In heavily regulated industries like health care and banking, misuse of sensitive data has partly led to comprehensive regulatory regimes that make embracing data storage in the cloud difficult. After all, industries like health care and financial services frequently deal with large quantities of highly sensitive personal data; cloud providers routinely move data between their various centers. It can therefore be difficult to know which data center holds which data at any point in time.
But as we discuss in a post at GigaOM Pro, regulated industries can certainly make use of existing cloud solutions, and existing examples prove as much.
CloudAudit (discussed in a recent podcast with George Reese, CTO of Minneapolis-based cloud management firm enStratus) is one industry solution for data-sensitive industries. The process, still in development, helps cloud computing providers self-certify their data centers by providing consistent descriptions of the capabilities, accreditations and features of their centers. The hope is that prospective customers will more easily be able to compare the offerings of different providers.
In health care, the United States’ Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the handling of personally identifiable health data. Amazon is one cloud provider that claims its services meet HIPAA’s stringent requirements for storage and processing of data. Case studies with healthcare service providers like MedCommons provide real-world examples of success in storing data with Amazon.
No one is seriously suggesting a bank or hospital migrate all of its IT to a public cloud, but taking the time to segment existing data and workflows lets customers make effective use of complementary solutions. Here are the four broad categories where cloud technologies could help regulated industries:
- Commodity public cloud. This is typically the cheapest cloud resource, suitable for non-sensitive data. Service level agreements (SLAs) are weak or non-existent, and the security guarantees are correspondingly thin. The most basic cloud offerings from the likes of Amazon and Rackspace fill this niche.
- External private cloud. Hosted in an external data center but with additional physical and virtual security measures, the external private cloud will typically offer stronger SLAs and contractual protections at a higher cost. It is suitable for some sensitive data and workflows.
- External niche cloud. This is a more expensive option. The external niche cloud is probably audited, and suitable for most sensitive data. It’s intended to meet the particular requirements of an industry like financial services, health care or government. The external niche cloud can be optimized to comply with specific regulations, reduce latency, increase redundancy or meet other legal, technical or business requirements.
- Internal cloud. If suitably secured and managed, this is ideal for keeping the most sensitive or valuable data in-house. It involves the adoption of cloud computing methods such as virtualization and elasticity within the existing enterprise data center. These internal clouds are normally only effective at delivering cost and efficiency savings when deployed at significant scale.
Prospective cloud customers need to understand their data and what they wish to achieve with it. Rather than treating all of it the same, effective use of different cloud solutions will require an initial effort to segment data according to criteria like sensitivity and speed of change. Detailed and personally identifiable patient records are far less suitable for processing on a public cloud than a set of anonymized statistics. By identifying and experimenting with discrete sets of “safe” data, even customers in the most heavily regulated industries can begin to explore the costs and benefits of bringing cloud computing into their regular workflow.
Read the full post here.