Comments on: Retiring application data to the cloud

IT departments struggling to keep legacy data alive should consider a new cloud-based storage offering from RainStor.

[Remo_Williams]

yep, it would seem like a no-brainer... for people with no brains. what about regulatory oversight of archived data to satisfy FDA/ NRC/ FAA auditors? "Oh, we store it in the cloud". "Really... okay, here's your 483. Good luck with the consent decree hearings..."

[mbenedict]

@Remo_Williams:

I can't comment on the Clearpace / RainStore offering specifically, but your remarks seem completely off base.

First, not all businesses are subject to stringent regulatory or industry compliance requirements.

Second, even for business which are, there is NO underlying reason why moving solutions "to the cloud" could not satisfy compliance requirements.

In fact, today many business subject to regulatory oversight have ALREADY moved applications & data to the cloud. For example, some businesses have built HIPAA-compliant solutions using cloud services such as Amazon Web Services and Microsoft HealthVault.

From an IS auditor's perspective -- which I am one by the way -- we would audit a system built-on or connected-to the cloud like any other system. We'd thoroughly look at all the system risks (including inherent risks of the cloud) and look at whether the system's internal controls effectively mitigate those risks.

Many cloud providers are currently undergoing service organization audits (i.e., SAS70) to provide clients (and their auditors) insight into the provider's internal control environment. Some cloud providers are also taking steps to enable their clients' compliance with industry standards, most notably PCI DSS. Companies like Microsoft are prepared to enter into "BA agreements" with their clients, as required by HIPAA.

[tristan-slominski]

The problem with currently migrating the data to the cloud is that you have to trust your Cloud provider with the secrecy of your data, which gives you two choices. 1. trust the Cloud provider, and that they will not have disgruntled employees looking at what you search for in your data, or 2. encrypt everything and use the Cloud as a dead drop until you need to retrieve information. These two solutions do not cover every business need out there. What if you want to keep everything secret from the Cloud, yet still tap into the ability to search through live data without having to trust the Cloud?