" is too strong. "It ain't going to
happen" is stronger. I believe they didn't know that the problem exists. It may
take time for them to recognize the problem and then come up with
regulations to solve it. Law has always been behind the technology
development. So how long it will take is then the question?

Note that exchanging health records electronically and compliance with HIPAA is a
big problem. The present government is making progress to overcome that by
trying to seamlessly move the records from the Pentagon to Veterans Affairs. NIH
has research grants to come up with solutions that allow for increased
compliance. I hope that if the solution is very difficult then HIPAA requirements
may have to be changed. It will take time.

"

Today I know an ISP who has an excellent compliance solution and a good
market, and is willing to try the SaaS model.

But when I did the analysis, I realized that unless the law is changed, CXOs
are not going to come forward and place their compliance systems in a public
cloud as long as 100% of the compliance responsibility is with
them….so this company does not have the SaaS market just yet….maybe in 6 to
12 months…."

The problem here, I believe, is one of verification. If the CXO is 100%
guaranteed and convinced that the ISP solution is compliant then he will
have no problem outsourcing. Remember he has to believe his own IT people
and their system being compliant. Can the ISP convince him that their system
is the "SAME" as the internal system? There lies the problem.

Let us take a simple problem. Toys sold in the US have to be compliant with
certain safety standards. Mattel outsources the manufacturing to China and
takes the responsibility for compliance with US laws. (They did have a problem
with a particular toy recently and the product was recalled.) Also, I do
understand, the requirements on toy safety are not as complex as the
problem we are discussing.

So the question is: can we build software systems that are compliant with
complex law and guarantee their behavior? We all have our own opinions and
experiences with regards to software verification technology. It also has a
long way to go.

-satish

From: "Rao Dronamraju" <rao.dronamr...@sbcglobal.net>
Date: Sat, 2 May 2009 11:05:16 -0500
Local: Sat, May 2 2009 12:05 pm
Subject: RE: [ Cloud Computing ] Re: Clouds and Compliance

"The problem here, I believe, is one of verification. If the CXO is 100%
guaranteed and convinced that the ISP solution is compliant then he will
have no problem outsourcing. Remember he has to believe his own IT people
and their system being compliant. Can the ISP convince him that their system
is the "SAME" as the internal system? There lies the problem."

No, the problem in the cloud scenario is CONTROL and VISIBILITY..on his/her own
premise, he has a LOT of CONTROL and VISIBILITY. He/She is directly
responsible for the CONSEQUENCES of anything going wrong in terms of
compliance. In the cloud scenario, that responsibility has PARTIALLY shifted to
the CSP. The CXO is still responsible for the content and authenticity of
the financial information.

I am not sure why lawyers would be interested in fixing this?....The
stakeholders here are the companies, CSPs and the government..they are the ones
who benefit most from clouds.

Of course, the lawyers employed by them will work out the legal issues.

Would the govt. by itself look into this?....don't know..

Your example of toy manufacturing and compliance is a good example to
convince the CXOs that outsourcing compliance is in practice and working.

"NIH has research grants to come up with solutions that allow for increased
compliance. I hope that if the solution is very difficult then HIPAA requirements
may have to be changed. It will take time."

Government can wait..they don't run on making profits..for businesses TIME
IS PROFITS..they cannot wait..they have to take the initiative and
leadership and make things happen.

From: satish rege <srege...@gmail.com>
Date: Sat, 2 May 2009 12:12:48 -0600
Local: Sat, May 2 2009 2:12 pm
Subject: Re: [ Cloud Computing ] Re: Clouds and Compliance

Here are some counter arguments and questions...

"No, the problem in cloud scenario is, CONTROL and VISIBILITY…....."

Can we solve this problem by SLAs?

Also, if I think about it, control and visibility are psychological
problems. Some CXOs are more controlling than others. Some need more
visibility than others. Compliance will be another reason (excuse?), and not
the sole reason, for which they will not outsource.

If outsourcing is profitable, and as you say businesses are for profit, then
a CXO has to make tradeoffs between having less profit with an in-house
implementation vs. a cloud solution. The ultimate control and visibility
that a CXO needs will have to be satisfied with final in-house inspections
on the outsourced product and SLAs to gain the profitability.

