Compliance in the Cloud: More than Checking a Box

Security and Compliance have been big cloud computing showstoppers for a long time, particularly for the off-site, public variety of cloud. Those two issues have always been heavily intertwined, since most compliance requirements involve security of one type or another. Since you can’t just go do your own audit on a public cloud (as doing so would violate the security policies of the cloud provider’s other shared-infrastructure customers), early interest in public cloud from major firms quickly ran into a brick wall. Fortunately, the best-funded cloud service providers recognized this market barrier early on and moved to incorporate standards compliance into their menu of offerings.

The providers have assumed the burden of engaging independent third parties to certify that their services meet the requirements of whatever regulations or industry standards are relevant for their customers, and they will be happy to show you audit reports and certifications to prove it. Sure, it means that they may need to provide something a little less generic and therefore a little pricier, but that’s a cost of doing business with large organizations. ISO 27001, SSAE 16, PCI, HIPAA, FedRAMP and CSA are all now easy to find, and the list is growing.

This change in the cloud services marketplace is critical. Not only are cloud options now available to organizations that could not even consider them before, but the standards themselves are growing in importance. That’s because in the cloud we only have those standards, plus whatever faith we have in the good stewardship of the providers themselves, to assure us that our data is kept private and secure. Certainly, large cloud providers with numerous customers sharing infrastructure will be tempting targets. So when there’s a well-publicized security breach in a regulated industry, the first question we need to ask is, “Did this happen because the organization was out of compliance, or because the standard itself wasn’t good enough to ensure adequate protection even when properly implemented?”

If the answer is the latter, then an upgrade to the standard is likely to be needed in a very big hurry. If it’s the former, then we need to know why the audit process did not catch the non-compliance — and this area still seems to have much room for improvement. For example, several months after the significant loss of customer credit card data at Target, definitive answers to the question of why implementation of the PCI standard was not effective in preventing the breach have yet to appear.

Now that compliance options are at least available in the public cloud, you still have to be careful to go beyond simply checking a box when selecting a service. Some leading practices to keep in mind to avoid unpleasant surprises are:

  • Just because the cloud service is compliant does not mean the entire application or process that uses it will be. You can’t become compliant automatically just by moving to the cloud, and different providers may put more or less of the burden of compliance on the customer. Start by asking if a signed agreement will clearly define the provider’s responsibility vs. yours.
  • Sometimes regulations and standards define different levels of compliance or have different types of audits that can be passed and reports that can be provided, such as with SSAE 16. Find out if the service complies at the level you need. Look at the provider’s approach to compliance – how proactive are they? Some may be much stronger than others.
  • Make sure to look at evidence that the compliance claimed by the provider actually exists. Determine if audit reports are thorough, recent and independent. Find out if references are available from other customers with requirements like yours. Do the underlying process and infrastructure appear to be adequate to support the required controls? Are the staff used to support the necessary processes qualified enough to maintain compliance?
  • Ask the cloud service provider what assurance they can give that the service will remain in compliance over time. How often will audits be repeated? How will problems identified by audits be handled?

Checking all the boxes is only the first step towards ensuring a secure, compliant solution that will be maintainable well into the future. Contact us to discuss further.

About the author

Scott Feuless is a Principal Consultant with ISG, based in Texas. Scott benefits from 25 years of senior management experience, with a strong background in leading performance improvement initiatives, developing strategy and pricing outsourced services, together with knowledge of many areas of computer technology developed over some thirty years. For ISG Scott provides expertise on infrastructure performance and benchmarking, as well as strategic sourcing advisory. Scott is also a primary contributor to the development of industry standards for cloud computing. His expertise covers multiple architectures and sourcing arrangements, with major studies completed for mainframe, midrange server, storage, desktop and networking environments over his 13+ years with the firm.