Enterprises are increasingly interested in cloud computing as a potential solution to capacity challenges. The idea is that if you have a virtualized data centre, the cloud could potentially be an “overflow” data centre where you expand capacity during periods of high demand. If the cloud can extend your data centre, then you don’t need to build another one or increase the capacity of the one you have just to handle intermittent spikes in computing demand.
It’s a great idea, at least in theory. A few of the companies that Nemertes advises are already looking into cloud computing and trying to decide how to approach it. Cloud offers the possibility of capacity on demand, effectively a dial that you can tweak to increase or decrease computing capacity, while paying only for what you use. Not only can this save money on infrastructure, but much more importantly it provides tremendous flexibility for launching new applications or even business lines with minimal capital investment. If they come, you will build (rent) it.
Many of the key challenges of cloud computing arise at the border between your infrastructure and the cloud. How do you move resources from one side to the other? Is the cloud application dependent on storage that resides on your side of the border? What impact will that have on the bandwidth requirements? And how do you seamlessly move virtual machines between the cloud and your data centre as demand grows and shrinks? These are all valid and interesting questions. But an even larger question looming like a dark cloud on the horizon is that of jurisdiction and legal status. Is stuff in the cloud on the same legal footing as stuff in your data centre?
Turns out that currently, stuff in the cloud is not on the same legal footing as stuff in your data centre. Unfortunately, the legal precedents being set are potentially devastating for enterprise adoption of cloud computing. The executive branch is repeatedly taking the position that data stored in the cloud does not have the same assumptions of privacy and due process as does data stored in your own infrastructure. The very fact that you put the data “out there” somehow strips any “expectation of privacy”, which is a key criterion for the level of due process protection (based on my limited understanding of law). A recent decision by the Sixth Circuit Court of Appeals (Warshak v US) seemed to agree with this idea of a lower “expectation of privacy.”
For now, these rulings have been made against individuals, not corporations, and in regard to e-mail, not files or databases. But the precedents are being set in a way that makes cloud computing a difficult proposition, both for security professionals and compliance auditors. In corporate terms, privacy is often a regulatory compliance imperative. When looking at cloud computing you need to consider whether you still have a “reasonable expectation of compliance”.