Although businesses have a high level of control and customization with private clouds, using services on a public or hybrid cloud present compliance challenges. Cloud service providers (CSPs), however, have begun to see real value in helping customers achieve compliance, and processes are improving. But if you are looking to move data to the cloud–data that must meet compliance regulations—you still have your work cut out for you.
For me to comply, I need you to comply
Until recently, cloud providers focused on providing data storage and cloud services with some security provisions. The onus was on cloud customers to meet regulatory requirements or ensure that CSPs complied with regulations to protect data.
The good news is that things are changing. Not only are certain public cloud providers paying more attention to helping customers achieve compliance, but the regulatory agencies and standards bodies have recognized the value and popularity of cloud services. New guidelines and compliance updates are spelling out safe use of the cloud.
For example, additions made to the Health Insurance Portability and Accountability Act (HIPAA) in 2013 designate CSPs as business associates of covered entities, which means that CSPs must also be HIPAA compliant. The PCI Security Standards Council, the organization behind the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard recently published a detailed document that addresses cloud use in a PCI context.
When researching CSPs, look for one with a standards-based cloud environment and a security program that meet the same regulatory policies and procedures you must comply with. Be sure to check the contract and service level agreement language carefully to determine how the provider meets cloud compliance requirements. Ideally, the CSP should be able to validate that they meet compliance requirements or standards, and can and will prove it in an audit.
Tip: Your CSP should have a security professional on staff who's responsible for matching the CSP's offerings with PCI DSS, HIPAA and other regulatory requirements.
Where in the world is the data center?
One of the major hurdles in maintaining compliance in the cloud is simply knowing where your data is located. During an audit, you need to prove the location of your data along with the measures that are in place to protect it.
Read more: How to Write an Information Security Policy
Be sure to ask prospective CSPs for documentation that shows the location of their servers, which should be in the United States, according to many regulations and standards. If a CSP isn't willing to divulge that information, move on to another prospect. Even if a regulation doesn't require that a server resides in the U.S., a server in a foreign country may be subject to the laws of that foreign government, which can present privacy issues. As a workaround for PCI DSS compliance, some CSPs offer tokenization, which replaces credit card data with random numbers, or tokens.”Tokenization is handled by a PCI-compliant payment processor, while non-PCI data is handled by the CSP.
Access control is key
Much of the heavy-lifting in regulatory IT compliance comes from ensuring that proper controls are in place over system and data access. During an audit, an organization must be able to prove the level of access that each user has and how those levels are maintained. Therefore, it's crucial for a CSP to have sound access controls in place and to implement them properly.
Ask prospective CSPs if they are willing and able to prove that they implement separation of duties for administrative functions, can provide documentation showing which users had access to a system and when, and what each user could access. This information is important to comply with many different regulations, including the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect the security and confidentiality of customers' non-public personal information.
Encrypt data at rest and in motion
One of the security issues associated with CSPs is multitenancy. To keep costs down, many CSPs use a multitenant architecture in which several customers share a virtual instance of a software application. With this type of architecture, the CSP must be able to prove the security measures that prevent one customer from accessing another customer’s data. However, any data stored or passing through a cloud service should be encrypted to meet most compliance requirements.
If the CSP applies encryption, find out what type of encryption they use, and how and when it's applied. Don't assume that the CSP is fully responsible for data encryption, though. You're ultimately responsible for the protection of data in motion and data at rest. The CSP is merely providing a service to help you meet those requirements. Some organizations store data in their on-premises data center and use the cloud for additional storage or processing. In those cases, it's often best to encrypt data in the data center before it hits the wire.
Note: Per HIPAA requirements, data stored on hard drives (including those of a CSP) must be encrypted, in addition to backup copies, and each drive must be accounted for at all times.
Your CSP, your partner
There's a lot of competition in the cloud services industry. With pay-as-you-go prices already very affordable, CSPs need to promote other features to make themselves more attractive and earn your business. One way is to become a partner to your organization, an extension of your IT department. In doing so, it's worth your time to learn about the CSP's security processes, incident response and disaster recovery procedures, how issues are escalated, how they handle log files and the like.
Application design, monitoring, incident response and disaster recovery are important considerations as well. Be sure to address them with any prospective CSP. Even with your best due diligence efforts, regulatory policies will change over time and force you to reexamine your IT infrastructure and future plans. Be sure to include your security team in any policy or procedure modifications, and good luck with your cloud initiative.
This story, "Your guide to compliance in the cloud" was originally published by CIO.