Cloud computing is being widely adopted by many businesses, however, for some organisations, one of the perceived barriers is the multitude of data regulation. Highly regulated industries such as finance and healthcare have a multitude of laws and rules governing data.
For these industries, data ownership is a highly sensitive and extremely important issue which makes implementing cloud technology complex and difficult. For those wanting to take advantage of the benefits of cloud computing, could the answer lie in creating a vertical or community cloud?
A vertical cloud would be a public cloud developed and delivered with regulations and compliance geared towards a particular sector. For example, a dedicated healthcare cloud could be created which followed the UK laws regarding patient data.
If they used a vertical cloud it would be quicker and easier for organisations to account for data handling and adhere to regulations. Additionally, it would be easier to standardise audits so that customers of the 'community' or vertical cloud could rely on one audit rather than each have to carry out individual audits themselves. This approach would decrease security risk and cost.
So, how would a vertical cloud be created, and who would monitor it? An industry body or collective who works with each industry would be highly suitable. For example the Quality Care Commission, one of the UK Government bodies responsible for healthcare regulation would be suitable as it has in depth knowledge of what is needed for IT regulation in the healthcare industry.
As regulatory bodies for the UK's financial services providers, the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) would be well placed to oversee the creation of a vertical cloud in this sector.
In order to develop the cloud, members of the industry body would need to decide on what regulations should be 'built into' the cloud. For example should the vertical cloud focus on just the UK regulations? Of course EU regulations would also have to be taken into account along with any international rules or laws specific to that sector, for example the US regulation HIPAA which has a global remit.
This stage of development would need to be completed in conjunction with cloud providers in order to ascertain what would be technically possible. It could lead to certain providers specialising in delivering cloud solutions for one sector. This would provide reassurance for customers and potential customers that the cloud provider is compliant specifically for their sector.
A vertical cloud is a feasible option if industry bodies, service providers and key potential customers work together to create it. Knowledge sharing would be key to creating a successful vertical cloud and would benefit customers and services providers alike.
If this was achieved it could significantly accelerate cloud adoption and reverse the current situation where highly regulated industries avoid widespread use of cloud because of regulatory concern. In the future, rather than choosing to keep such services in-house, using a specialised cloud services provider could become the preferred route for some industries to comply with a web of regulation.
These suggestions are considerations at this stage, but a vertical cloud is an option. Highly regulated industries could do well to seriously consider this approach and start to drive discussion in their industry in order to make it a reality.
- Ali Parvin has 20 years experience in the legal field, working as a solicitor at a law firm as well as in-house and is now Senior Legal Counsel at Dell.