Once a company is in the cloud, there is a concern with how the cloud provider will help them remain in compliance with the laws, such as Europe’s GDPR or HIPAA in the U.S. Of course, this discussion should not start after the cloud service has been established, but rather, from the very beginning of discussions.
Businesses sometimes find themselves in the cloud long before they planned on it, though, which does complicate things. One of the core tenants of the cloud is that there should be a self-service interface so it is easy for the customer to set up, change, and exit from cloud services. What is not clear, however, is who at the customer’s business will do this. As it turns out, it could be anyone today. All that is needed is that corporate credit card, and a department can be off to the races and putting their data in the cloud. The term for this is not new; it is shadow IT. This term is getting a lot of use these days because of the cloud.
Governance is the oversight that is provided to a business by the senior executives and the board of directors. Cloud governance is an extension of that oversight into the cloud. Governance is critical; without it, there are too many unanswered questions about a business’ goals and objectives that make managing a cloud and its security very difficult. Before a company ever gets into a cloud, it should consider what those goals and objectives are. They should be guided by the laws, regulations, and contracts with which they must comply. Beyond the legal aspects, cloud governance directs the employees down the correct path to assist the company in achieving its goals and objectives. If the cloud complicates that by preventing users from getting their job done or if it lands a company in court, then there were major mistakes made. Care must be given to the cloud from the board of directors and the executive management of the company.
The first topic of any compliance discussion is the law. Businesses and their lawyers need to address what laws must be followed and should be clear about the consequences of non-compliance. Once the laws are identified, a relevant question is: What security controls do we need to have in place in order to comply with the applicable laws and regulations?
Regulations such as EU GDPR require a great deal of security regarding personal information. EU GDPR also has very specific constraints on where data covered by the regulation can be processed and stored. This is a potential issue with the cloud because of how technology works; however, controls can be put in place with most cloud providers to satisfy the regulations requirements.
Contracts define a formal agreement between two or more parties. When a company enters into a contract, they are obligated to live up to its terms. Failure to do so could result in severe financial penalties. An organization that processes or stores credit card information likely has an agreement with credit card companies that require them to implement specific elements of the Payment Card Industry-Data Security Standard (PCI-DSS). In order to process credit cards, a business signs an agreement in which they promise to fulfill the 12 security requirements of the standard. The level to which the requirements must be implemented depends on the number of transactions processed a year.
A business should also look to see if any of their contracts with their customers change what they can or cannot do with the cloud. Is there any impact on compliance if they utilize a cloud of any flavor—public, private, community, etc.?
Many businesses utilize standards, such as ISO 27001 or NIST SP 800-53, as a foundation for implementing security controls. If a business has decided to use ISO 27001 as its standard (and it is a decision), then they need to train their employees so the proper controls will be put in place. These do extend to the cloud. In fact, ISO has isolated the controls that are specific to the cloud and addressed them in ISO 27017.
One way to assess the level of compliance with laws, regulations, and contracts is to have an audit. There are internal and external audits. An internal audit, completed by the business’ own auditors, provides a self-assessment to determine its level of compliance; however, an internal audit can be viewed as skewed in its results since the auditors could be biased in their conclusions. To provide a more objective opinion, a business may be audited by an independent third party audit firm. The audits that we want to discuss regarding the cloud are those done by the cloud provider.
Most cloud providers would not welcome their customers into their data centers to do their own audit, so we rely on the independent third-party audits.
The result of an audit would be found within the audit report. The reports are standardized by the American Institute of Certified Public Accountants (AICPA). All businesses should ask for the SOC 2® audit report. A SOC 2® report is for service organizations, such as cloud providers. It shows their compliance with controls that are defined in ISO 27001 or NIST Cybersecurity Framework (CSF), for example. The controls are assessed against AICPA’s five trust services criteria, which are:
- Processing Integrity
These reports could be either a type 1 or type 2. A type 1 report shows the status of the controls at a moment in time and that the controls are designed and installed at some level of suitability. A type 2 report shows the controls’ operational effectiveness over a period of time, say, six months.
A cloud customer should ask for these reports, but it is possible that the cloud provider may not be inclined to provide them because they may potentially contain sensitive information about their business. Another option is a SOC 3®, intended as a general use report. It contains very little information regarding the cloud provider’s business; instead, it effectively gives the customer the auditor’s seal of approval (or not) of the cloud provider.