This is much to the chagrin of the compliance department, which wakes up in a cold sweat thinking about data security. Experts agree, however, that by conducting due diligence, companies can minimize their cloud-related risk and maintain compliance in the cloud.
"Your security teams have to satisfy themselves that what the cloud provider is doing on a routine basis meets or exceeds what they'd do on-premises," said John Howie, chief operating officer of the Cloud Security Alliance.
But enterprises are limited in how they can conduct this due diligence. For example, a cloud provider audit may not be possible because the provider doesn't want hordes of customers tromping through its data centers. Penetration testing could also shut down an enterprise's service because the cloud provider could view it as a legitimate attack, Howie said.
Because physical audits sometimes aren't possible, reputable cloud service providers should have certifications. In the United States, the two major certifications are ISO/IEC 27001:2005 and SOC 2. The ISO/IEC 27001:2005 certification provides a definition for how to run an information security management system. It does not, however, say whether "you're particularly good at it, and it doesn't say that you have the controls in place [that] are actually working," Howie cautioned. "It just certifies that you have an information security system that understands these problems and is trying to improve."
The SOC 2 certification, which is the replacement for SAS 70 and is based on the audit standard AP 101, contains the five "SysTrust" principles developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants: confidentiality, integrity, availability, security and privacy, according to Howie.
"Privacy is a little bit of a misnomer, because it's not privacy of the customer's data," he said. Rather, it means the privacy of the cloud provider's customer, not the customers of the company that signs up for service.
To ensure the cloud provider's controls are adequate and working, SOC 2 requires an audit by a large firm. A SOC 2 report is then presented that contains detailed information about vulnerabilities and the environment as a whole. These details often make cloud providers hesitant to let customers see the results of SOC 2 reports, Howie said.
Ask providers relevant questions
Before choosing a cloud provider, companies need to ask prospective vendors some hard questions to ensure they'll stay on the right side of regulators. "It's about asking questions around what arrangements are going to be in place to protect your information … from the creation stage to the processing, the storage, the transmission and, of course, destruction," said Steve Durbin, global vice president of the Information Security Forum. Eventually, the contract with the provider will end, and organizations need to know what will happen to their data when that occurs, he added.
Other questions should include how secure the connection is, including whether a VPN is required to connect, and what the availability is, Durbin said. Companies also need to ask encryption-related questions, including whether the data needs to be encrypted, what facilities the cloud provider has to encrypt data and whether data should be encrypted before being transmitted to the cloud service, he added.
Physical security is also important, according to Mac McMillan, current chairman of the HIMSS Privacy and Security Policy Task Force and CEO of Austin, Texas-based IT security consulting firm CynergisTek. Questions should include how the cloud provider controls physical access and how systems are protected from other customers' data in colocation situations.
Finally, companies should check on the status of the cloud provider's insurance, McMillan said. For example, if there's a security breach, it's important to know if the provider will indemnify the customer and pay for the notifications, he said.
Beware the fine print during contract negotiations
The due diligence doesn't stop at the negotiating table. There is no one provision to include in the contract to maintain compliance in the cloud, but careful language can help limit liability, according to Robert Scott, managing partner at Southlake, Texas-based technology law firm Scott & Scott LLP.
Enterprises need to ensure that their cloud services providers agree to be bound by the same regulations that they are, Scott said. For financial institutions, that means adhering to regulations such as the Gramm-Leach-Bliley Act, for example.
One thing to be wary of in contracts is provisions where the cloud services provider asks the enterprise to agree to limit data breach liability, Scott cautioned. "Such a provision could work to significantly limit the availability of insurance and/or the ability to recover for privacy-related claims that result from a data breach," he said.
Contracts are always negotiable, and any reasonable cloud provider will be willing to negotiate with a customer regarding legitimate regulatory compliance, data security and privacy concerns, Scott said. "They're not going to be a successful cloud service provider without being sensitive to customer concerns in those areas," he said.
About the author:
Christine Parizo is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology- and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Prior to launching her freelance career, Parizo was an assistant news editor for SearchCRM.