I don't want to go into a discussion on government, businesses, government
regulation, business profitability and all the pros and cons of that on this
thread. We have some glaring examples and answers on these issues from the
economic disaster that we have lately seen.

Regulations are here to stay and they will mostly (or almost always) be
behind the technology. My question is: do we have confidence in our
software technology and solutions that they:
 1. meet the necessary regulations? and
 2. overcome the psychological issues such as ownership, which make a human
(e.g. a CXO) feel in control and feel they have visibility?

-satish

From: Jeanne Morain <jmor...@yahoo.com>
Date: Sat, 2 May 2009 11:14:40 -0700 (PDT)
Local: Sat, May 2 2009 2:14 pm
Subject: Re: [ Cloud Computing ] Re: Clouds and Compliance

From the thread - there is a lot of time and thought on specific projects that were going through that the "auditors" may not have informed those on the thread of all the pieces, and some of the industry-wide misperceptions from vendors that did not bother to take the time to educate themselves on the acts, NIST, etc. have propagated. As a result, there are some misperceptions on compliance, how it can be hosted in the cloud, and the consequences.

The types of compliance and their requirements vary. The thread below is mixing HIPAA, SOX, etc. That is only applicable for public companies that deal with patient information (Insurance, Hospitals, Device Manufacturers). Different industries are impacted by different types of regulations (Financial services for example has the Office of Thrift Supervision, SOX, Gramm-Leach-Bliley, Basel I & II, PCI, etc.). Healthcare also is overseen by the FDA because hospitals manufacture blood, for example.

Outsourcers such as Perot, CSC, IBM, Accenture, Unisys, etc. have had solutions around various verticals that are highly regulated after the legislation passed (Government, Financial Services, and Healthcare - HIPAA and SOX). SAS70 is the audit control for those smaller SMBs/SMEs that most hosted solution providers provide to auditors and to the companies they serve to prove that data is encrypted, isolated and safe. This is a practice that has matured over the years and there are many good documented "How to Guides" - www.itpi.org - for the Visible Ops series. I am copying one of the co-authors and a formidable expert in this area - in case he would like to comment.

Yes, CXOs need visibility into their organization to comply with SOX - that is ONLY for public companies. For example, large private healthcares do not have to worry about SOX. HIPAA is different, as is PCI, because they affect anyone in contact with personal information (health, financial). HIPAA and other Personal Health Information Acts in Europe, Japan (which are more stringent) address access to patient information (health, billing, etc.). Depending on the PHI Act (such as Europe) some require that it be hosted in the country of origin, others are less stringent, requiring that it be encrypted, access controlled, etc. The outsourcer will need to provide SAS70 findings from an independent audit body, which the CXO needs to review. The CXO will not go to jail but will more than likely move to a different MSP if the government finds material discrepancies. They have time to clean them up, particularly if it is something that resulted from a process or technology issue versus blatant fraud such as what happened in the Enron case that brought about SOX.

One suggestion would be to actually read the regulations you are speaking about - see attachment for SOX. It is not the regulations that require reform (many of them were generically written - not to a specific technology per se) but the prescriptive guideline controls such as COBIT (used by auditors to test the technical system) and frameworks like ITIL and ISO that do need to be adjusted. That is not up to the politicians but the government commissions from NIST in the US - similar agencies in other countries - to define and enhance. New standards are forming and being added to ITIL (look at V3 that changed from V2 to add a DML - definitive media library - over a DSL - definitive software library - and more around federation) - why? Because the technology evolved and changed.

The biggest GAP here for the cloud is how newer technologies - like virtualization - impact those controls, making it difficult to enforce some and others obsolete. It is important to understand the risks of these new technologies for GRC (governance, risk and compliance) and either find prescriptive workarounds or select technologies that were created post-regulations (after 2004) so that compliance and how it evolved with NIST will have a greater chance of being baked in as part of the architecture and not an afterthought until it is an issue.

It is not visibility as is stated - else the large outsourcers that have made a successful business off of healthcare verticals would not still be in business. More importantly, most small doctor's offices etc. have fewer than 100 employees - they could not afford a big datacenter etc. for compliance and need to look at alternative means like the cloud.

