Edited by Ginger Flores
Cloud computing has arrived, and efforts to reduce IT costs in 2009 will accelerate the adoption of cloud computing services, elevating a host of risk management and security questions for organizations wrestling with compliance requirements.
Cloud Computing Service Types
The first challenge facing compliance for cloud services is defining the type of cloud service being used. Today, most services are:
- Multi-tenant applications delivered from a cloud infrastructure. Examples include software-as-a-service (SaaS) applications for customer relationship management, like Salesforce.com, or an HR-ERP application like Netsuite.
- On-demand services, such as processing or storage in the cloud. Examples include Amazon EC2 or S3, and others.
- Development environments sharing a cloud infrastructure, such as Force.com from Salesforce.com, or AppEngine from Google.
The Compliance Lifecycle
Achieving and maintaining compliance for Gramm-Leach-Bliley (GLBA), PCI DSS, HIPAA and other regulations is best managed with a lifecycle approach. The phases of a typical high-level compliance lifecycle are:
- Understanding the regulations.
- Understanding the data. Identify and inventory sensitive information you own, where it’s transmitted, processed and stored—internally by you, or externally by a data custodian or service provider.
- Regularly assessing and auditing environment and security controls.
- Remediating control deficiencies.
- Repeating the cycle at the intervals required by your industry, regulators, or auditors.
The challenge in managing compliance for cloud computing services is gaining the required level of assurance for infrastructure owned and managed by somebody else that processes, transmits or stores sensitive information you own.
Understand the Regulations and the Data
A key compliance goal is determining exactly where sensitive information covered by compliance regulations is processed, transmitted and stored, inside or outside of an organization. In most organizations it’s a difficult exercise to identify every touchpoint for covered compliance data. However, the required controls infrastructure cannot be vetted until this inventory is complete.
Regulatory requirements are translated into a general set of controls to monitor and measure compliance, and specific guidance often adds more detail. A regulatory challenge for cloud computing services is the unwritten assumption that meeting control objectives is as simple as implementing and managing a security control. Unfortunately, with HIPAA, PCI DSS, GLBA and others, sharing the infrastructure of a cloud service complicates matters. Defining and implementing controls in a cloud infrastructure means sharing with other customers and service consumers—conflicts are inevitable. Cloud service providers have contracts and SLAs to govern how they operate their service, and the commitments they make to customers.
Regulations and Service Visibility
A sound risk management program for cloud computing services requires current knowledge of the regulatory environment coupled with visibility into the service provider’s countermeasures to properly assess the adequacy of their controls.
It takes vigilance to stay current on the regulatory environment. That environment is not static: regulations change periodically, and interpretative guidance is added between revisions. PCI DSS 1.2 is an example of such change, with updated protections for Web-based applications and cloud-based cardholder data. GLBA, HIPAA and SOX levy more general requirements for covered entities to protect personally identifiable or sensitive financial information.
These more general regulations pre-date cloud computing and change infrequently, but interpretative guidance is released with more regularity. Interpretative guidance is published by enforcement agencies, such as the Federal Trade Commission (FTC), the Federal Deposit Insurance Corp. (FDIC) or the Comptroller of the Currency. Security and risk management frameworks such as COBIT and ISO 27001 also pre-date cloud-based computing, and future versions may include updated requirements or new guidance addressing vulnerabilities unique to the cloud.
Applying current knowledge of the regulatory environment to assessing a cloud-based service requires some visibility into the provider’s processes and infrastructure. This PCI DSS 1.2 example illustrates this challenge:
Your organization uses a cloud service for data storage, including sensitive cardholder information covered by PCI. PCI DSS requirement 1.1.6 requires firewall and router rules to be reviewed at least every six months. As the organization bound by PCI, you need access to the firewall and router rule sets used by the cloud service provider. You must have a process in place to ensure that this review occurs at this frequency, and your PCI assessor will insist upon examining both your review process and the rules themselves.
Will the cloud service provider provide this degree of access to their clients?
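The following is an added example, not code from the article or from any provider it names, showing the kind of review evidence the scenario above calls for: a record of when each provider-hosted rule set was reviewed and by whom, a digest of the rule text that was actually examined, and a check that flags a device either when the review window has lapsed or when the rules the provider exports today no longer match what was reviewed. The device names, addresses, rule lines, reviewer name and dates are constructed; the 182-day window used for "at least every six months" is this example's own assumption, not a figure from the article or the standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# "At least every six months": the 182-day window is this example's assumption,
# not a figure taken from the article or from PCI DSS.
REVIEW_INTERVAL_DAYS = 182


@dataclass(frozen=True)
class ReviewRecord:
    """Evidence of one rule-set review, in the form an assessor will ask to see."""
    device: str
    reviewed_on: date
    ruleset_sha256: str  # digest of the rule set the reviewer actually examined
    reviewer: str


def ruleset_digest(rules):
    """Stable digest of a rule set. Whitespace is normalized and blank lines are
    dropped; order is preserved because firewall rule order is significant."""
    normalized = "\n".join(" ".join(r.split()) for r in rules if r.strip())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def rule_diff(reviewed_rules, current_rules):
    """Rules present now but absent from the reviewed snapshot, and vice versa."""
    reviewed = {" ".join(r.split()) for r in reviewed_rules if r.strip()}
    current = {" ".join(r.split()) for r in current_rules if r.strip()}
    return sorted(current - reviewed), sorted(reviewed - current)


def review_status(record, current_rules, today):
    """A device needs a new review when the window has lapsed (overdue) or when
    the deployed rules no longer match the reviewed digest (drifted)."""
    due = record.reviewed_on + timedelta(days=REVIEW_INTERVAL_DAYS)
    overdue = today > due
    drifted = ruleset_digest(current_rules) != record.ruleset_sha256
    return {
        "device": record.device,
        "due": due,
        "overdue": overdue,
        "drifted": drifted,
        "needs_review": overdue or drifted,
    }


# Constructed sample data: two provider-hosted devices and the rule text the
# reviewer signed off on. Names, addresses and dates are made up.
REVIEWED_RULES = {
    "edge-fw-1": [
        "permit tcp any host 10.0.0.5 eq 443",
        "permit tcp 10.1.0.0/16 host 10.0.0.9 eq 22",
        "deny ip any any",
    ],
    "edge-fw-2": [
        "permit tcp any host 10.0.0.7 eq 443",
        "deny ip any any",
    ],
}

RECORDS = [
    ReviewRecord("edge-fw-1", date(2009, 1, 15),
                 ruleset_digest(REVIEWED_RULES["edge-fw-1"]), "j.doe"),
    ReviewRecord("edge-fw-2", date(2008, 6, 1),
                 ruleset_digest(REVIEWED_RULES["edge-fw-2"]), "j.doe"),
]

# What the provider exports today (constructed): edge-fw-1 gained a broad permit
# after the review; edge-fw-2 is unchanged apart from spacing, but its window lapsed.
CURRENT_RULES = {
    "edge-fw-1": REVIEWED_RULES["edge-fw-1"][:2] + ["permit ip any any"]
                 + REVIEWED_RULES["edge-fw-1"][2:],
    "edge-fw-2": ["permit tcp any host 10.0.0.7  eq 443", "deny ip any any"],
}


def run_checks(today=date(2009, 1, 20)):
    """Evaluate every recorded device and return the status list for reporting."""
    results = []
    for rec in RECORDS:
        status = review_status(rec, CURRENT_RULES[rec.device], today)
        if status["drifted"]:
            status["added"], status["removed"] = rule_diff(
                REVIEWED_RULES[rec.device], CURRENT_RULES[rec.device])
        results.append(status)
    return results


if __name__ == "__main__":
    for s in run_checks():
        print(s)
```

Keeping a digest of the reviewed rule text, rather than only a review date, lets you answer the assessor's second question (which rules were reviewed?) and also catches the case where the provider changes a rule set between scheduled reviews, which a date-only tracker would miss.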
Regular assessments and audits identify potential gaps in meeting updated regulatory requirements, or in protections for new cloud computing initiatives. In the worst case, they detect breaches. All regulations require owners of covered compliance information to perform regular audits of data custodians or processors, including any additional risks posed by multi-tenant SaaS environments.
The SaaS version of cloud-based computing is a double-digit growth market. Central corporate functions, or business units and departments, may be adding SaaS applications that process and store sensitive personal or financial information. These cloud-based additions may need updates to written policies and procedures, and new security controls.
Regulatory changes impacting cloud-based sensitive information may be more important than compliance updates inside trusted enterprise networks. Regulations are designed to be technology independent, so that they apply across evolving architectures and changing infrastructures. They were developed during the era of proprietary datacenters, and mature audit criteria exist for almost all conditions encountered inside trusted enterprise networks. Audit criteria for sensitive cloud-based information and systems are comparatively immature or non-existent.
Regular assessments can create backlogs for risk managers of busy cloud-based data custodians. Check service level agreements for language governing scheduling and conducting assessments. Also, different regulations levy unique and even overlapping assessment requirements and schedules. It is in the interest of all parties for these conflicting requirements to be mapped and unified, along with schedules, for external and internal audits and assessments.
Technical controls enforce compliance policies governing access and security for sensitive cloud-based applications and storage. Cloud computing must have the same level of risk management and technical controls as the owner of sensitive personal or financial information provides inside its trusted network; that is the objective behind the PCI DSS 1.2 firewall rule example above. The data owner is responsible for exercising due care in establishing the risk management environment for sensitive cloud-based applications and data, and due diligence in the execution of security controls.
Trusted network and cloud-based controls for sensitive applications and data should provide the same level of authentication, password strength and management, access, authorization, network and host-based intrusion detection and prevention, malware detection and remedies of all types, perimeter defenses, encryption in communications and storage, data loss prevention, secure endpoints, business continuity and much more.
Mutual Assured Remediation
Remediation of any deficiencies identified in assessments or audits of sensitive cloud-based systems and information must be agreed to by both parties. Read the fine print in the service level agreement to understand how remediation is managed—if it’s mentioned at all. The level of risk management and security provided by cloud-based services varies and is improving. Some SaaS vendors have experienced many data custodian audits and can demonstrate strong compliance programs; others less so. Remediating any deficiencies you find will likely be a negotiation. As with all compliance issues, as the data owner you are responsible for properly managing all risk.
Vendor assessments, and any subsequent remediation steps, are critical to sound risk management of cloud-based services. Auditors also know that these steps are beyond the control of most users of cloud computing services, which makes them an obvious audit target as companies add more cloud computing—a topic we’ll examine in more depth in a future article.
Comments & Feedback
Please visit www.complianceresearchgroup.com.