BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
From GDPR to HIPAA to PCI-DSS, there's an alphabet soup of regulatory compliance requirements that information security professionals have become intimately familiar with. When you add cloud infrastructure and services to the mix, an already complex balance of business drivers and legal needs gets even more difficult.
In this video, expert Adam Gordon, author of The Official (ISC)2 Guide to the CCSP CBK, Second Edition, outlines legal requirements and considerations for those consuming or providing cloud services. In particular, Gordon highlights some of the challenges cloud security professionals can encounter when a cloud service is accessed from or serves multiple countries or regions, each with a unique set of cloud security standards.
For instance, the European Union has famously stringent regulations around data privacy. A cloud provider operating in North America that serves international customers must be mindful of regional cloud security standards, Gordon notes. Likewise, a cloud security professional at an EU-based enterprise considering working with a North American cloud provider needs to ensure such services meet their legal requirements.
"If we are consuming in geography A versus geography B and/or geography C, there may be very different legal requirements or expectations and accountability and responsibility conversations around what may or may not be allowed, under what conditions we may or may not be able to operate or consume data or use the cloud," Gordon explains. "As a result, we cloud security professionals have to be knowledgeable about the legal requirements in the areas we're being asked to operate in."
The following is a full transcript of Adam Gordon's video.
CCSP® is a registered mark of (ISC)²
Transcript - Consider international cloud security standards, legal reqs
Hello, and welcome to the Understanding Legal Requirements and Unique Risks within the Cloud Environment discussion. In our conversations in this section, we'll be going through and talking about international legislation and the conflicts that may associate with that in terms of business requirements, operational requirements, things that may happen when you operate in one area of the cloud, but also then have liabilities and exposure in another area, because customers may consume data across boundaries. Appraisal of legal risks specific to cloud computing, e-discovery, forensics requirements and legal controls. We'll be going through these areas as part of our conversation on the topical environments within this particular area.
Balancing convenience and cloud security standards
So when we begin and think about how we're going to start framing this discussion, the slide on the screen in front of you has a graphic that shows an arrow that's kind of arcing off to the right. We see at the bottom there, simplicity and convenience of technology. We then see a slightly larger bullet point with legal complexities, we'll move up towards the arc of the arrow. The idea is to really help us to understand and frame in our minds the conversation about the fact that while consumption from a simplicity and convenience of technology perspective, it's really one of the key drivers of the cloud. The cloud enables us to be able to consume technology quickly, scale up as we've talked about with elasticity, scale down and scale out as required.
We've talked about the fact that the cloud is ubiquitous. It is everywhere today. There's broad network access. We can get to it and use it from almost anywhere under almost any circumstance. It reduces costs for us because it allows us to consume on demand, but also allows us to pay as we go. Really just using the particular resources or the particular areas that we may need, focusing on those, excluding the technology in areas that we may not need, and really just paying for what we are going to consume.
So all those things are simple and convenience points, and those things allow us then to use the technology almost as a force multiplier, to be able to enhance our ability to use, to consume, but to do so in ways that make sense to us individually as customers, to us as a business in the organization and the enterprise. And from a provider perspective, to be able to be focused on providing value, being able to be cost-aware and risk-averse, and to be able to really focus on the needs of the customer, and provide the exact tailored set of solutions or services in an a la carte menu format, that allows customers to consume. So everything is really functional and really focused around simplicity and the technology that drives that.
And we've talked about virtualization. It's one of the underlying values in technologies within the cloud. We've talked about the ability to manage across those areas and across that infrastructure easily using secure software, secure API interfaces to do so. All the things that we've talked about really are focused in this area. The challenge that we bring into the conversation here, and the legal complexity item at the top of the arrow, is really meant to focus us on the idea that while all of that is good from a provider, from a customer perspective, legal issues, legal complexities and cloud security standards have to be brought in as part of the conversation around understanding how to consume successfully, how to measure that consumption, and most importantly how to manage risks.
Legal requirements vary by geography
Because at the end of the day, if we are consuming in geography A versus geography B, and/or geography C, there may be very different legal requirements or expectations and accountability and responsibility conversations around what may or may not be allowed, under what conditions we may or may not be able to operate or consume data or use the cloud. And if we do operate or consume data in the cloud, the cloud security standards may look very different from jurisdiction A against jurisdiction B, or in region or geography C.
Certain countries, for instance, will require under law that we must provide the encryption keys, or at least provide access to encrypted data, in order to store that data within that jurisdiction. Other areas of the world will not provide or will not focus on that particular issue from a legal perspective, and they're not going to mandate, or at least focus on that as a requirement of being able to use or consume cloud services.
