Compliance Complexity and the Almighty Audit

By Nicole Hemsoth

June 12, 2010

There are a host of issues that often get wrapped into cloud security discussions ranging from network and data security to the protection of private health and financial information, but for many, security means more than just knowing data is security, it means being able to prove it. In great detail, no less.

Growing regulation governing mounting data complicates efforts for technology to keep pace with the law, which for some industries, barriers to migration for private clouds alone can create enormous challenges. What this all boils down to is compliance and what that can be pared down to, at least on the individual enterprise level, is the notion of the much-dreaded audit.

Audits are not a particular concern for all HPC applications in the cloud, certainly, but for sectors like financial services, this concern is enough to dissuade broad adoption of any cloud model — no matter how tenuous it might be at first. Furthermore, since regulation is swift and revisions are frequent, organizations are understandably concerned about how new regulation might influence their current IT environment.

Grounded Concerns Versus Lofty IT Goals

LogLogic, a San Jose, Calif.-based company offering security and log management services, recently released a report that suggested enterprises are focused on security and compliance over new technology investments. More specifically, LogLogic discussed how financial services firms in particular are still hesitant to adopt cloud — no matter what model or approach. According to their survey, “more than 75 percent of respondents are concerned about increasing government regulation” since, shall we say “enhancement” of existing regulatory measures further complicates IT at every level for those who are under the most compliance-related scrutiny.

Although the report did not go into deep specific differences between private and public clouds, it does highlight some of the critical barriers to wider cloud adoption in industries with intense regulation considerations underpinning nearly every single element of IT. The report was based on surveys with members of some of the largest international banking giants as well as numerous investment and insurance firms. It found, not surprisingly, that security was one of the biggest concerns but wrapped up in that overarching (and valid) concern are the more specific matters of transparency.

Compliance and Security Concern Trump Cloud Investments

The financial services sector is one of the most compelling to watch because they have historically been routine early adopters of technological innovation. Throw in a network, however, and the situation changes dramatically, especially with the increasingly stringent regulations that apply to specific HPC applications in the cloud that deal with personal financial and health information, for example. However, with penalities that are stiff enough to bury companies that are not compliant, the obvious driver here is keeping pace with regulation, certainly not investing in “new” technologies and ways of handling IT that might throw them into ruin.

I talked with LogLogic’s Bill Roth and Lex Van Den Berghe about some of the more specific concerns and trends that reflect the hesitancy of the financial services sector and the word that kept cropping up was “audit.” In addition to more generalized issues about data security as a whole, concerns about audits cannot be underestimated.

As Bill Roth of LogLogic noted, “In terms of the level of security required for those in the financial services industry since they’re so heavily regulated, cloud-based providers and HPC in the cloud in general still does not have the security regimes needed to satisfy a lot of regulators.” This statement is not based exclusively on the findings of this one report; the company has carried out similar studies with similar conclusions in the life sciences as well with focus on HIPPA compliance with similar conclusions.

It All Comes Down to the Audit

While LogLogic has a direct stake in helping firms overcome auditing angst, the points Roth and Van Den Berghe makes are difficult to take issue with. When asked about what the primary concern was for those they spoke with during their study, there was no question that fear of the almighty audit and its associated fines was enough to make any enterprise think twice about sending their business into a network.

As Bill Roth notes, “At the fundamental business level it is all about audits; the survey calls out that the two most important regulatory regimes people are concerned about are Sarbanes-Oxley and PCIS for credit card processing. SOX is governmental, PCIS is industry-based — people’s biggest concern is not being audited, not getting fined.

An example of the biggest requirements (two biggest) are section 404 of SOX as well as PCI rule 10. If you go to the site, the list of regulations looks scary but it’s not that much (changing default passwords on firewall) but as rule 10 states — you have to log everything; among other things, you are required to log all state changes to your firewalls so when you have an audit, there is a clear audit trail of what went on in the case of a breach.”

Are New Regulations Taking the Cloud into Account?

There is a new version of PCI specific 1.3 is coming out for final draft June 30 that has been modified to address the cloud specifically and to tighten areas of concern about wireless networking, tokenization and cloud as an overarching concept. Tokenization, which refers to personal information being stored as a token rather than a directly-accessible tide of information, is an important issue in current debates about cloud and compliance since it means that privileged data can be stored in a more secure offsite location. Elements of that are taken into consideration to allay concerns about where data is being stored, which helps appease auditors and lawyers.

Bill Roth added to this thought by discussing the HITECH Act of 2009, which just went into effect in February and now adds stiff penalties in the form of dramatic fines and now jail time to the direct misuse and mishandling of personal information. “The effect of this has been both good and bad — laws like this have a chilling effect on the move to cloud for more conservative companies who will now look several times before they engage, but it also motivates the rest of us to do better on security and auditing frameworks and technologies to roll things out sooner — the point is, no one wants to wear an orange jumpsuit.”

