Expert Q and A: CA's Rob Zanella on Cloud Computing and Compliance
Published: March 09 2009, 05:45 AM by Sumner Blount
I recently had a chance to chat with Rob Zanella, CA's VP of IT Compliance, about recent trends related to cloud computing and its potential impact on enterprise compliance initiatives. (Computerworld covered this recently here. UPDATE: Another good piece weighing the pros/cons on the Rational Survivability blog here.)
Rob offered his general thoughts on this trend and shared insights on key considerations for companies evaluating cloud computing offerings for a range of IT purposes. Following is a recap of our discussion.
Sumner Blount: We've heard a lot about the rise of cloud computing. Although this trend appears to have some important advantages for many enterprises, it also seems to complicate the process of IT compliance. What are your thoughts?

Rob Zanella: The challenge of cloud computing is knowing what you're getting, and how it compares to what you already had. For example, let's say that you outsource some of your key IT processes. There will certainly be an SLA document that describes the levels of service that you should get. That's all well and good, and has been standard practice for years in the outsourcing world.
But, compliance increases the importance of risk management to this process. You need to know what your total risk is as you move these IT processes outside, and how predictable it might or might not be. And, even if you have long detailed SLA documents, there's no substitute for having the processes in-house to help you more fully understand the risks that exist.
So, the challenge is to know how you can assure that your risk is manageable. Typically a SAS70 report is used to attempt to provide that assurance. But, the SAS70 Type II is really not a certification that the outsourcer will meet your needs. It's a statement from an external auditor that the controls that were shown to them operate effectively. These may or may not be the same controls that you need to meet your business or compliance objectives. Some executives who have relied on a SAS70 Type II report as a "security blanket" have had to wake up to the "cold" reality that they have a compliance problem.
The problem is a lack of information and visibility into outsourced controls, and whether they will meet your needs. Along with the process being outsourced there are existing controls that you are outsourcing. You need to make absolutely sure that these external controls function as your previous controls did, and do not introduce gaps that could increase your risk unnecessarily. If so, you might need to introduce additional controls in your environment to mitigate these potential gaps, or work with the service provider to strengthen their internal controls.
In reality, the outsourced controls may be more effective than what you had in-house, in which case you come out ahead with a strong compliance environment. The point is that you can't make this determination without a detailed analysis of those controls to know where your risks and exposures might be.
Another key problem to consider when undertaking cloud computing is assignment of responsibility across the program. For example, there are often specific requirements for transferring information (such as personal information) from the company to the service provider. This requires attention to certain IT processes, as well as business practices. It is important to identify early on the specific responsibilities for any outsourced compliance program, and to make sure that these overlapping responsibilities are clarified to the extent possible.
SB: Let's look at a specific example to help us understand the impact. Let's say that my company needs to comply with PCI because it processes credit card transactions. If my company outsources their credit card processing and that vendor suffers a significant breach, does that mean that my company is subject to fines, or would the outsourcer be responsible, or both?
RZ: There is no clear answer that works in all cases. In some previous cases where a service provider has caused a breach of credit card information, the owner of that information had to pay for credit monitoring for thousands, if not millions, of people. Those costs would typically be covered by the service provider because that's clearly where the fault lies.
But, privacy laws are still evolving across the country, and there is no clear precedent for who would be responsible for governmental fines in the case of some type of outsourced privacy breach. The fact that some states even have conflicting privacy laws makes this situation even more challenging.
SB: Are there certain regulations, or types of regulations, that are more suitable for a SaaS or cloud computing model than others?

RZ: It's best not to look at it from a perspective of regulations, but rather to view it in terms of business processes, or controls that are being provided by a service provider. So, presumably you might be outsourcing multiple IT controls, each of which might be meeting the requirements of multiple regulations or standards. If you view cloud compliance from the point of view of a single, or a few, regulations, then you will likely not get the full benefits that this model can provide.
SB: Are there some final suggestions that you would give to a Compliance Officer who is interested in taking advantage of cloud computing benefits, but is concerned about the impact on their compliance initiatives?
RZ: It's important that compliance executives be involved in the planning and execution of any cloud-based compliance efforts. They need to be a member of the vendor management team, in order to make absolutely certain that the compliance needs of the business are being met. IT will play a huge role in this effort also, but the involvement of the compliance organization is also essential.
In addition, be very rigorous about defining responsibilities across the whole program. The role of all constituents should be clear, so that the needs of each organizational unit will be met. Compliance's needs should be reflective of the company's need to manage their processes to be of a certain risk tolerance while also making the company profitable.
Finally, do your homework. Define your goals, understand clearly the business need that is driving this effort, and ensure that you clearly define and quantify the risks that you are undertaking. Make sure that the compliance controls that you are outsourcing are effective and adequate to meet your overall compliance needs.
=====================

Rob Zanella is Vice President of IT Compliance for CA and is responsible for all compliance activities within Information Technology. Rob joined CA in 2005 as Director of Internal Audit to develop the company's first IT Audit practice. Upon establishing the practice, Rob next assumed responsibility for the IT Compliance function to advise on controls optimization opportunities and to manage CA's IT risk and controls profile.

Rob has 25 years of IT experience in operations, software development, project management, and auditing. Before joining CA, he was Director of IT Audit for 5 years at SIAC, the technology arm of the NYSE. Prior to the NYSE, Rob was a Senior Manager at Deloitte & Touche for 7 years implementing ERP solutions as part of their Enterprise Risk Services group for several large clients. In addition, he held various software development and project management positions within Savings Bank Trust Company and Union Savings Bank while developing and implementing lending software.

Rob has been a Certified Information Systems Auditor (CISA) as certified by ISACA (Information Systems Audit and Control Association) since 1995. He holds a Bachelor of Science in Computer Science from Hofstra University and a Master of Business Administration from Adelphi University.
By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...