The key here is to join groups like W3C that are defining Common Information Model or others that influence NIST direction, ITIL or COBIT reform (the majority uses ITIL framework or ISO).

Have a great weekend.

Cheers,
Jeanne
www.installfree.com

________________________________
From: Rao Dronamraju <rao.dronamr...@sbcglobal.net>
To: cloud-computing@googlegroups.com
Sent: Saturday, May 2, 2009 9:05:16 AM
Subject: [ Cloud Computing ] Re: Clouds and Compliance

“The problem here, I believe. is one of verification. If the CXO is 100% guaranteed and convinced that the ISP solution is compliant then he will have no problem outsourcing.  Remember he has to believe his own IT people and their system being compliant. Can the ISP convince him that their system is "SAME" as the internal system? There lies the problem.”
No, the problem in cloud scenario is, CONTROL and VISIBILITY….on his/her own premise, he has a LOT of CONTROL and VISIBILITY. He/She is directly responsible for the CONSEQUENCES of anything going wrong in terms of compliance. In cloud scenario, that responsibility has PARTIALLY shifted to the CSP. The CXO is still responsible for the content and authenticity of the financial information.
 
I am not sure why lawyers would be interested in fixing this?....The stake holders here are the companies, CSPs and the government….they are the ones who are most benefited by clouds.
Ofcourse, the lawyers employed by them will work out the legal issues.
 
Would the govt. by itself look into this?....don’t know….
 
Your example of toy manufacturing and compliance is a good example to convince the CXOs that outsourcing compliance is in practice and working.
 
“NIH has research grants to come with solutions that allows for increased compliance. I hope if the solution is very difficult then HIPPA requirements may have to be changed. It will take time.”
 
Government can wait….they don’t run on making profits….for businesses TIME IS PROFITS….they cannot wait….they have to take the initiative and leadership and make things happen.
 

________________________________

From:cloud-computing@googlegroups.com [mailto: cloud-computing@googlegroups.com ] On Behalf Of satish rege
Sent: Saturday, May 02, 2009 10:15 AM
To: cloud-computing@googlegroups.com
Subject: [ Cloud Computing ] Re: Clouds and Compliance
 
I feel that "the lawyers will NEVER do it" is too strong. "It ain't going to happen" is stronger. I believe they didn't know that the problem exists. It may take time for them to recognize the problem and then come up with regulations to solve it. Law has always been behind the technology development. So how long it will take is then the question.

Note exchanging health records electronically and compliance with HIPAA is a big problem. The present government is making progress to overcome that by trying to seamlessly move the records from the Pentagon to Veterans Affairs. NIH has research grants to come up with solutions that allow for increased compliance. I hope if the solution is very difficult then HIPAA requirements may have to be changed. It will take time.

"Today I know an ISP who has an excellent compliance solution and good market, is willing to try the SaaS model.
 
But when I did the analysis, I realized that unless the law is changed, CXOs are not going to come forward and place their compliance systems in a public cloud as long as 100% of the compliance responsibility is with them….so this company just yet does not have the SaaS market….maybe in 6 to 12 months…."
The problem here, I believe, is one of verification. If the CXO is 100% guaranteed and convinced that the ISP solution is compliant then he will have no problem outsourcing.  Remember he has to believe his own IT people and their system being compliant. Can the ISP convince him that their system is "SAME" as the internal system? There lies the problem.
Let us take a simple problem. Toys sold in the US have to be compliant with certain safety standards. Mattel outsources the manufacturing to China and takes the responsibility of compliance with US laws. (They did have a problem with a particular toy recently and the product was recalled.) Also, I do understand, the requirements on toy safety are not as complex as the problem we are discussing.

So the question is can we build software systems that are compliant with complex law and guarantee their behavior? We all have our own opinions and experiences with regards to software verification technology. It also has a long way to go.

-satish

On Fri, May 1, 2009 at 11:52 PM, Rao Dronamraju <rao.dronamr...@sbcglobal.net> wrote:

“Who wants to sign up and work with the lawyers so the regulations can be modified to the technical opportunities? Willing them to change isn't going to happen.”
 
Exactly…
 
Today I know an ISP who has an excellent compliance solution and good market, is willing to try the SaaS model.
 