It’s Not Just the Enterprise That Should Be Worried…

There is no doubt that the increase in regulation is going to affect far more than the enterprises as they make sure they are compliant. Cloud vendors are going to face mounting challenges as well as they tailor their agreements to be suitable for those businesses who have made the brave decision to put some of their operations into the public cloud in particular.

Chris Hoff, a network and information security architecture expert who currently serves as the Director of Cloud and Virtualization and Data Center Solutions at Cisco Systems stated in January, “Almost all of the cloud providers I have spoken to are being absolutely hammered by customers acting on their ‘right to audit’ clauses in contracts. This is a change in behavior. Most customers have traditionally not acted on these clauses as they used them more as contingency/insurance options. With the uncertainty relating to confidentiality, integrity and availability of cloud services, this is no more. Cloud providers continue to lament that they really, really want a standardized way of responding to these requests.”

Compliance and auditing over time could mean that the ever-so attractive cloud pricing models that have brought some on board already could start to increase as cloud vendors keep pace with the staffing and support required to contend with their end of agreements.

The ultimate question becomes to what degree will compliance alone negate the benefits of using clouds in the first place? And moreover, why should firms bother with clouds when they have much bigger metaphorical fish to fry?

For more on the regulatory environment for another sector that this is of particular importance to, the life sciences industry, check out some of the more recent posts from Bruce Maches.

Subscribe to HPCwire's Weekly Update!

Be the most informed person in the room! Stay ahead of the tech trends with industy updates delivered to you every week!

Microsoft Wants to Speed Quantum Development

December 12, 2017

Quantum computing continues to make headlines in what remains of 2017 as tech giants jockey to establish a pole position in the race toward commercialization of quantum. This week, Microsoft took the next step in advanci Read more…

By Tiffany Trader

ESnet Now Moving More Than 1 Petabyte/wk

December 12, 2017

Optimizing ESnet (Energy Sciences Network), the world's fastest network for science, is an ongoing process. Recently a two-year collaboration by ESnet users – the Petascale DTN Project – achieved its ambitious goal t Read more…

HPC-as-a-Service Finds Toehold in Iceland

December 11, 2017

While high-demand workloads (e.g., bitcoin mining) can overheat data center cooling capabilities, at least one data center infrastructure provider has announced an HPC-as-a-service offering that features 100 percent fre Read more…

By Doug Black

HPE Extreme Performance Solutions

Explore the Origins of Space with COSMOS and Memory-Driven Computing

From the formation of black holes to the origins of space, data is the key to unlocking the secrets of the early universe. Read more…

HPC Iron, Soft, Data, People – It Takes an Ecosystem!

December 11, 2017

Cutting edge advanced computing hardware (aka big iron) does not stand by itself. These computers are the pinnacle of a myriad of technologies that must be carefully woven together by people to create the computational c Read more…

By Alex R. Larzelere

Microsoft Wants to Speed Quantum Development

December 12, 2017

Quantum computing continues to make headlines in what remains of 2017 as tech giants jockey to establish a pole position in the race toward commercialization of Read more…

By Tiffany Trader

HPC Iron, Soft, Data, People – It Takes an Ecosystem!

December 11, 2017

Cutting edge advanced computing hardware (aka big iron) does not stand by itself. These computers are the pinnacle of a myriad of technologies that must be care Read more…

By Alex R. Larzelere

IBM Begins Power9 Rollout with Backing from DOE, Google

December 6, 2017

After over a year of buildup, IBM is unveiling its first Power9 system based on the same architecture as the Department of Energy CORAL supercomputers, Summit a Read more…

By Tiffany Trader

Microsoft Spins Cycle Computing into Core Azure Product

December 5, 2017

Last August, cloud giant Microsoft acquired HPC cloud orchestration pioneer Cycle Computing. Since then the focus has been on integrating Cycle’s organization Read more…

By John Russell

GlobalFoundries, Ayar Labs Team Up to Commercialize Optical I/O

December 4, 2017

GlobalFoundries (GF) and Ayar Labs, a startup focused on using light, instead of electricity, to transfer data between chips, today announced they've entered in Read more…

By Tiffany Trader

HPE In-Memory Platform Comes to COSMOS

November 30, 2017

Hewlett Packard Enterprise is on a mission to accelerate space research. In August, it sent the first commercial-off-the-shelf HPC system into space for testing Read more…

By Tiffany Trader

SC17 Cluster Competition: Who Won and Why? Results Analyzed and Over-Analyzed

November 28, 2017

Everyone by now knows that Nanyang Technological University of Singapore (NTU) took home the highest LINPACK Award and the Overall Championship from the recently concluded SC17 Student Cluster Competition. We also already know how the teams did in the Highest LINPACK and Highest HPCG competitions, with Nanyang grabbing bragging rights for both benchmarks. Read more…

By Dan Olds

Perspective: What Really Happened at SC17?

