Is Compliance in the Cloud Possible?

The type of cloud computing service and the deployment model have impacts beyond security and compliance

There is no doubt that cloud computing is dominating today's IT conversation among C-level security executives. Whether it's due to the compelling cost saving possibilities in a tough economy, or because of perceived advantages in provisioning flexibility, auto-scaling, and on-demand computing, CSOs are probing the capabilities, costs and restrictions of the cloud. At the same time, security and compliance concerns are at the forefront of issues potentially holding large enterprises back from capitalizing on the benefits that cloud computing has to offer.

Some of the most frequently asked questions among CSOs today about the cloud include: "Is using cloud computing services advisable for applications and data that are subject to compliance requirements? Is compliance in the cloud even possible? And what standards are in place already to avoid the stormier implications of cloud?"

Not surprisingly, any answer to these questions right now has to start with "It depends...."

Coming to a meaningful answer requires an understanding of the context in which the question is asked. The kind of cloud service under consideration (public or private; IaaS, PaaS, or SaaS) matters greatly in meeting compliance requirements. The individual compliance regulations and their specific requirements are also key to understanding whether compliance can be achieved in a cloud computing deployment. This article examines the closely related compliance challenges that organizations face when contemplating cloud computing.

"The Cloud"

Blanket statements regarding compliance and cloud computing aren't possible, because there is no such thing as "the cloud". There are a number of different types of cloud computing services, and there are varying types of cloud infrastructures that can be created for single enterprises, and for groups of similar organizations.

A recent NIST definition of cloud computing (published as a .doc) recognizes three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Alongside these, NIST describes four deployment models: private cloud, community cloud, public cloud and hybrid cloud.

The different service models and deployment models allow varying degrees of customer control, and place different obligations and responsibilities upon both customers and service providers with respect to security and compliance. In private clouds, for example, the organization building them is free to apply whatever set of controls they see fit.

In public, community, or hybrid clouds, the customer organization does not typically have this degree of control. In addition, the control and flexibility afforded to the customer by an IaaS service is generally far greater than that of a SaaS service. That greater flexibility brings a correspondingly greater share of responsibility for security and compliance: in IaaS the customer owns the configuration of everything from the guest operating system upward, whereas in SaaS nearly the whole control stack belongs to the provider.

The type of cloud computing service and the deployment model have impacts beyond security and compliance. A recent whitepaper from the Jericho Forum entitled Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration (PDF) identifies other critical dimensions for analyzing the security of cloud computing: internal/external; perimeterised/de-perimeterised; proprietary/open; and outsourced/insourced. Some of these dimensions bring additional concerns such as vendor lock-in, portability of data and applications, interoperability, data privacy, and data repatriation. They also affect the capability of a given cloud formation to satisfy compliance obligations.

While many of the benefits of cloud computing apply across different cloud service models and deployment types, the ability of the various kinds of cloud computing to address security concerns and to meet compliance obligations varies widely. For private clouds, building controls into the cloud that are necessary to enable compliance is fairly straightforward. For public cloud services, however, compliance is a more challenging endeavor.

Compliance Regulations and Cloud Computing Services

Another significant consideration when thinking about compliance and cloud computing are the specific laws and regulations, and the related regulatory guidance and requirements that affect an organization.

For some of the key compliance regulations, including HIPAA, GLBA, and PCI DSS, careful analysis of the specific requirements is required, along with a solid understanding of the security controls put in place by the cloud service provider. Herein lies a challenge, as many public cloud service providers are not very transparent in providing information to their customers describing the specific security controls deployed.

This means that organizations considering using cloud services should perform a gap analysis between the specific requirements identified in relevant regulations, and the set of controls provided by the cloud service provider. For IaaS cloud services, customers may be able to close gaps by deploying specific security controls on their virtual infrastructure.

For example, customers can install host-based firewalls and anti-malware software inside their IaaS virtual machine instances to satisfy compliance (and security) requirements that the provider's infrastructure does not cover. In the case of SaaS cloud services, customers generally have far less ability to implement specific security controls, and must instead rely on the set of controls delivered by the cloud service provider.

It is also worth noting that many compliance requirements can only be satisfied by reassessing the control state of the cloud service at defined intervals. For example, PCI DSS requires quarterly internal and external vulnerability scans of in-scope systems (the external scans performed by an Approved Scanning Vendor). Even running those scans against a public cloud service may be an issue, as some providers' contract language limits or prohibits customer-initiated scanning of their infrastructure. That restriction should be found and resolved in the contract before in-scope systems are migrated, not at the first quarterly deadline.
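The cadence requirement in the preceding paragraph is easy to state and easy to miss in practice. The following script is an added example, not part of the original article, of the kind of evidence check a customer can run over its own scan records before an assessor does. It assumes a 90-day maximum interval as the operational reading of "quarterly", counts only passing scans as evidence (a failed scan does not satisfy the requirement), and uses constructed sample records for three hypothetical hosts.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample scan evidence (hypothetical hosts, not from the article):
# one tuple per completed scan: (host, scan date, result).
SCAN_RECORDS = [
    ("web-01", date(2009, 1, 10), "pass"),
    ("web-01", date(2009, 4, 5), "pass"),
    ("web-01", date(2009, 7, 1), "pass"),
    ("web-01", date(2009, 9, 20), "pass"),
    ("db-01", date(2009, 1, 12), "pass"),
    ("db-01", date(2009, 6, 30), "pass"),   # 169 days after the previous pass
    ("db-01", date(2009, 9, 25), "fail"),   # failing scan: not evidence of compliance
    ("db-01", date(2009, 10, 2), "pass"),   # outside the assessment window
]

# Assumed list of in-scope hosts; app-01 has no scan records at all.
IN_SCOPE_HOSTS = ["web-01", "db-01", "app-01"]

# Assumed assessment window for the example.
WINDOW_START = date(2009, 1, 1)
WINDOW_END = date(2009, 9, 30)


def cadence_gaps(records, in_scope, window_start, window_end, max_interval_days=90):
    """Return {host: [problem, ...]} for every in-scope host that lacks a passing
    scan at least every max_interval_days across the window. Hosts that meet the
    cadence are omitted from the result."""
    max_gap = timedelta(days=max_interval_days)

    # Keep only passing scans that fall inside the window, grouped by host.
    passing = defaultdict(list)
    for host, when, result in records:
        if result == "pass" and window_start <= when <= window_end:
            passing[host].append(when)

    problems = {}
    for host in in_scope:
        dates = sorted(passing.get(host, []))
        issues = []
        if not dates:
            issues.append("no passing scan in window")
        else:
            # Walk the timeline: the window start, each passing scan, the window end.
            prev = window_start
            for scan_date in dates:
                if scan_date - prev > max_gap:
                    issues.append(f"{(scan_date - prev).days}-day gap before {scan_date}")
                prev = scan_date
            if window_end - prev > max_gap:
                issues.append(
                    f"last passing scan {prev} is {(window_end - prev).days} days before window end"
                )
        if issues:
            problems[host] = issues
    return problems


def run_example():
    """Evaluate the constructed records against the assumed window."""
    return cadence_gaps(SCAN_RECORDS, IN_SCOPE_HOSTS, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for host, issues in run_example().items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

On the sample data, web-01 is clean, db-01 is flagged twice (the 169-day gap in the first half of the year and the 92 days between its last passing scan and the window end), and app-01 is flagged for having no evidence at all. The same walk over the timeline applies to any periodic control, for example log reviews or access recertifications, by changing the interval.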

The Cloud Security Alliance's forthcoming version 2 guidance will provide extensive discussion of compliance and audit concerns related to cloud computing, along with many other areas of security concern.

Conclusions and Guidance

Using cloud computing services for data and applications subject to compliance regulations requires a high degree of openness and transparency on the part of the cloud service provider. Customer organizations considering the use of cloud services need to think through which use cases make sense today, closely review contracts and service level agreements, and understand in detail which compliance requirements are met (and which are not) by the cloud service. They should also insist on "right to audit" clauses and general transparency about the controls in use.

Perhaps in the future cloud services will emerge that are tailored to meet the compliance requirements of specific regulations and industries, but for now--caveat emptor!

Jim Hietala, CISSP, GSEC, is Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities. He was co-leader of the group that developed the compliance and audit content for the forthcoming Cloud Security Alliance version 2 guidance. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He blogs at
