There are many common misperceptions surrounding cloud computing – one of which is that regulatory compliance requirements preclude many organizations from being able to leverage outsourced, managed cloud services. However, working with a reputable cloud service provider can help businesses leverage expertise and processes while mitigating risks.
While risk managers, security professionals and auditors are educated on cloud computing, its capabilities and its limitations, there are a number of false impressions when it comes to compliance issues, according to Jesse Lipson, GM/VP of Data Sharing at Citrix.
“A lot of people assume that cloud computing comes in one shade of grey when in fact cloud computing comes in many different shades of grey,” he says. “In other words, there are a number of different ways to architect a particular cloud offering whether it be a completely private or public.”
While security is often cited as the primary inhibitor of cloud adoption, Lipson says compliance is actually a bigger obstacle toward widespread adoption today.
“In terms of security, you can manage it and there’s a threshold at which an individual or a company is willing to accept a certain risk level,” says Lipson. “On the other hand compliance is usually driven by law, legislation or regulation so there is no choice – if your offering is unable to meet the requirements of the law, chances are you’re not going to be able to provide a useful service.”
Often, the comfort level with cloud services can be as much of an obstacle as the actual compliance requirements themselves, adds Ipswitch File Transfer’s Jeff Whitney, vice president of global marketing.
“It’s just that some requirements are under the cloud services vendor’s control. This makes some organizations uneasy,” Whitney explains. “Organizations with large, robust IT infrastructures may be far more uncomfortable with relying on others than smaller organizations. We have numerous small and medium size customers who tell us they can’t get the levels of security, uptime and disaster recovery that they can through our cloud services.”
The reality is that cloud platforms can not only be as secure and as capable of meeting regulatory compliance requirements, but in many cases a cloud solution can also help accelerate an organization’s ability to achieve compliance requirements and ease the process of maintaining compliance, according to Mark Clayman, chief operating officer of TriCore Solutions.
“Cloud providers that are focused on providing a platform to support enterprise applications have made security and compliance a core component of their culture and operations,” Clayman explains. “Because of the potential exposure and the need to support compliance requirements from FERPA to PII to PCI to HIPAA, etc. to help organizations move enterprise applications and sensitive data to the cloud, some providers have become extremely sophisticated at adding additional security services, controls and processes, over and above the basic security and data protection controls, including physical security, logical security, backups, data encryption, two-factor authentication, etc. – all backed by service level agreements that help companies achieve their compliance and regulatory requirements.”
Controls and Shared Responsibility
Having clear accountability of how cloud providers are addressing an organization’s requirements is also critical in achieving and maintaining compliance.
“Service providers need to clearly communicate shared responsibility – where the responsibility of the service provider, as well as the responsibility of the customer, begin and end,” says Lipson. “Customer-configurable controls are an example of this: IT admins are able to configure security controls (password control, length complexity, session time-outs, single sign-on identity management, mobile device security, etc.) on their end. Organizational and technical compliance responsibilities must be clearly defined and agreed upon. In order to stay compliant, both the service provider and customer need to comply with their own responsibilities.”
Lipson offered the example of a bike helmet company. When the customer makes the helmet purchase, the helmet comes with specific instructions on how to properly wear it. If the user doesn’t follow these specific instructions (their responsibilities), the helmet won’t protect them properly.
“Ultimately it’s about understanding the shared responsibility between the organization and the customer,” he says.
As such, Clayman says it is extremely important for organizations to partner with their service provider to:
- Ensure that both parties completely understand the compliance requirements for a particular environment, and determine what technologies, controls and processes need to be put in place to meet these requirements;
- Make sure that the associated logging and reporting is established so that the environment can be properly audited and both an organization and service provider can attest to meeting compliance requirements;
- Clearly define roles and responsibilities between and within the organization and the customer for all elements of the application environment; and
- Create SLAs for the service provider for compliance controls.
Keeping Up with the Times
Staying on top of evolving regulations is part of doing business for cloud providers just as it is for organizations hosting on premise, according to Whitney.
“Service providers have an advantage in that the cost of keeping up with compliance regulations is a part of their core business that they can share across many customers,” he says. “Organizations hosting on premise often have dedicated resources devoted to staying compliant.”
Keeping compliance professionals, legal counsel and advisors close is a good way to stay on top of the compliance regulation evolution, Lipson says.
“Approach it in a collaborative fashion by asking questions like: where are we right now, where do we need to go, and what do we need to do to meet compliance? In other words, the tough questions need to be asked in order to meet compliance,” advises Lipson. “While this may slow the process, it ensures that service providers meet compliance. Another option is to get a risk assessment. This will help service providers understand things like how they’re currently managing risk and what is the most prevalent threat to their business model.”
Perhaps even more important, service providers that target customers for their cloud should make it a priority to take action and evolve with the regulatory requirements, according to Clayman.
“The approach that service providers take towards service development and the implementation of operational controls should always be managed with a slant towards how will these services be able to help their customers achieve and maintain regulatory requirements,” he says. “In order to achieve this, service providers need to have a function within their organization that is solely focused on security and compliance and then ensure that there is an internal process where the implementation or changes to controls or the development or changes to services being provided are properly vetted by this function.”
Achieving Compliance in the Cloud
Achieving compliance in the cloud depends on many factors, explains Clayman. An organization required to achieve PCI Level 1 has different needs from an organization that needs to achieve PCI Level 4, which in turn has different needs from an organization that needs to be FERPA compliant, which again has different needs from an organization that is publicly traded, which must comply with state, local and federal government requirements.
“While many of these groups will require the same basic security and data protection controls in regards to physical and logical security, backups, encryption, separation of duties, operating system hardening, password policy controls, etc. from there, the services required will take different paths to achieving various compliance requirements by implementing combinations of more advanced security services, such as application firewalls, intrusion detection systems, log monitoring, vulnerability assessments, reporting, etc.,” he says.
The challenge of achieving compliance in the cloud is largely the same as achieving compliance on premise, but with dedicated experts supporting compliance efforts in the cloud, according to Whitney.
“Also unique in the cloud is that individual organizations’ service environments must be adequately isolated from one another to comply,” he says.
Technical compliance is another key element – such as apps that enable workflow automation without the user having to do anything, adds Lipson.
“When an app is compliant, the end user doesn’t have to even worry about whether or not their actions are meeting those requirements, it’s simply baked into the workflow,” he says. “Another element is that the whole stack needs to be accredited, achieving the same certification – not just the organization, but the data centers as well.”
Edited by Alisen Downey