Don’t cloud your compliance data

Even the best security and data integrity processes may not be enough. Make sure your company's legal advisors are involved.

By Dennis Brandl January 1, 2010

CIOs are under continuous pressure to reduce capital assets, headcounts, and support costs, and cloud systems give them a way to meet those goals. Cloud systems are collections of IT resources (servers, databases, and applications) which are available on an on-demand basis, provided by a service company, available through the internet, and provide resource pooling among multiple users. CIOs are looking for any and all opportunities to move internal company systems to external cloud systems because cloud systems reduce capital assets, IT maintenance costs, and direct labor costs. Companies are using cloud systems for email, payroll, invoicing, ordering, and database management. There are over 50 cloud service providers, including such powerhouses as Amazon, Google, Microsoft, and IBM.

Cloud computing’s silver lining is the direct cost savings. However, there is a dark center in the cloud when it is applied to manufacturing operations. In manufacturing companies the operations and automation systems can be a major part of the IT budget, so CIOs will be looking to apply cloud computing to manufacturing and automation systems. While mission critical applications with real-time response are not suitable applications of cloud systems, manufacturing databases may be a candidate for moving to the cloud.

Manufacturing databases can be huge, with hundreds of terabytes of data that must be safely maintained for years. This may seem like a good candidate for a cloud computing system, but the dark cloud behind the silver lining of cloud computing is that most external cloud computing services do not meet compliance rules. Manufacturing and automation operate under a large number of regulations and regulatory authorities, including OSHA, USDA, FDA, and EPA. All of the regulations have requirements of data integrity, security, backup, and non repudiation of data. This is difficult to achieve in cloud computing systems because you may not know where your data is actually located, what path it takes to get there, who really has access to the data, and how physically secure it is.

If your company is investigating a cloud computing solution that will include manufacturing data, then manufacturing IT must be part of the evaluation team. The manufacturing IT team must include personnel familiar with the manufacturing compliance regulations that affect you industry.

The assessment strategy should include checks for data segregation (which separates your data from other companies’ data), a review of the provider’s data leak prevention (DLP) process used to prevent insider attacks, the cryptography method used for transferring data across the Internet and storing it on disks, and the identity management process. Two additional important criteria to evaluate are the accessibility of the system for physical audits, which may be required by compliance authorities, and the availability of appropriate documentation that will be needed during an audit.

Consider using the SAS 70 (the Statement on Auditing Standards No. 70) standards ( www.sas70.com ) in your evaluation. These define the standards an auditor would employ in order to assess the contracted internal controls of a service organization. Most cloud providers will have SAS 70 documentation. This does not tell you if they are secure but does show what security controls are in place. The Cloud Security Alliance ( www.cloudsecurityalliance.org ) also defines a set of best practices for providing security assurance in cloud computing systems.

Even the best security and data integrity processes and procedures may not be enough for your compliance data. Make sure that your company’s legal advisors are involved in any “clouding” of compliance data to ensure that the risks of a compliance problem are balanced against the cost savings of moving the data into the cloud.

 

Author Information
Dennis Brandl is president of BR&L Consulting in Cary, NC, www.brlconsulting.com . His firm focuses on manufacturing IT. Contact Dennis at dbrandl@brlconsulting.com .