Other countries, other areas of the world, may be focused exclusively or very, very carefully and very focused on privacy, not exclusively by any means, but one of the key areas and drivers within the conversation about cloud security standards. So, for instance, in the European Union, the great focus, as we've talked about in some areas of the class and discussions already, on personal identifiable information, on PII, and privacy-related issues is well known. The European Union has some of the most stringent and really focused privacy laws on the books today with regards to use of information, not just within cloud environments but broadly around protecting the rights of the individual from a privacy perspective, and detailing what those are.
Other areas of the world, other geographies, may not be as focused on that at the level that the EU is today. And so the legal complexities involved with operating cloud environments really have to be front and center for us as cloud security professionals. We have to go through the due diligence and due care exercises of understanding the environments we're asked to operate in, where our customers are consuming, where the providers that we may be interacting with and/or consuming from, are going to base themselves and provide services through. And as a result we, cloud security professionals, have to be knowledgeable about the legal requirements and cloud security standards in the areas we're being asked to operate in.
Untangling legal complexities
We have to be able to be knowledgeable to educate our customers, help them through proper guidance, to understand the requirements and responsibilities they may have. We have to point out issues that they have to be aware of, identify risks that may concern them, and help to document the operational procedures, processes, and requirements, as well as cloud security standards, that will allow them to exist, co-exist in some cases, in multi-tenant environments. But exist or co-exist and consume legally, consume responsibly, and operate responsibly within the cloud. This is where legal complexity comes into the conversation.
So this idea of just building the graphic and creating the arc that shows us that, as we move through simplicity and convenience, we have to be aware of legal complexity, helps to focus our minds as we being our conversations around this idea of the fact that knowledge of the legal operating environment is going to become critical to understanding and managing risks. But also to understand how to manage effectively and operate effectively cloud-based environments today and well into the future as we look ahead.
International legislation and things that we have to be aware of becomes a focal point in this conversation. You know, cloud computing introduces a lot of legal issues and challenges, some of which is security professionals, some of which is practitioner, some of which is the architect, some of which more than one of those audiences or voices may need to just grapple with, struggle with and/or be aware of. And all of these things that are introduced into the mix have to be things that we document, things we discuss, things we plan for when and where we can, when and where appropriate, and certainly identify, document and make aware of, ourselves in the business, as well as the provider's relationship to us with regards to these issues.
So a primary challenge is created by the existence of all the different conflicting legal requirements and cloud security standards that we've been discussing. If you are a business, for instance, hypothetically, that does base itself, primary area or primary focal point for the geography of the business is North America. And as a North American-based business, while we may do business with customers and/or with individuals and businesses that are based in Europe, that's not where we are based as a point of operations. We have no physical or logical presence there. We are still bound by the EU directive on privacy, and as a result, if we handle data from customers or individuals within EU countries, or if we do business with businesses there and they expose customer data to us, as a result of that, we have to bound by the directives on privacy and/or under the Safe Harbor requirements, which we'll talk about a little later on in our conversations.
We have to take appropriate matching steps that are going to indicate to the EU that we, as a business, are taking privacy and the protection of that customer data seriously at a certain minimum threshold level, by certifying that we will be able to do and/or meet certain things, or have certain obligations we take on with regards to management of data, through appropriate contracting vehicles and/or appropriate standards that are met with regards to the data, and the integrity and confidentiality of the data for those customers.
However, same scenario, shift the geography just a little bit. If we are a North American business, again, North American-centric so we're operating within North America but we choose specifically or just through ever whatever the reasons may be, we choose to have no relationship with and do no business with any customers from a European entity that would be a member of the EU, we do no business with and/or have no relationship with any businesses that are based in the EU or have EU-based customers. We would only focus on North American entities and only sell to North American-centric businesses and North American customers, for instance. If that's the case, we don't have the same responsibilities to adhere to the EU directives on privacy with regards to data integrity and data confidentiality for individuals. We have no responsibility to apply, and therefore look to the Safe Harbor requirements in order to standardize our way of matching and dealing with this customer data, to the minimal effect of standards required under the directive.
Business needs vs. legal requirements
And although we may choose to adhere to and may choose to apply those standards because they're good, common sense, they may make sense in our business to raise our level of security to address risks, even though we may not feel that they are always going to be things we have to be focused on, we have no legal requirement to do so. It may be an optional requirement on our part, but it's a business we've decided to take on.
So we have to understand that because of these conflicting issues, concerns and interpretations of where we do business, and as a result, the requirements that come into play. Businesses may have to operate in very distinct ways based on the geographies and based on the areas of the world that they choose to do business in, and/or have customer data that they interact with. And as a result of this, two businesses operating in the same environment but with different customer segments may look very different from a risk, from a legal requirements and jurisdictional perspective. And as a result, their business and their operational issues will be different. They will have different policies, different cloud security standards, different procedures, and different issues that they address as a result of these issues that we're talking about here.