Cloud

Storage in the cloud: Compliance primer

Today, a very important step has occurred for one storage provider that has demonstrated a running trend of standards-based practices. Cloud storage provider Nirvanix obtained SAS 70 Type II certification for its practices in providing secured, reliable cloud storage.

The TechRepublic community has made it clear: compliance regarding where your data resides in the cloud is a top concern. In this blog post, IT Jedi Rick Vanover takes a look at what one company has done with standards-based status.

—————————————————————————————–

In a previous post, I mentioned that storage in the cloud is a different beast from a technology perspective. The main difference is that most cloud storage providers utilize an API for access to the cloud storage resource for customer access. Further, I have discussed how cloud storage availability is another important planning point.

Today a very important step has occurred for storage provider Nirvanix, which has demonstrated a running trend of standards-based practices. Cloud storage provider Nirvanix obtained SAS 70 Type II certification for its practices in providing secured, reliable cloud storage. SAS 70 Type II certification shows that documented controls have not only been designed but have been operating effectively over a defined period of time, as attested by an independent auditor. The SAS 70 standard is defined by the American Institute of Certified Public Accountants and is described here. Nirvanix focuses exclusively on cloud storage and targets enterprise customers with robust solutions to match their requirements.

Cloud providers that obtain a standards-based certification for their business practices deserve applause. Nirvanix isn't the only cloud provider in this category, however. Other cloud providers are working on this diligently as we speak. Ideally, all cloud providers would have this and other standards-based qualifications. As a technology community, we tend to gravitate heavily toward news of outages and interruptions of service by the "new technologies" associated with buzzwords.

There are big names in the cloud, so naysayers be warned! In the coming weeks in this blog, I will be lining up case studies of companies that are in the cloud. Does this news do anything for you? I think it is a big step forward in credibility to the cloud. Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

14 comments
Deadly Ernest

Please let me know when they meet Dept of Defence security qualifications for classified material. Most privacy legislation is of the same standard as DoD Classified or Secret level and requires the same standard of handling and security. This is critical for all personal information on employees and clients, and will be the biggest legislative hurdle to jump. The next biggest hurdles will be secondary legislative needs, followed by Internet uptime, and the cost of the hugely increased Internet access required to operate across the cloud. Edit to add - I see no point in going to full cloud computing unless you can move everything out and not have any internal servers. If you have a need to keep some servers in-house, then economies of scale kick in and you may as well simplify your management by keeping them all in-house. Off-site storage for backups managed through a VPN is not, in my view, a cloud computing function but a storage function and totally different.

Jaqui

A method for getting DoD compliance: 1) triple data centers, in geographically diverse locations, but all within the country. 2) The connection API is in a library, and is only available to clients. [who must have DoD clearance] 3) All data transfer and access is via encrypted tunnels, and the data itself is encrypted before being transmitted. [2 layers of encryption] 4) The storage space is locked down so that anything on it cannot be found online at all without the correct authorization / authentication. 5) The service can only be found by you giving the URL out in person or by snail mail; it is not generally available to the public. Edit to add: I think those 5 should be a pretty good foundation to meet DoD specifications.

Deadly Ernest

Every person whose work may bring them into contact, either physically or electronically, with the data in storage or transit will require a DoD security clearance before they commence work.

Jaqui

I misphrased my point 2, where I put the DoD clearance for clients only then. :D Not bad for off the top of my head, and no experience dealing with a DoD at all? :D

b4real

I know that one cloud storage provider can meet all of that I believe except 2x encryption. But, I'm not saying put the DoD data in the cloud.

Deadly Ernest

do require protection equivalent to DoD Secret level handling and impose similar types of restrictions and needs. I know one company that doesn't employ a single person below the CEO - they're all supplied by another company under contract. This way the company has no privacy information that has to be handled, no salary information to deal with, and no human resources unit. The entire employment side of things is outsourced to the other company, and the CEO is contracted to the corporation's international head office. Sure, they pay a bit more, but it gives them more flexibility in staff and fewer hassles meeting a diverse bunch of laws across several states and two countries, Australia and New Zealand.

b4real

My man... Glad to see you here. Do you put HP, Dell or IBM to the requirements you specify if you were going to buy a disk and use it yourself?

Deadly Ernest

specify which brands I will and won't accept, based on past performance in terms of length of service and performance. But I came along because you gave me a link to come along and discuss. Sheesh, how else would I have found it? I used to be the person responsible for legal compliance, auditing, and security on a major military base; is it any wonder I still worry about such issues?

Deadly Ernest

and back at any time? Not like the recent Google issue where they routed all requests over to China due to a server issue. And I'm sure all the Canadian companies won't mind the US NSA studying the data as it flicks back and forth over the US / Canadian border while moving through the cloud. Heck, I'm in Australia, and at one time I ran a program that showed the leg of each data transfer as it happened; a cute little app it was, with a world map and the green lines popping up on it as the info is received. I regularly watched data transfers from Melbourne pop over to Auckland, back to Brisbane, and to where I was in Roma, rural Queensland, at that time. Sometimes the data went Melbourne - Auckland - Tokyo - Singapore - Darwin - Roma. It was interesting to see how far it went to get to me. In such a case any of those countries' governments could intercept the transmission.

b4real

All quality cloud storage providers allow you to know if your data is in the US or not. Europe and Asia I can't yet speak for.

theguru1995

at information that is not for their eyes... not to mention corporate spying... why do we keep on insisting on the cloud for this...geesh...payola? just kidding....

b4real

One strategy being used in the short term is to implement app-level compute encryption so that cloud resources (on storage) are transported in and out of an application encryption space.
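b4real's app-level encryption above, together with Jaqui's point that the data is encrypted before it is transmitted, comes down to keeping the key and the encrypt/decrypt step inside the application so the provider only ever holds ciphertext. The following is an added example, not code from the post, its commenters or Nirvanix: the provider is simulated by an in-memory map, the key is a constructed all-zero value, and the object name is bound into the AES-GCM authentication tag so a blob that is renamed or altered on the provider side is rejected when read back.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// cloudStore stands in for the provider's object store; it only ever holds opaque bytes.
type cloudStore map[string][]byte

type appVault struct { // the application encryption space: the AES key lives here and never leaves
	aead  cipher.AEAD
	store cloudStore
}

func newAppVault(key []byte, store cloudStore) (*appVault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &appVault{aead: aead, store: store}, err
}

// Put encrypts before the data crosses to the provider; the object name is bound as
// associated data, so a blob copied to another name fails authentication on read.
func (v *appVault) Put(name string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.store[name] = append(nonce, v.aead.Seal(nil, nonce, plaintext, []byte(name))...)
	return nil
}

// Get pulls the opaque blob back and decrypts it inside the application boundary.
func (v *appVault) Get(name string) ([]byte, error) {
	blob, ok := v.store[name]
	if ns := v.aead.NonceSize(); ok && len(blob) >= ns {
		return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
	}
	return nil, fmt.Errorf("object %q missing or malformed", name)
}

func main() {
	v, _ := newAppVault(make([]byte, 32), cloudStore{}) // constructed all-zero demo key
	fmt.Println(v.Put("hr/payroll.csv", []byte("alice,100")) == nil)
}
```

Key management (rotation, escrow, who inside the organisation may hold the key) is the part this sketch leaves out, and it is where the compliance burden from the post moves when storage is encrypted this way.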

Deadly Ernest

as they have a far wider effect. The military won't outsource actual military data and stuff simply because of their security and redundancy needs. But they do also have to meet the civilian legislation re privacy, and that is the area where I see the biggest problems - meeting the privacy laws on data security of personal details.

b4real

You would actually be surprised what is in a cloud now.
