Cloud Security and Compliance Basics

In recent years, a growing number of organizations have been implementing cloud-based solutions to reap business efficiencies. But some companies worry about security and compliance. Regulated industries lack official guidance on issues such as how third parties should protect sensitive data.

 

Companies should begin the exploration of cloud services with the involvement of legal and security departments to properly address such issues. The corporate team should negotiate a strong contract when necessary, including provisions on testing and auditing the provider’s security policies and compliance protocols.

 

Before entering into any contractual arrangement, however, it is important to properly scrutinize the exact nature of the cloud services offered. Is the data to be stored in only one location or does the company have multiple data center sites, for example?

 

Another issue is where the data centers are located. The location of data centers can have significant consequences, according to a recent Forrester Research report on cloud security compliance. Depending on whether they are in Europe or in the United States, for example, different legal issues will arise.

 

Companies also need to understand that with cloud computing, data and programs are separated from a company’s infrastructure and security controls. For this reason, the company needs to be clear about the compliance requirements of any data it might send to the cloud and to only send such data if the provider can meet those requirements, says Ted Julian, a principal analyst at the Yankee Group. Companies should also explore the key security issues that can arise with the different kinds of cloud services. Many Software as a Service (SaaS) providers, for example, are likely to provide adequate controls all the way from the infrastructure to the application and data layers.

 

Infrastructure as a Service (IaaS) vendors, on the other hand, are more likely to offer stronger data center, server, and network protection, according to the report. They may be less likely to assist with data-level compliance, for example, in cases involving the geographic restriction of data transfers. With IaaS, users may need to take additional responsibility for data- and application-layer security and compliance.

 

Some major security-related industry standards and guidelines, such as the Payment Card Industry Data Security Standard (PCI-DSS), do not address cloud services, so there’s not a clear baseline for vendors to follow or for client companies to use as a benchmark to assess performance. But users can look for basic PCI-DSS-related protections. For IaaS, this would likely include protecting the data center, using network firewalls, and conducting regular security audits, according to the Forrester report.

 

More guidance is provided by the Health Information Technology for Economic and Clinical Health (HITECH) Act, meant to compliment the Health Insurance Portability and Accountability Act, Forrester notes. HITECH requires, for example, that sensitive healthcare data be encrypted at rest and in transit. Some cloud-service providers offer customers an encrypted data form field.

 

Newer ways of gauging vendor security also appear to be developing from industry groups. In November, the Cloud Security Alliance (CSA), which has more than 60 vendor and other industry members, introduced a new set of tools to help with cloud-based governance, risk, and compliance (GRC), called the “GRC Stack.” One of its components is a solution called CloudAudit. Based on security and compliance best practices identified by CSA, it largely aims to help cloud vendors automatically report audits, assessments, and the presence of strong security measures for the benefit of consumers, auditors, and others.

 

A second CSA component provides organizations with a detailed matrix for implementing cloud security based on CSA guidance; a third includes a set of security questions cloud consumers or auditors can ask cloud providers.