But when I did the analysis, I realized that unless the law is changed, CXOs are not going to come forward and place their compliance systems in a public cloud as long as 100% of the compliance responsibility is with them….so this company just yet does not have the SaaS market….maybe in 6 to 12 months….
 
If someone knows of a case where a corporation has gone ahead and is using a SaaS compliance solution in the public cloud please let me know….I am very interested in learning their business case ...

Attachment: sarbanesoxley072302[1].pdf (353K)

Fred Zappert  
View profile  
 More options May 2 2009, 3:42 pm
From: Fred Zappert <fzapp...@gmail.com>
Date: Sat, 2 May 2009 12:42:53 -0700
Local: Sat, May 2 2009 3:42 pm
Subject: Re: [ Cloud Computing ] Re: Clouds and Compliance

Hi,

I do not understand the sentiment expressed in this thread that the law or
lawyers are holding anything up in terms of the development of cloud-based
services.

Another example I can point to is the EEU requirement that data does not
leave the EEU. So, Amazon Web Services provides an option to ensure that the
data doesn't leave the EEU.  Of course, AWS charges more for that, so in
this case some regulations are helping to drive revenues.

HIPAA does impose a host of regulations on medical records, but there are
SaaS EMR services available.

Cloud security is a legitimate area of concern, but some definitive work has
been done by the Cloud Security Alliance, which published a document worth
reading: "Cloud Security Alliance identifies key practices for secure adoption
of Cloud Computing" <http://www.cloudsecurityalliance.org/pr20090422.html>

Writing secure internet applications is a challenge no matter what the
hosting model - I recommend some serious reading at the OWASP
site <http://www.owasp.org> to learn more about what's involved in doing
that.

There are a few regulations in effect that do have some impact.  PCI places
an emphasis on hosting your own data, so payments processors cannot use
public clouds.

Regards,

Fred.

...

Rao Dronamraju  
View profile  
 More options May 2 2009, 4:42 pm
From: "Rao Dronamraju" <rao.dronamr...@sbcglobal.net>
Date: Sat, 2 May 2009 15:42:11 -0500
Local: Sat, May 2 2009 4:42 pm
Subject: RE: [ Cloud Computing ] Re: Clouds and Compliance

Jeanne,

Thanks for the excellent detailed information and also the attachment. I am
only talking about SOX, not about all other regulations.

I have read it before and the only things that are most applicable from the
whole 66-page document are sections 302 and 404.

SEC. 302. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS.

(a) REGULATIONS REQUIRED. - The Commission shall, by rule, require, for each
company filing periodic reports under section 13(a) or 15(d) of the Securities
Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive
officer or officers and the principal financial officer or officers, or persons
performing similar functions, certify in each annual or quarterly report filed
or submitted under either such section of such Act that -

(1) the signing officer has reviewed the report;

(2) based on the officer's knowledge, the report does not contain any untrue
statement of a material fact or omit to state a material fact necessary in
order to make the statements made, in light of the circumstances under which
such statements were made, not misleading;

(3) based on such officer's knowledge, the financial statements, and other
financial information included in the report, fairly present in all material
respects the financial condition and results of operations of the issuer as
of, and for, the periods presented in the report;

(4) the signing officers -

(A) are responsible for establishing and maintaining internal controls;

In case of clouds, the CXOs do not establish and maintain internal controls.
The CSPs do it on behalf of the CXOs.

(B) have designed such internal controls to ensure that material information
relating to the issuer and its consolidated subsidiaries is made known to such
officers by others within those entities, particularly during the period in
which the periodic reports are being prepared;

They do not have any control on the design of such internal controls in the
CSP environment.

(C) have evaluated the effectiveness of the issuer's internal controls as of a
date within 90 days prior to the report; and

I suppose this can be done through auditors.

(D) have presented in the report their conclusions about the effectiveness of
their internal controls based on their evaluation as of that date;

(5) the signing officers have disclosed to the issuer's auditors and the audit
committee of the board of directors (or persons fulfilling the equivalent
function) -

(A) all significant deficiencies in the design or operation of internal
controls which could adversely affect the issuer's ability to record, process,
summarize, and report financial data and have identified for the issuer's
auditors any material weaknesses in internal controls; and

(B) any fraud, whether or not material, that involves management or other
employees who have a significant role in the issuer's internal controls; and

(6) the signing officers have indicated in the report whether or not there
were significant changes in internal controls or in other factors that could
significantly affect internal controls subsequent to the date of their
evaluation, including any corrective actions with regard to significant
deficiencies and material weaknesses.

