Global Conflicts Magnified in the Cloud
Lack of International and Regional Harmony Raises Challenges
That lack of harmonization is a real barrier for big organizations adopting cloud-based services, says MacWillson, who works for Accenture Technology Consulting. The United States, for example, has started the process of trying to nationalize regulations and laws around cloud service provisions, but national governments in Germany and the United Kingdom aren't quick to align security requirements with European Union standards. "These countries are saying, 'Hang on a moment. We don't care what is in place from a European perspective. We want the data protection laws or the reporting laws to apply in our cases,'" MacWillson says.
The cloud has the potential to offer services around identity and access management. "But, unfortunately, the movement of user information across national borders, even in Europe, where there's some level of harmonization, is a real challenge," MacWillson says during an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
With any new technology, there are challenges. But they can be overcome. "Much like any innovation, it takes a lot of people to talk about the opportunities and also the risks, and it takes a little bit longer for the technology guys to catch up," he says.
During this second part of a two-part interview, MacWillson discusses:
- Interstate and international regulatory challenges organizations and cloud providers must face;
- Infrastructural cloud advantages that could ease the burden of cross-border security-risk management;
- Understanding the balance between risk and advantage, now and into the future.
Be sure to check Part 1, Cloud Computing: Compliance Challenges, in which MacWillson addresses the evolution of cloud computing, dealing with multiple cloud providers and steps organizations must take to ensure ongoing compliance with regulatory mandates.
MacWillson, who leads Accenture Technology Consulting's security business, works with business and government leaders around the world on issues such as security, trust, privacy and compliance. He also serves on the leadership team of Accenture's global Technology and Delivery service line, where his primary areas of expertise include global security, information security, business and operational risk, technology transformation and technology vision. Before joining Accenture, MacWillson spent 16 years with the U.K. Foreign Service, specializing in political and technical risk analysis in the former Soviet Union, the Middle East and the United States. He has been an adviser to the cooperative Society of Worldwide Interbank Funds Transfer on message security, the U.K., U.S. and Australian governments on critical infrastructure protection, and the European Commission on protecting citizen privacy.
Comparing Regional Cloud Services
TRACY KITTEN: Do you see regional differences in security levels that are provided by cloud vendors? For instance, how would you compare cloud services in the U.S. with cloud services in Europe?
ALASTAIR MACWILLSON: Actually, for many organizations this is one of the biggest challenges to face. When you take any multi-national that operates globally, if they've got a global cloud-based service provider, chances are they won't meet the regional differences around consistent security and data due to the absence of consistent security and data privacy laws and regulations. So even though there's an attempt at regionalizing or nationalizing the regulations and laws around cloud service provisions say in the US, quite often state laws for example will take a higher profile than any national attempts to harmonize. The same is true and probably more exact about it in Europe.
For example, where even the European Commission has been trying to harmonize regulations and the requirements but national governments like the German government, for example, the U.K. government and others in Europe are still saying, "Hang on a moment. We don't care what is in place from a European perspective. We want the data protection laws or the reporting laws to apply in these cases." What I'm saying is that lack of harmonization is a real barrier to particularly big organizations adopting cloud-based services to do global things or to handle data on a global basis.
One good example of that is around identity and access management, where a lot of organizations would love to see identity and access management, their security function if you like, being provided for as a cloud-based service. But unfortunately, the movement of user information across national borders, even in Europe where there's some level of harmonization, is a real challenge. I guess even when the regulations are not directly at odds with what the cloud is trying to do, the ambiguity and the thicket of potentially conflicting laws really casts a cloud over where it's an issue that companies want to try to adopt and deploy their data in the cloud, which is something that really has to be addressed either nationally or at an international level.
KITTEN: Before we close, I did want to ask for some final thoughts about cloud security generally.
MACWILLSON: I think actually that I may have painted, possibly, an overly gloomy picture. I would stress that there are real benefits to cloud. We're certainly seeing them, the high agility, the scalability, on-demand computing power and there's an incredible ecosystem of providers that's being built. It's something that people should really pay attention to. I believe that quite clearly while companies need to understand the risks associated with putting certain data onto public clouds, I actually think that technology solutions will rapidly catch up and address many of these concerns. I don't want to lose sight of the fact that cloud represents a chance for organizations to really rethink their approach to not only how to get business services and data out of cloud, but also their overall approach to information security, because that's also coming as a cloud-based service.
In answering your question about which organizations are ideally placed to help push this through, I think a lot of it is the buyers. Buyers, much like the early days of the outsourcing arena, are starting to dictate terms and their buying power is starting to help cloud-based providers really think through how they can meet the growing requirements for security and control in their services. It's accelerating the maturity of these service providers significantly. I also think that there are so many people interested in this and with all different agendas in terms of the stakeholders, the vendors, service providers and so on, the technology band.
Those organizations or stakeholders are getting together to define new levels of security control which will come out in the near future in terms of open standards or the standards-based thinking that's merging around this. Much like any innovation, it takes a lot of people to talk about the opportunities and also the risks, and it takes a little bit longer for the technology guys to catch up, but that's certainly what we're seeing happen.