Roman Sakhno - Fotolia
University of Notre Dame
Published: 01 Oct 2015
Compliance doesn't need to slow down cloud adoption, but it should remain a high priority in cloud-enabled IT environments. Federal and state laws that protect information security and data privacy differ widely and are becoming increasingly complex. The global picture is even more difficult to unravel.
As enterprises around the world adopt cloud computing strategies, regulated data -- such as personally identifiable information, health records and credit card numbers -- increasingly passes through the control of a wide range of service providers. Multinational corporations must take time to understand the data security ramifications of cloud computing decisions and move forward in a manner that maintains compliance with applicable security and privacy regulations.
In all of these scenarios, figuring out which regulations apply to your business operations can be time consuming and frustratingly complex. Remember: Your organization is ultimately responsible (liable) for protecting sensitive data that it's been entrusted with and ensuring compliance requirements are met, no matter where that data is stored, transmitted or accessed. As assets are moved to the cloud, you must take steps to ensure compliance obligations are upheld by third-party service providers and vendors.
Shared responsibility model
Migrating to cloud services also requires a major shift in the mindset of information security and compliance teams. In legacy data center environments, internal teams often bore end-to-end responsibility for IT compliance. This put a tremendous burden on the shoulders of overworked security teams, but also gave the enterprise assurance that one team carried the ultimate responsibility for maintaining a secure, compliant IT environment.
This end-to-end approach simply doesn't apply in a cloud computing world, where companies often share compliance burdens with one or more service providers that may be providing infrastructure, platforms or hosted services. (See: "Tiers of Cloud Computing.") In this shared responsibility model, both service providers and their customers must spell out what is required by each side in terms of compliance responsibilities.
One way to achieve this is by walking through applicable regulations line-by-line and identifying who is responsible for implementing each control objective. An infrastructure as a service (IaaS) provider might be responsible for building and maintaining a secure firewall service, while you are in charge of configuring that service to only allow authorized traffic to pass. In a software as a service (SaaS) environment, the service provider might bear complete responsibility for firewall management.
You should work with your service providers on a regular basis to review and update the division of responsibilities. As business needs change and technical capabilities evolve, the burden of compliance may shift in one direction or another. Staying abreast of these shifting responsibilities is a key component of compliance management.
Where's the data?
Your company is ultimately responsible for information security when there's a compromise or breach (no matter where the data is stored or how it's transmitted or accessed). But, sometimes, knowing exactly where data is, and how it's protected when it's entrusted to third parties presents an enormous challenge.
Many IT compliance regulations contain language specifying the geographic locations where financial or healthcare organizations, for example, may store data. U.S. export control regulations prohibit the storage or transmission of some regulated data outside of the United States. Similarly, European Union privacy regulations prohibit transferring some personal information outside of the EU without implementing adequate privacy controls around that data.
In a legacy data center world, complying with data locality obligations was fairly straightforward. Organizations knew where they built their data centers and could easily ensure that they did not move data between those facilities in a manner that violated compliance obligations.
With cloud computing, data location becomes more complicated. When you move IT assets to IaaS providers, such as Amazon Web Services, Microsoft Azure, Rackspace Open Cloud or Google Compute Engine, you can typically specify the physical locations where the provider stores and processes information. (See: "Data Locality in IaaS.") But in a SaaS deployment, such as Salesforce's customer relationship management or Concur Technologies' business travel and expense management, physical locations are often murkier as providers strive to maintain the flexibility to shift operations around the globe.
Organizations adopting cloud computing services must take steps to ensure that they remain compliant with any data locality compliance obligations that apply to their business or industry. This process may involve properly configuring service settings or working with vendors to obtain contractual assurances. Contracts should specify that data will only be located in identified regions and that it will not be stored or processed in black-listed nations.
Security operations in a cloud world
Transferring responsibility for IT operations to cloud service providers also means that your organization may lose insight into security-related activities. For example, service providers will not provide you with direct access to their intrusion detection systems. For this reason, you should carefully consider security incident notification processes before committing to vendor relationships. Contracts with service providers should require that the vendor immediately notify your organization of known or suspected security incidents affecting cloud data.
When your organization chooses a cloud provider, the enterprise security team should understand what security information they can obtain from the service provider and how to incorporate that data into your existing security processes. For example, if the vendor provides detailed logging, is it possible to feed those logs into your existing security information and event management system? If not, how will you monitor those logs for anomalies and store them for future use? The same considerations apply to eDiscovery, API accessibility and anomaly detection.
Keeping the paperwork straight
Adopting cloud computing services increases the complexity of compliance issues and the importance of documenting controls. The easier it is for you to clearly demonstrate compliance with IT laws and regulations, the smoother things will go when the auditors come to town. Maintaining clear, consistent documentation also provides IT management and other leaders with the confidence that the organization is meeting its compliance obligations on an ongoing basis.
Written contracts should govern the use of any cloud computing service in a regulated environment. These contracts should spell out the details of the shared responsibility model negotiated between the organization and its service providers. It may simply reference an agreed-upon compliance guide or dive into the details of specific security and privacy controls.
In either case, you should ensure you have contract language in place that requires vendors to operate services in a manner that facilitates compliance with applicable regulations. The service level agreement should also include language to future-proof the contract. For example, an organization seeking to process credit card data in the cloud should obtain assurances from potential vendors that they will remain compliant with PCI DSS.
You should also retain the right to audit vendor performance against any applicable security regulations. In many cases, you can achieve this objective by requiring that vendors conduct a third-party security assessment -- at their own expense -- and then share the results with you on an annual basis. This audit may take the form of a regulation-specific compliance audit or a more general security assessment conducted under the auspices of the American Institute of Certified Public Accountants' Service Organization Controls (SOC) program.
Using a common framework such as SOC reduces the burden on both customers and vendors by replacing customer-specific audits with a commonly accepted shared approach. Baseline standards that must be met by cloud providers, such as the assessment, authorization and continuous monitoring required by the Federal Risk and Authorization Management Program (FedRAMP) can also help industries beyond government better assess third-party security controls.
Finally, organizations should appoint an individual to compile and maintain compliance records on a routine basis. For example, PCI DSS requirement 12.8 mandates that merchants keep a current list of all service providers they use for the storage, transmission or processing of credit card information. It also requires that merchants maintain written records of how the merchant and service provider cooperate to implement the shared responsibility model. You must ensure that you maintain appropriate documentation that might be required to support your compliance programs.
Even with all the compliance requirements, cloud computing is a tremendous boon to companies around the world, offering a flexible, scalable approach to obtaining infrastructure, platforms and SaaS. Most organizations seeking to adopt cloud computing services hope to realize these benefits. But to do so, you must take steps to ensure service providers implement your cloud services in a manner that maintains compliance with all applicable regulations.
No matter what services you adopt, you can't fully outsource responsibility for information security. As a consumer of cloud services, your organization is accountable for its own actions. The key to compliance is documenting the division of responsibilities.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.