There are a number of regulations that apply to systems being built in the cloud. Some are industry specific, some are specific to the type of data and transactions being processed, and others are standards for any cloud-based system. For companies building software in the cloud, two parties share responsibility for compliance: the CSP and the company building the applications. The fact that a provider like Amazon Web Services (AWS) is certified against the ISO 27001 standard does not make the applications built on top of AWS compliant. It simply means the infrastructure layer can pass the audit. The company building and managing the application stack and application layer must have all of the proper controls in place to ensure that the entire application, including everything above the provider's boundary, can pass the audit. Table 7.1 lists some of the regulations that can come into play when building cloud services.
Table 7.1 Regulations and Controls

Audit                Category      Description
ISO 27001            Software      International computer system standard for security
SSAE-16              Security      Controls for finance, security, and privacy
Directive 95/46/EC   Security      European security and privacy controls
SOX                  Financial     U.S. public company financial accountability controls
PCI DSS              Credit card   Security and privacy of credit card information
HIPAA                Health        Security and privacy of health care information
FedRAMP              Security      U.S. government security standards for cloud computing
FIPS                 Software      U.S. government standards for computer systems
FERPA                Education     Security and privacy of education information
To pass audits pertaining to software best practices, security, and privacy, a company must have controls and processes in place in the following categories:

• Incident management
• Change management
• Release management
• Configuration management
• Service level agreements
• Availability management
• Capacity planning
• Business continuity
• Disaster recovery
• Access management
• Governance
• Data management
• Security management
This is another reason the myth that cloud solutions are not secure is completely false. In order to become certified for the standard regulations for cloud computing, a company must pass audits by implementing approved processes and controls in all of these categories. Many on-premises solutions were never held to that same standard. We will discuss some of these categories in detail later in the book.
Many more regulations can fall into scope, and each country may have its own laws that must be adhered to as well. The type of application and the customer base have a lot to do with which regulations apply. For example, many social media sites do not feel the need to invest in passing various audits. Most simply post terms and conditions stating what the company's responsibilities are, and the user accepts them as is in return for using the service. For business-to-business (B2B) companies, adherence to regulations is much stricter. Corporate customers of CSPs have far greater responsibilities and requirements than individual consumers. For example, an individual using a cloud service like Twitter can choose to opt in and assume the risks as defined in the terms of service, or she can choose not to enroll. If she opts in, she relies on Twitter to uphold its part of the agreement by keeping her data secure and private. If Twitter fails to do so, there is not much an individual can do other than close her account.
Now let's look at Chatter, a Twitter-like cloud service for social collaboration within the enterprise. Even though Twitter and Chatter are conceptually very similar services, a breach of Chatter data is far more serious than a breach of Twitter data. The reason is that Chatter is used internally for business discussions and to connect with customers and suppliers. The information shared through it is not for public knowledge. A breach could expose a company's secrets, upset customers and partners, and create a public relations nightmare for the company. Salesforce.com, the company that sells Chatter, must comply with numerous regulations in order to gain the confidence of businesses if they are to become paying customers.
Here is what decision makers need to know when it comes to regulations. For Infrastructure as a Service (IaaS) and PaaS CSPs, gaining certifications for numerous regulations is key to customer acquisition. Minimally, a CSP should be certified under ISO 27001 and have SSAE-16 SOC 1 and SOC 2 reports. If the provider expects to have health care customers, it should be able to demonstrate HIPAA compliance. PCI compliance is critical if the CSP expects any application that accepts payments to run on its infrastructure. There are also U.S. government standards and programs, such as the Federal Information Processing Standards (FIPS) and the Federal Risk and Authorization Management Program (FedRAMP), that certain government agencies require CSPs to comply with. Often, companies and government agencies turn to private cloud IaaS and PaaS solutions to get around the lack of certifications in the public cloud space. In these cases, the compliance risk is judged to outweigh the elasticity and resource pooling that are sacrificed by running in a private cloud. Recently, public IaaS providers have been obtaining federal certifications in an attempt to attract business from government agencies. AWS has launched a dedicated region called GovCloud that meets the government's regulatory requirements and isolates the government applications installed in that region from the rest of AWS's customers. This is a semiprivate community cloud running on a public IaaS, available only to certain government agencies.
For SaaS CSPs, privacy is a key issue because all of the data management is the responsibility of the service provider. Most SaaS contracts have an escrow provision to account for what happens to the software and the customer's data if the solution is unavailable for a long period of time or if the company goes out of business. The software (and, where negotiated, the data) is deposited with a third-party escrow agent and turned over to the consumer of the SaaS solution if the CSP declares bankruptcy or fails to meet its contractual obligations. CSPs that transfer data across international boundaries must meet the regulatory requirements that govern such transfers. The EU data protection directive (Directive 95/46/EC) prohibits the transfer of personal information from European Union (EU) countries to companies outside the EU that do not meet EU privacy standards; the U.S.–EU Safe Harbor framework was the mechanism that let U.S. companies self-certify to those standards. (Practitioners should note that Safe Harbor was invalidated by the Court of Justice of the European Union in 2015 and Directive 95/46/EC was replaced by the GDPR in 2018, so the current transfer mechanisms must be checked rather than assumed.) Any SaaS provider hoping to sell to EU customers, or to customers that integrate with EU customers, will have to adhere to EU regulations as well as many of the regulations just listed. The good news is that there is a great deal of overlap among these regulations. The combination of ISO 27001 and PCI DSS covers a majority of the remaining regulatory requirements. Some auditors can even combine the auditing efforts into a single engagement so that they audit all of the processes and controls in one pass and produce multiple audit reports, thus reducing the overall cost and time to complete the audits.