Just last week I wrote about how essential planning is for a move to the cloud. I mentioned a few examples of questions which cloud service planners should keep in mind, and one of the examples was around compliance. It’s easy to forget about compliance in the rush to stand up a new platform, not least because in the past compliance has often been a day-2 task (pronounced: afterthought). However the cloud brings its own unique compliance challenges. It is no longer even conceptually possible to shelter internal services behind a locked-down firewall, when some of the resources those services are running on reside in Amazon’s or Microsoft’s or Google’s data centre.
Then today I happened to read an article in the Financial Times (also available via CNN) discussing the new penalties the EU is planning for data privacy breaches. These penalties include fines of up to five percent of global turnover, and also cover multinationals that operate in the EU. Now of course these new proposals need to be ratified by the various national governments involved, a process which is expected to take around two years. However that timeframe is well within the planning horizon for a major initiative such as cloud computing.
This regulation will have a large impact on cloud projects, because it is no longer possible to take a simplistic approach of “let’s just run everything in the public cloud”. Any US-based cloud provider, including their European operations, is subject to the US Patriot Act and therefore potentially in breach of EU data privacy regulation.
Enterprises considering hybrid or public cloud approaches now need to consider data sovereignty and the legislation their provider(s) might be subject to. This does not mean that enterprises cannot or should not use the big US service providers; however, customers will need a cloud platform which is aware of the compliance requirements of each service and can place components dynamically and intelligently on infrastructure resources which will satisfy those compliance requirements. Compliance is just one dimension, of course, to be considered together with performance, security, platform and application compatibility, connectivity, and so on. The BMC Software platform is able to deliver these intelligent placement capabilities through its Service Governor, which is able to locate compute, network and storage resources to satisfy all of these types of requirements.
In turn, EU providers now have a new market opportunity, offering services which are compliant to these new regulations. This is not as simple as just ensuring that the data centre is physically located in the EU; the newly toughened regulations also discuss security breaches, requiring notification within 24 hours of any breach. Therefore, service providers need a way to deliver secure multi-tenancy on shared infrastructure, while also ensuring both the initial and ongoing security hardening of the platform and the delivered services themselves. Harris Corporation was able to set up its Trusted Enterprise Cloud offering using BMC Software technology, delivering a highly secure cloud service to some very demanding customers.
If you are starting planning for a cloud platform which will include outside resources, or you plan to offer your own cloud platform to third parties, this is an important aspect to bear in mind. To find out more about the secure multi-tenancy and compliance features of BMC Software Cloud Lifecycle Management, please visit www.bmc.com/cloud.