So to me it seems, the way the law is written, it was never meant to take
into consideration outsourcing of compliance and hence the distribution of
responsibilities, accountabilities and liabilities.

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

(a) RULES REQUIRED. - The Commission shall prescribe rules requiring each
annual report required by section 13(a) or 15(d) of the Securities Exchange
Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report,
which shall -

(1) state the responsibility of management for establishing and maintaining
an adequate internal control structure and procedures for financial
reporting; and

So whose responsibility will this be in clouds?....CSP?...or CXO?....

(2) contain an assessment, as of the end of the most recent fiscal year of
the issuer, of the effectiveness of the internal control structure and
procedures of the issuer for financial reporting.

This can probably be done through auditors again.

(b) INTERNAL CONTROL EVALUATION AND REPORTING. - With respect to the internal
control assessment required by subsection (a), each registered public
accounting firm that prepares or issues the audit report for the issuer shall
attest to, and report on, the assessment made by the management of the
issuer. An attestation made under this subsection shall be made in accordance
with standards for attestation engagements issued or adopted by the Board.
Any such attestation shall not be the subject of a separate engagement.

Whose assessment would this be?....CSP?....

  _____  

From: cloud-computing@googlegroups.com
[mailto:cloud-computing@googlegroups.com] On Behalf Of Jeanne Morain
Sent: Saturday, May 02, 2009 1:15 PM
To: cloud-computing@googlegroups.com
Cc: scott.alldri...@ipservices.com
Subject: [ Cloud Computing ] Re: Clouds and Compliance

From the thread - there is a lot of time and thought on specific projects
that were going through that the "auditors" may not have informed those on
the thread of all the pieces and some of the industry wide misperceptions
from vendors that did not bother to take the time to educate themselves on
the acts, NIST, etc have propagated.  As a result- there are some
misperceptions on compliance, how it can be hosted in the cloud, and the
consequences.

The types of compliance and their requirements vary.  The thread below is
mixing HIPAA, SOX, etc.  That is only applicable for public companies that
deal with patient information (Insurance, Hospitals, Device Manufacturers).
Different industries are impacted by different types of regulations
(Financial services for example has Office of Thrift Supervision, SOX,
Gramm-Leach-Bliley, Basel I & II, PCI, etc.).  Healthcare also is overseen by
the FDA because hospitals manufacture blood, for example.

Outsourcers such as Perot, CSC, IBM, Accenture, Unisys, etc. have had
solutions around various verticals that are highly regulated after the
legislation passed (Government, Financial Services, and Healthcare - HIPAA
and SOX).  SAS70 is the audit control for those smaller SMBs/SMEs that most
hosted solution providers provide to audit and to the companies they serve
to prove that data is encrypted, isolated and safe.  This is a practice that
has matured over the years and there are many good documented "How to
Guides" - www.itpi.org - for the Visible Ops series.  I am copying one of the
co-authors and a formidable expert in this area - in case he would like to
comment.

Yes, CXOs need visibility into their organization to comply with SOX - that
is ONLY for public companies.  For example, large private healthcares do
not have to worry about SOX.  HIPAA is different, as is PCI, because they
affect anyone in contact with personal information (health, financial).
HIPAA and other Personal Health Information Acts in Europe and Japan (which are
more stringent) address access to patient information (health, billing,
etc.).  Depending on the PHI Act (such as Europe) some require that it be
hosted in the country of origin, others are less stringent, requiring that
it be encrypted, access controlled, etc.  The outsourcer will need to
provide SAS70 findings from an independent audit body, which the CXO needs
to review.  The CXO will not go to jail but will more than likely move to a
different MSP if the government finds material discrepancies.  They have
time to clean them up, particularly if it is something that resulted from a
process or technology issue versus blatant fraud as what happened in the
Enron case that brought about SOX.