November 22, 2017

SC is over. Now comes the myriad of follow-ups. Inboxes are filled with templated emails from vendors and other exhibitors hoping to win a place in the post-SC thinking of booth visitors. Attendees of tutorials, workshops and other technical sessions will be inundated with requests for feedback. Read more…

By Andrew Jones

US Coalesces Plans for First Exascale Supercomputer: Aurora in 2021

September 27, 2017

At the Advanced Scientific Computing Advisory Committee (ASCAC) meeting, in Arlington, Va., yesterday (Sept. 26), it was revealed that the "Aurora" supercompute Read more…

By Tiffany Trader

NERSC Scales Scientific Deep Learning to 15 Petaflops

August 28, 2017

A collaborative effort between Intel, NERSC and Stanford has delivered the first 15-petaflops deep learning software running on HPC platforms and is, according Read more…

By Rob Farber

Oracle Layoffs Reportedly Hit SPARC and Solaris Hard

September 7, 2017

Oracle’s latest layoffs have many wondering if this is the end of the line for the SPARC processor and Solaris OS development. As reported by multiple sources Read more…

By John Russell

AMD Showcases Growing Portfolio of EPYC and Radeon-based Systems at SC17

November 13, 2017

AMD’s charge back into HPC and the datacenter is on full display at SC17. Having launched the EPYC processor line in June along with its MI25 GPU the focus he Read more…

By John Russell

Nvidia Responds to Google TPU Benchmarking

April 10, 2017

Nvidia highlights strengths of its newest GPU silicon in response to Google's report on the performance and energy advantages of its custom tensor processor. Read more…

By Tiffany Trader

Japan Unveils Quantum Neural Network

November 22, 2017

The U.S. and China are leading the race toward productive quantum computing, but it's early enough that ultimate leadership is still something of an open questi Read more…

By Tiffany Trader

GlobalFoundries Puts Wind in AMD’s Sails with 12nm FinFET

September 24, 2017

From its annual tech conference last week (Sept. 20), where GlobalFoundries welcomed more than 600 semiconductor professionals (reaching the Santa Clara venue Read more…

By Tiffany Trader

Google Releases Deeplearn.js to Further Democratize Machine Learning

August 17, 2017

Spreading the use of machine learning tools is one of the goals of Google’s PAIR (People + AI Research) initiative, which was introduced in early July. Last w Read more…

By John Russell

Leading Solution Providers

Amazon Debuts New AMD-based GPU Instances for Graphics Acceleration

September 12, 2017

Last week Amazon Web Services (AWS) streaming service, AppStream 2.0, introduced a new GPU instance called Graphics Design intended to accelerate graphics. The Read more…

By John Russell

Perspective: What Really Happened at SC17?

November 22, 2017

SC is over. Now comes the myriad of follow-ups. Inboxes are filled with templated emails from vendors and other exhibitors hoping to win a place in the post-SC thinking of booth visitors. Attendees of tutorials, workshops and other technical sessions will be inundated with requests for feedback. Read more…

By Andrew Jones

EU Funds 20 Million Euro ARM+FPGA Exascale Project

September 7, 2017

At the Barcelona Supercomputer Centre on Wednesday (Sept. 6), 16 partners gathered to launch the EuroEXA project, which invests €20 million over three-and-a-half years into exascale-focused research and development. Led by the Horizon 2020 program, EuroEXA picks up the banner of a triad of partner projects — ExaNeSt, EcoScale and ExaNoDe — building on their work... Read more…

By Tiffany Trader

Delays, Smoke, Records & Markets – A Candid Conversation with Cray CEO Peter Ungaro

October 5, 2017

Earlier this month, Tom Tabor, publisher of HPCwire and I had a very personal conversation with Cray CEO Peter Ungaro. Cray has been on something of a Cinderell Read more…

By Tiffany Trader & Tom Tabor

Tensors Come of Age: Why the AI Revolution Will Help HPC

November 13, 2017

Thirty years ago, parallel computing was coming of age. A bitter battle began between stalwart vector computing supporters and advocates of various approaches to parallel computing. IBM skeptic Alan Karp, reacting to announcements of nCUBE’s 1024-microprocessor system and Thinking Machines’ 65,536-element array, made a public $100 wager that no one could get a parallel speedup of over 200 on real HPC workloads. Read more…

By John Gustafson & Lenore Mullin

Flipping the Flops and Reading the Top500 Tea Leaves

November 13, 2017

The 50th edition of the Top500 list, the biannual publication of the world’s fastest supercomputers based on public Linpack benchmarking results, was released Read more…

By Tiffany Trader

Intel Launches Software Tools to Ease FPGA Programming

September 5, 2017

Field Programmable Gate Arrays (FPGAs) have a reputation for being difficult to program, requiring expertise in specialty languages, like Verilog or VHDL. Easin Read more…

By Tiffany Trader

IBM Begins Power9 Rollout with Backing from DOE, Google

December 6, 2017

After over a year of buildup, IBM is unveiling its first Power9 system based on the same architecture as the Department of Energy CORAL supercomputers, Summit a Read more…

By Tiffany Trader

  • arrow
  • Click Here for More Headlines
  • arrow
Share This