Before a company moves into the cloud, it should establish how the cloud provider will help it remain in compliance with applicable law, such as Europe's General Data Protection Regulation (GDPR) or HIPAA in the U.S. That discussion belongs at the very beginning, not after the cloud service is already established.
Businesses sometimes find themselves in the cloud long before they planned to be, and that complicates things. One of the core tenets of the cloud is the self-service interface: it should be easy for the customer to set up, change, and exit from cloud services.
What is not clear, however, is who at the customer's business will do this. Today it could be anyone. All that is needed is a corporate credit card, and a department can be off to the races putting data in the cloud. The term for this is not new; it is shadow IT. The term is getting a lot of use these days precisely because of these characteristics of the cloud.
Governance is the oversight provided to a business by senior executives and the board of directors. Cloud governance is an extension of that oversight into the cloud. Governance is critical; without it, there are too many unanswered questions about business goals and objectives that make managing a cloud and its security very difficult.
Before a company ever gets into a cloud, it should consider what its goals and objectives are. The goals and objectives should be guided by applicable laws, regulations, and contracts. Beyond the legal aspects, cloud governance directs employees down the correct path to assist the company in achieving its goals and objectives.
Major mistakes can turn the cloud into an obstacle rather than an enabler, preventing users from getting their jobs done. Mistakes could even land a company in court. The board of directors and executive management must give the cloud care and attention.
The first topic in any compliance discussion is the law. Businesses and their lawyers need to address what laws must be followed. They must also be clear about the consequences of non-compliance. Once the laws are identified, it is important to ask which security controls need to be in place to comply with applicable laws and regulations.
Regulations such as the EU GDPR impose substantial security obligations for personal data. The GDPR also restricts transfers of personal data outside the European Economic Area (its Chapter V), which is a potential issue with the cloud because a provider may replicate or process data in regions the customer never chose. Most cloud providers, however, offer controls that can satisfy these requirements, such as region selection, data residency commitments, and standard contractual clauses in the service agreement.
Contracts define a formal agreement between two or more parties. When a company enters into a contract, it's obligated to live up to the terms. Failure to do so could result in severe financial penalties.
An organization that processes or stores credit card information almost certainly has an agreement with its acquiring bank or the card brands that requires it to comply with the Payment Card Industry Data Security Standard (PCI DSS).
To process credit cards, a business signs an agreement promising to fulfill the 12 security requirements of the standard. All 12 requirements apply to every entity that stores, processes, or transmits cardholder data; what depends on the number of transactions processed in a year is the merchant level, and with it how compliance must be validated, from a self-assessment questionnaire (SAQ) at the low end to an on-site assessment by a Qualified Security Assessor (QSA) at the high end. Moving cardholder data into the cloud does not remove these obligations: the cloud provider becomes a third-party service provider, and the split of PCI DSS responsibilities between customer and provider must be documented.
A business should also check whether any contracts with its customers limit what the company can or can't do with the cloud. Is there any impact on compliance if it uses a cloud of any flavor, public, private, community, or otherwise?
Many businesses use standards such as ISO/IEC 27001 or NIST SP 800-53 as a foundation for implementing security controls. If a business adopts ISO 27001 as its standard, it needs to implement the controls and train employees so that the controls actually operate as intended. These controls do extend to the cloud. In fact, ISO has isolated the controls that are specific to cloud services and addressed them in ISO/IEC 27017, with ISO/IEC 27018 covering the protection of personal data in public clouds.
One way to assess the level of compliance with laws, regulations, and contracts is to have an audit. Audits can be internal or external. An internal audit, completed by the business’ own auditors, provides a self-assessment to determine its level of compliance. The results of an internal audit can be viewed as skewed since the auditors could be biased in their conclusions.
To obtain a more objective opinion, a business may choose to be audited by an independent third-party audit firm. The audits discussed here regarding the cloud are audits of the cloud provider, performed by an independent firm that the provider engages.
Most cloud providers will not let customers into their data centers to conduct their own audits, so customers rely on these independent third-party audit reports instead.
The result of an audit is found in the audit report. For service organizations, such as cloud providers, the report formats are defined by the American Institute of Certified Public Accountants (AICPA). All businesses should ask for the SOC 2® audit report. A SOC 2® report describes the provider's own controls and the auditor's assessment of them against AICPA's Trust Services Criteria. A provider may include a mapping of those controls to frameworks such as ISO 27001 or the NIST Cybersecurity Framework (CSF), but the auditor's opinion is on the Trust Services Criteria, not on compliance with those frameworks. The five Trust Services Criteria categories are:
- Security (the common criteria, included in every SOC 2® report)
- Availability
- Processing integrity
- Confidentiality
- Privacy
These reports can be either a Type 1 or a Type 2. A Type 1 report describes the controls at a point in time and states whether they are suitably designed and implemented. A Type 2 report additionally covers the controls' operating effectiveness over a period of time, typically six to twelve months, and is the one that tells a customer whether the controls actually worked.
A cloud customer should ask for these reports, but the cloud provider may be reluctant to hand them over because they contain sensitive information about its business; in practice a SOC 2® report is usually released only under a non-disclosure agreement. When reading one, a customer should check the scope (which services and regions were covered), any exceptions the auditor noted, and the complementary user entity controls, which are the controls the report assumes the customer itself operates. Another option is a SOC 3®, intended as a general-use report. It contains very little information regarding the cloud provider's business; it effectively gives or withholds the auditor's seal of approval for the cloud provider.