One suggestion would be to actually read the regulations you are speaking
about - see attachment for SOX.  It is not the regulations that require
reform (many of them were generically written - not to a specific technology
per se) but the prescriptive guideline controls such as COBIT (used by
auditors to test the technical system) and frameworks like ITIL and ISO that
do need to be adjusted.  That is not up to the politicians but the
government commissions from NIST in the US - similar agencies in other
countries to define and enhance.  New standards are forming and being added
to ITIL (look at V3 that changed from V2 to add a DML - definitive media
library over a DSL - definitive software library and more around federation)
- why?  Because the technology evolved and changed.  

The biggest GAP here for the cloud is how newer technologies - like
virtualization - impact those controls, making it difficult to enforce some
and others obsolete.  It is important to understand the risks of these new
technologies for GRC (governance, risk and compliance) and either find
prescriptive workarounds or select technologies that were created post
regulations (after 2004) so that compliance and how it evolved with NIST
will have a greater chance of being baked in as part of the architecture and
not an afterthought until it is an issue.

It is not visibility as is stated - else the large outsourcers that have
made a successful business off of healthcare verticals would not still be
in business.  More importantly, most small doctor's offices etc. are less than
100 employees - they could not afford a big datacenter etc. for compliance
and need to look at alternative means like the cloud.  

The key here is to join groups like W3C that are defining Common Information
Model or others that influence NIST direction, ITIL or COBIT reform (the
majority uses ITIL framework or ISO).

Rao Dronamraju  
View profile  
 More options May 2 2009, 7:09 pm
From: "Rao Dronamraju" <rao.dronamr...@sbcglobal.net>
Date: Sat, 2 May 2009 18:09:32 -0500
Local: Sat, May 2 2009 7:09 pm
Subject: RE: [ Cloud Computing ] Re: Clouds and Compliance

Here is an interesting article about the subject..

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Default&articleId=9126934&taxonomyId=0&pageNumber=1

Cloud computing and compliance: Be careful up there

Excerpts..

"What it all comes down to, ultimately, is that the user organization is
responsible for figuring out who is doing what to its data and requiring
assurances about the data staying in compliance."

"In certain cases, compliance will be impossible," predicted Jim Haskin,
senior vice president at Websense Inc.

"As enterprises start to run their entire networks on the cloud, existing
certifications [such as Gramm-Leach-Bliley, etc.] start to break down,"
added Jonathan Bryce, co-founder of Mosso.

"The certifications assume that the enterprise controls everything, and it's
all located within their office building."

"We can certify that the memory is cleared out," said Bryce at Mosso. "But
the specification also says that the place where the data is stored can only
be accessed by you, and servers that you control are locked down." But in
the cloud environment, servers may be shared by multiple clients, and even
if they are not, there remains the question of whether the client or the
cloud vendor controls them, he noted. "It's a gray area," Bryce said.

"Whatever regulatory environment is targeted, cloud-based compliance is
nearly always a nontrivial task."

"But some forms of compliance may remain elusive in the cloud. 'It does not
work where you have artificial restraints imposed by legislation,' said
Alistair Croll, analyst at Bitcurrent, a research firm in Montreal."

Jeanne Morain  
View profile  
 More options May 2 2009, 8:27 pm
From: Jeanne Morain <jmor...@yahoo.com>
Date: Sat, 2 May 2009 17:27:43 -0700 (PDT)
Local: Sat, May 2 2009 8:27 pm
Subject: Re: [ Cloud Computing ] Re: Clouds and Compliance

Clarification below -

DMTF (Data Management Task Force) has defined the standards for CIM (common information model) as well as SMASH and DASH.  I just wanted to make sure my point below was not confusing.

There are several offshoots of W3C or other open standards groups in the industry that help define what these standards are, take review input, and welcome feedback.

Another void area is educating the auditors on the technology - there is a lot of confusion in terms of virtualization, cloud etc and how they need to adjust their investigation checklist and procedures.

________________________________
From: Jeanne Morain <jmor...@yahoo.com>
To: cloud-computing@googlegroups.com
Cc: scott.alldri...@ipservices.com
Sent: Saturday, May 2, 2009 11:14:40 AM
Subject: [ Cloud Computing ] Re: Clouds and Compliance

From the thread - there is a lot of time and thought on specific projects that were going through that the "auditors" may not have informed those on the thread of all the pieces and some of the industry wide misperceptions from vendors that did not bother to take the time to educate themselves on the acts, NIST, etc have propagated.  As a result- there are some misperceptions on compliance, how it can be hosted in the cloud, and the consequences.

