The CaaS Cloud; Security and Compliance

Thinking about CaaS, Communications as a Service, communications in the cloud? Have you considered the security and compliance issues? What about even defining what CaaS is for communications? SaaS, Software as a Service, is the umbrella term; CaaS is a subset. Both can be called cloud offerings. This is a form of outsourcing, but not quite the same definition. In fact, there are about two dozen competing definitions for SaaS. There will be multiple definitions for CaaS as well.

The value of CaaS or cloud communications is that the enterprise accesses the services through the Internet to gain use of managed technology services. The enterprise does not buy hardware or software (in reality the enterprise still needs endpoints and some internal network to reach the services). The use of a pool of servers, either dedicated or shared, is a form of virtualization.

The services, e.g. communications, would be delivered as a standardized set of features and functions. The enterprise would purchase or subscribe to the necessary features. The financial arrangements for access (by the seat, by the feature, by usage or unlimited usage, flat fee) are still being developed. There is no consistent business model yet. The promise is lower cost to the enterprise.

An article posted by Wired, "In Legal First, Data-Breach Suit Targets Auditor," by Kim Zetter on June 2, 2009, started me thinking about the security and compliance issues already faced by enterprises. What would the issues be if a cloud communications service provider were involved in a security/compliance breach?

Back in 2005, CardSystems Solutions exposed 40 million credit and debit card accounts. They failed to fully secure their network. The greater problem was that CardSystems had been certified as secure under the "Payment Card Industry (PCI) Data Security Standard (PCI DSS), Validation Requirements." I took a look at the PCI DSS Validation Requirements Version 1.1a (pdf), April 2008, to see what it included. The document is directed to Qualified Security Assessors (QSA), the people who perform the certifications. It defines these four parts:

1. QSA business requirements, which cover the minimum business requirements that must be met by the QSA company

2. QSA capability requirements, which review the information and documentation necessary to demonstrate security expertise

3. QSA administrative requirements, on the logistics of doing business, including background checks, procedure adherence, quality assurance and information protection

4. QSA initial qualification and annual maintenance, which outline the re-qualification process

The standard is impressive and thorough. This version was not in place when the 2005 security breaches occurred. The issue is not the standard, but adherence to the standard and how compliance with the standard is ensured. If the auditor (in this case, the QSA) does not do their job properly, then whom do you trust?

Merrick Bank is suing Savvis, the managed service provider that certified CardSystems' compliance. The lawsuit alleges that Savvis did not do its job and was negligent, and therefore bears responsibility. Who is at fault, Savvis or CardSystems or both? For the bank or any enterprise, the breach occurred and damage was caused. You decide whom to blame.

Now take this situation and relate it to communications performed in the cloud. There are already many problems, and many offered solutions, for e-mail compliance and security issues. Extend these problems to voicemail, Instant Messaging (IM), chat and conferencing, and the problems explode. Then move into a total Unified Communications service in the cloud and you can see the problems continuing for many years. The e-discovery issues alone have broad implications. See my blogs, VoIP, E-Discovery and the Law and Planning for VoIP E-Discovery.

The implementation of the cloud services can be delivered in several forms:

* A complete service where the provider owns the hardware, software, network and staff that implements the service

* At the other end, the cloud can be a collection of dedicated or shared servers that run customer-owned software

* A cloud service provider owns the software but uses a third party's server environment

* An application software company running its software in a cloud server environment

Each of these scenarios produces security and compliance issues. Which organization is ultimately responsible? What are the agreements among the organizations? What happens when there is a breach? The more organizations that comprise the service offering, the more likely that the customer/cloud agreement will be weaker, with less protection for the customer. Everyone wants as much liability protection as possible.

Another issue is the ownership of the information in the cloud. Most enterprises would automatically expect the information passing through the cloud to be theirs and not the provider's. What about the information on the individual users? How about the traffic information that is sent and received? If presence is involved, can that presence information be sold to others? Will the cloud provider use its access to the customer's users to send out information created by third parties for the sale of products or services? Would the cloud provider be able to sell profile information on the customer's users? Google's Chrome was an attempt to do part of this; see my blog They Could Own Your Content: Google Chrome.

Auditors primarily verify that prescribed procedures and actions are implemented. They do not directly enforce compliance. They are reporters. Compliance remains the responsibility of the service holder.

When you sign up for a service that needs to be secure and meet compliance and/or regulatory requirements, read the fine print. You had better have your lawyers be very critical and precise in their review of the provider's responsibilities and liabilities, and of the liabilities the provider does not accept.

When you look for cloud features, start with the users and features that would be least likely to cause security and compliance problems, and gain some confidence before moving the rest.

I am not attacking the communications cloud idea. I want the customer to give security and compliance as much attention as the financial case, and not be sold only on the attractive financial hype that is now emerging.