Regulated industries like health care and financial services frequently deal with large quantities of highly sensitive personal data. Cloud providers, meanwhile, routinely move data between their various centers for balancing load, maintaining redundancy or perhaps simply “following the sun” in search of cheaper electricity. It can therefore be difficult to know which data center holds which data at any point in time — hardly the ideal scenario when dealing with information as sensitive as medical history or financial transactions.
In industries like health care and banking, concern over misuse of sensitive data has partly led to the rise of comprehensive regulatory regimes. These are typically administered by government agencies such as the United States’ Securities & Exchange Commission (SEC) and the United Kingdom’s Financial Services Authority (FSA). Regulatory remits are often broad, and the language of legislation can be slow to catch up with technological and social shifts. This makes it challenging for both regulation and industry to embrace new approaches to data storage, particularly when it is not clear whether such new approaches violate either the letter, or the spirit, of existing laws.
Adoption of cloud computing, therefore, has not always been rapid in regulated industries. But the reality is that individuals at the regulatory level typically view cloud computing as simply another form of IT, and rule books do not explicitly prevent use of the cloud. In fact, they rarely mention it. For cloud providers, that means regulated industries offer real opportunities for growth and differentiation. For those prepared to invest in understanding and meeting the requirements of a heavily regulated environment, there are further opportunities to offer premium services for more sensitive data.
The Rules are “Simply Outdated”
When it comes to the cloud, many businesses in industries — regulated and not — struggle to find a neat framework for understanding the relationship between cloud provider and client. In the traditional language of business, cloud companies are often considered “outsourcing” providers. Existing regulations that dictate how regulated industries interact with their outsourcing providers, therefore, impact the ability to engage with cloud computing providers.
Speaking at the Powered By Cloud conference earlier this year, Robert Johnson, head of front office technology for investment bank Mitsubishi UFJ Securities International, pointed to the outsourcing regulations of the Financial Services Authority. In its current Handbook, the Financial Services Authority states that banks “must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing,” and “have effective access to data related to the outsourced activities, as well as to the business premises of the service provider.” (Rule 8.1.8)
The rule was written to cover situations where a bank wants to save money or increase agility by outsourcing services (IT or otherwise) to another company, and was intended to ensure that expertise and access to infrastructure were not lost during any outsourcing arrangement.
But Tony Lucas, founder of Scottish cloud computing provider Flexiant, says many existing rules in the financial sector and elsewhere are “simply outdated.” He points to the data security standards developed for the payment card industry (PCI), where the use of multiple — and expensive — physical components is required in order to deliver secure networks inside a data center. PCI is just one example among many.
Despite the increasing sophistication of virtualized networking solutions, the rules date back to a time when security required numerous separate cables running between separate physical servers; each adds to the cost and complexity of equipping and maintaining a data center. For mainstream cloud providers dependent upon commodity equipment and economies of scale for revenue, the additional costs to comply with these rules may simply be too high for their low-margin business models.
Solutions for Data-Sensitive Industries
But regulated industries can certainly make use of existing cloud solutions; many CIOs are already quietly moving tasks to the cloud to better understand the opportunities in that space.
Cloud providers, too, have a role to play: They must gain a better understanding of specific regulatory pressures affecting potential customers (for example, rules around personal health records). They must also build and describe their products in ways that those industries will recognize. Where solutions address specific compliance issues, these should be made explicit, as should any relevant accreditations.
CloudAudit (discussed in a recent podcast with George Reese, CTO of Minneapolis cloud management firm enStratus) is one industry solution for data-sensitive industries. The process, still in development, helps cloud computing providers self-certify their data centers by providing consistent descriptions of the capabilities, accreditations and features of their centers. The hope is that prospective customers will more easily be able to compare the offerings of different providers.
Taken to its logical conclusion, CloudAudit could even permit trusted third parties to conduct audits on behalf of whole industries, bringing a degree of additional authority and rigor over and above the assertions made by the cloud providers themselves. Even the largest and most secretive of cloud providers — unwilling to allow everyone inside their data centers for auditing purposes — might accept a single inspection on behalf of the FSA or SEC. Widespread adoption, however, will still require the regulators to change their guidance in order to formally accept such an audit over the individual physical inspections currently required.
In health care, the United States’ Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the handling of personally identifiable health data. A 2009 white paper (pdf) from Amazon — one cloud provider that claims its services meet HIPAA’s stringent requirements for storage and processing of data — addresses common concerns of potential customers. Case studies with healthcare service providers like MedCommons, meanwhile, provide real-world examples of success in storing data with Amazon.
In both health care and financial services, the responsibility for ensuring compliance with all relevant legislation continues to rest with the customer (i.e., the hospital or bank). Regardless of what the cloud provider claims, it is the customer’s job to ensure data and processes meet regulatory requirements. As Reese noted, cloud providers should certainly do a better job of understanding any legislation that governs the markets they wish to enter, and should provide more information about relevant accreditations or procedures. None of this, however, lets the customer off the hook when it comes to ensuring their data is always treated according to the rules.
Options for Cloud-Bound Customers
No one is seriously suggesting a bank or hospital migrate all of its IT to a public cloud, but Lucas argues that taking the time to segment existing data and workflows lets customers make effective use of complementary solutions. He identifies four broad categories where cloud technologies could help regulated industries find better solutions for storing their sensitive data. Each offers a different combination of risk and opportunity:
- Commodity public cloud: This is typically the cheapest cloud resource, suitable for non-sensitive data. Service level agreements (SLAs) are weak or non-existent and offer little security. The most basic cloud offerings from the likes of Amazon and Rackspace fill this niche.
- External private cloud: Hosted in an external data center but with additional physical and virtual security measures, the external private cloud will typically offer stronger SLAs and contractual protections at a higher cost. It is suitable for some sensitive data and workflows.
- External niche cloud: This is a more expensive option. The external niche cloud is probably audited, and suitable for most sensitive data. It is intended to meet the particular requirements of an industry like financial services, health care or government. The external niche cloud can be optimized to comply with specific regulations, reduce latency, increase redundancy or other legal, technical or business requirements.
- Internal cloud: If suitably secured and managed, this is ideal for keeping the most sensitive or valuable data in-house. It involves the adoption of cloud computing methods such as virtualization and elasticity within the existing enterprise data center. These internal clouds are normally only effective at delivering cost and efficiency savings when deployed at significant scale.
In theory, it is not cost-effective to offer a complex menu of potential options within generic cloud products, but customers with particular requirements will pay a premium to get what they need. This creates an ongoing opportunity for niche (or, in NIST’s terminology, “community”) clouds that are similar to recent announcements from IBM, where specialized clouds are proposed to meet the specific needs of different industry verticals. The first of these addresses the health care market; future versions might address further verticals or target specific geographic regions.
Prospective cloud customers need to understand their data and what they wish to achieve with it. Rather than treating all of it the same, effective use of different cloud solutions will require initial effort to segment data according to criteria like sensitivity and speed of change. Detailed and personally identifiable patient records are far less suitable for processing on a public cloud than a set of anonymised statistics. By identifying and experimenting with discrete sets of “safe” data, even customers in the most heavily regulated industries can begin to explore the costs and benefits of bringing cloud computing into their regular workflow.