The types of compliance and their requirements vary.  The thread below is mixing HIPAA, SOX, etc.  That is only applicable for public companies that deal with patient information (Insurance, Hospitals, Device Manufacturers).  Different industries are impacted by different types of regulations (Financial services for example has Office of Thrift Supervision, SOX, Graham Leach Bliley, Basel I & II, PCI, etc)  Healthcare also is overseen by the FDA because hospitals manufacture blood for example. 

Outsourcers such as Perot, CSC, IBM, Accenture, Unisys, etc have had solutions around various verticals that are highly regulated after the legislation passed(Government, Financial Services, and Healthcare - HIPAA and SOX).  SAS70 is the audit control for those smaller SMBs/SMEs that most hosted solution providers provide to audit and to the companies they serve to prove that data is encrypted, isolated and safe.  This is a practice that has matured over the years and there are many good documented "How to Guides"  - www.itpi.org - for Visible Ops series.  I am copying one of the co-authors and a formidable expert in this area - in case he would like to comment.

Yes CXOs need visibility into their organization to comply with SOX - that is ONLY for public companies.  For example, large private healthcares - do not have to worry about SOX.  HIPAA is different as is PCI because they affect anyone in contact with personal information (health, financial).  HIPAA and other Personal Health Information Acts in Europe, Japan (which are more stringent) addresses access to patient information (health, billing, etc).  Depending on the PHI Act (such as Europe) some require that it be hosted in the country of origin, others are less stringent requiring that they be encrypted, access controlled, etc.  The outsourcer will need to provide SAS70 findings from an independant audit body of which the CXO needs to review.  The CXO will not go to jail but will more than likely move to a different MSP if the government finds material discrepancies.  They have time to clean them up particularly if it is something that
 resulted based on process or technology issue versus blatant fraud as what happened in the Enron case that brought about SOX.

One suggestion would be to actually read the regulations you are speaking about - see attachment for SOX.  It is not the regulations that require reform (many of them were generically written - not to a specific technology per se) but the prescriptive guideline controls such as COBIT (used by auditors to test the technical system) and frameworks like ITIL and ISO that do need to be adjusted.  That is not up to the politicians but the government commissions from NIST in the US - similar agencies in other countries to define and enhance.  New standards are forming and being added to ITIL (look at V3 that changed from V2 to add a DML - definitive media library over a DSL - definitive software library and more around federation) - why?  Because the technology evolved and changed. 

The biggest GAP here for the cloud is how newer technologies - like virtualization - impact those controls making it difficult to enforce some and others obsolete.  It is important to understand the risks of these new technologies for GRC (governance, risk and compliance) and either find perscriptive work arounds or select technologies that were created post regulations (after 2004) so that compliance and how it evolved with NIST will have a greater chance to being baked in as part of the architecture and not an afterthought until it is an issue.

It is not visibility as is stated - else the large outsourcers that have made a successful business off of healthcare verticals - would not still be in business.  More importantly most small doctor's office etc are less than 100 employees - they could not afford a big datacenter etc for compliance and need to look at alternative means like the cloud. 

The key here is to join groups like W3C that are defining Common Information Model or others that influence NIST direction, ITIL or COBIT reform (the majority uses ITIL framework or ISO).

Have a great weekend.

Cheers,
Jeanne
www.installfree.com

________________________________
From: Rao Dronamraju <rao.dronamr...@sbcglobal.net>
To: cloud-computing@googlegroups.com
Sent: Saturday, May 2, 2009 9:05:16 AM
Subject: [ Cloud Computing ] Re: Clouds and Compliance

“The problem here, I believe. is one of verification. If the CXO is 100% guaranteed and convinced that the ISP solution is compliant then he will have no problem outsourcing.  Remember he has to believe his own IT people and their system being compliant. Can the ISP convince him that their system is "SAME" as the internal system? There lies the problem.”
No, the problem in cloud scenario is, CONTROL and VISIBILITY….on his/her own premise, he has a LOT of CONTROL and VISIBILITY. He/She is directly responsible for the CONSEQUENCES of anything going wrong in terms of compliance. In cloud scenario, that responsibility has PARTIALLY shifted to the CSP. The CXO is still responsible for the content and authenticity of the financial information.
 
