Your guide to compliance in the cloud

You can ensure cloud compliance with PCI DSS, HIPAA and other regulatory requirements, but it takes investigation and persistence to get the answers and documentation you need to prove it.

Although businesses have a high level of control and customization with private clouds, using services on a public or hybrid cloud presents compliance challenges. Cloud service providers (CSPs), however, have begun to see real value in helping customers achieve compliance, and processes are improving. But if you are looking to move data to the cloud (data that must meet compliance regulations), you still have your work cut out for you.

For me to comply, I need you to comply

Until recently, cloud providers focused on providing data storage and cloud services with some security provisions. The onus was on cloud customers to meet regulatory requirements or ensure that CSPs complied with regulations to protect data.

The good news is that things are changing. Not only are certain public cloud providers paying more attention to helping customers achieve compliance, but the regulatory agencies and standards bodies have recognized the value and popularity of cloud services. New guidelines and compliance updates are spelling out safe use of the cloud.

For example, additions made to the Health Insurance Portability and Accountability Act (HIPAA) in 2013 designate CSPs as business associates of covered entities, which means that CSPs must also be HIPAA compliant. The PCI Security Standards Council, the organization behind the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard, recently published a detailed document that addresses cloud use in a PCI context.

When researching CSPs, look for one with a standards-based cloud environment and a security program that meets the same regulatory policies and procedures you must comply with. Be sure to check the contract and service level agreement language carefully to determine how the provider meets cloud compliance requirements. Ideally, the CSP should be able to validate that it meets compliance requirements or standards, and can and will prove it in an audit.

Tip: Your CSP should have a security professional on staff who's responsible for matching the CSP's offerings with PCI DSS, HIPAA and other regulatory requirements.

Where in the world is the data center?

One of the major hurdles in maintaining compliance in the cloud is simply knowing where your data is located. During an audit, you need to prove the location of your data along with the measures that are in place to protect it.


Be sure to ask prospective CSPs for documentation that shows the location of their servers, which should be in the United States, according to many regulations and standards. If a CSP isn't willing to divulge that information, move on to another prospect. Even if a regulation doesn't require that a server resides in the U.S., a server in a foreign country may be subject to the laws of that foreign government, which can present privacy issues. As a workaround for PCI DSS compliance, some CSPs offer tokenization, which replaces credit card data with random numbers, or tokens. Tokenization is handled by a PCI-compliant payment processor, while non-PCI data is handled by the CSP.
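To make the tokenization arrangement concrete, here is an added example (not code from the article or from any CSP or processor) of a hypothetical token vault on the processor's side and a guard that refuses to hand a record to the CSP while it still carries a card number. The vault, the `tok_` token format, and the sample order are all assumptions; the card number is the well-known 4111... test PAN, not real data.

```python
import hmac
import hashlib
import re
import secrets
import string
from typing import Any

# Constructed test card number (the well-known 4111... test PAN); not real data.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """True if pan is 13-19 digits and passes the Luhn checksum."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault on the PCI-compliant processor's side.

    The vault is the only place a PAN exists; everything handed to the CSP
    carries the token instead. The PAN-to-token index is keyed by an HMAC of
    the PAN so the plaintext PAN is stored once, not twice.
    """

    _ALPHABET = string.ascii_letters  # letters only: a token never looks like a PAN

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)
        self._token_to_pan: dict = {}
        self._hmac_to_token: dict = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid card number")
        idx = self._index(pan)
        if idx in self._hmac_to_token:  # same card -> same token
            return self._hmac_to_token[idx]
        while True:
            # Random body: the token cannot be reversed without the vault.
            body = "".join(secrets.choice(self._ALPHABET) for _ in range(16))
            token = f"tok_{body}_{pan[-4:]}"  # last four digits kept for receipts
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._hmac_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this; the CSP never holds the vault."""
        return self._token_to_pan[token]


def contains_pan(record: Any) -> bool:
    """Scan a record bound for the CSP for anything that looks like a live PAN."""
    if isinstance(record, dict):
        return any(contains_pan(v) for v in record.values())
    if isinstance(record, (list, tuple)):
        return any(contains_pan(v) for v in record)
    if isinstance(record, str):
        return any(luhn_valid(run) for run in re.findall(r"\d{13,19}", record))
    return False


def prepare_for_csp(vault: TokenVault, order: dict) -> dict:
    """Swap the PAN for a token and refuse to ship a record that still carries one."""
    safe = dict(order)
    safe["card"] = vault.tokenize(order["card"])
    if contains_pan(safe):  # catches PANs pasted into free-text fields too
        raise RuntimeError("record still contains card data; not sending to CSP")
    return safe


if __name__ == "__main__":
    vault = TokenVault()
    order = {"order_id": "A-1001", "amount": "42.00", "card": SAMPLE_PAN}  # constructed
    shipped = prepare_for_csp(vault, order)
    print("stored at CSP:", shipped)
    print("processor recovers:", vault.detokenize(shipped["card"]))
```

The point the guard makes for an audit is that the CSP-side record can be shown to carry no card data at all, so the CSP's storage stays out of PCI scope while the vault, which is the only component that can map a token back, remains with the PCI-compliant processor.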

Access control is key

Much of the heavy lifting in regulatory IT compliance comes from ensuring that proper controls are in place over system and data access. During an audit, an organization must be able to prove the level of access that each user has and how those levels are maintained. Therefore, it's crucial for a CSP to have sound access controls in place and to implement them properly.

Ask prospective CSPs whether they are willing and able to prove that they implement separation of duties for administrative functions, and whether they can provide documentation showing which users had access to a system, when they had it, and what each user could access. This information is important for complying with many different regulations, including the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect the security and confidentiality of customers' non-public personal information.


Encrypt data at rest and in motion

One of the security issues associated with CSPs is multitenancy. To keep costs down, many CSPs use a multitenant architecture in which several customers share a virtual instance of a software application. With this type of architecture, the CSP must be able to prove the security measures that prevent one customer from accessing another customer's data. In any case, any data stored in or passing through a cloud service should be encrypted to meet most compliance requirements.

If the CSP applies encryption, find out what type of encryption they use, and how and when it's applied. Don't assume that the CSP is fully responsible for data encryption, though. You're ultimately responsible for the protection of data in motion and data at rest. The CSP is merely providing a service to help you meet those requirements. Some organizations store data in their on-premises data center and use the cloud for additional storage or processing. In those cases, it's often best to encrypt data in the data center before it hits the wire.

Note: Per HIPAA requirements, data stored on hard drives (including those of a CSP) must be encrypted, in addition to backup copies, and each drive must be accounted for at all times.

Your CSP, your partner

There's a lot of competition in the cloud services industry. With pay-as-you-go prices already very affordable, CSPs need to promote other features to make themselves more attractive and earn your business. One way is to become a partner to your organization, an extension of your IT department. In doing so, it's worth your time to learn about the CSP's security processes, incident response and disaster recovery procedures, how issues are escalated, how they handle log files and the like.

Moving on

Application design, monitoring, incident response and disaster recovery are important considerations as well. Be sure to address them with any prospective CSP. Even with your best due diligence efforts, regulatory policies will change over time and force you to reexamine your IT infrastructure and future plans. Be sure to include your security team in any policy or procedure modifications, and good luck with your cloud initiative.

This story, "Your guide to compliance in the cloud" was originally published by CIO.


By Ed Tittel and Kim Lindros