I am not sure why lawyers would be interested in fixing this?....The stakeholders here are the companies, CSPs and the government….they are the ones who are most benefited by clouds.
Of course, the lawyers employed by them will work out the legal issues.
 
Would the govt. by itself look into this?....don’t know….
 
Your example of toy manufacturing and compliance is a good example to convince the CXOs that outsourcing compliance is in practice and working.
 
“NIH has research grants to come up with solutions that allow for increased compliance. I hope if the solution is very difficult then HIPAA requirements may have to be changed. It will take time.”
 
Government can wait….they don’t run on making profits….for businesses TIME IS PROFITS….they cannot wait….they have to take the initiative and leadership and make things happen.
 

________________________________

From: cloud-computing@googlegroups.com [mailto:cloud-computing@googlegroups.com] On Behalf Of satish rege
Sent: Saturday, May 02, 2009 10:15 AM
To: cloud-computing@googlegroups.com
Subject: [ Cloud Computing ] Re: Clouds and Compliance
 
I feel that "the lawyers will NEVER do it" is too strong. "It ain't going to happen" is stronger. I believe they didn't know that the problem exists. It may take time for them to recognize the problem and then come up with regulations to solve it. Law has always been behind the technology development. So how long it will take is then the question?

Note: exchanging health records electronically and compliance with HIPAA is a big problem. The present government is making progress to overcome that by trying to seamlessly move the records from the Pentagon to Veterans Affairs. NIH has research grants to come up with solutions that allow for increased compliance. I hope if the solution is very difficult then HIPAA requirements may have to be changed. It will take time.

"Today I know an ISP who has an excellent compliance solution and good market, and is willing to try the SaaS model.

But when I did the analysis, I realized that unless the law is changed, CXOs are not going to come forward and place their compliance systems in a public cloud as long as 100% of the compliance responsibility is with them….so this company just yet does not have the SaaS market….maybe in 6 to 12 months…."

The problem here, I believe, is one of verification. If the CXO is 100% guaranteed and convinced that the ISP solution is compliant then he will have no problem outsourcing. Remember he has to believe his own IT people and their system being compliant. Can the ISP convince him that their system is "SAME" as the internal system? There lies the problem.

Let us take a simple problem. Toys sold in the US have to be compliant with certain safety standards. Mattel outsources the manufacturing to China and takes the responsibility of compliance with US laws. (They did have a problem with a particular toy recently and the product was recalled.) Also, I do understand, the requirements on toy safety are not as complex as the problem we are discussing.

So the question is can we build software systems that are compliant with complex law and guarantee their behavior? We all have our own opinions and experiences with regards to software verification technology. It also has a long way to go.

-satish

On Fri, May 1, 2009 at 11:52 PM, Rao Dronamraju ...

Greg Pfister  
From: Greg Pfister <greg.pfis...@gmail.com>
Date: Sun, 3 May 2009 16:37:35 -0700 (PDT)
Local: Sun, May 3 2009 7:37 pm
Subject: Re: Clouds and Compliance
That is an interesting article. Here's hopefully a more easily-usable
URL:
http://www.computerworld.com/action/article.do?command=viewArticleBas...

We should note, though, that the article contains a good amount of
positive positioning, not just negatives. Like:

*****
But some observers make the point that the cloud doesn't necessarily
complicate compliance issues. "The concept of auditing is to track
everything that goes on, whether it's across the cloud or across
multiple data centers of the same firm -- tracking is no different no
matter where the various components are," said Mike Karp, senior
analyst at Enterprise Management Associates Inc., an enterprise IT
consultancy based in Boulder, Colo.

In fact, various sources agreed that regulatory compliance is often
possible with cloud computing, although it takes special effort.

***

And that last statement is, I would say, the point. It can be done.
You just have to be careful, as usual, and there are some additional
things you need to be careful about.

Greg Pfister
http://perilsofparallel.blogspot.com/

On May 2, 6:09 pm, "Rao Dronamraju" <rao.dronamr...@sbcglobal.net>
wrote:

...
