Friday, May 31, 2013

Compliance In The Cloud

(May 2013) - “The Cloud” – it is a phenomenon that has become one of the hottest buzzwords in technology over the past few years. There are myriad benefits to using cloud computing, including easier file backup and storage, the ability to access information from anywhere in the world, and the power to harness the cloud to deliver Anything-as-a-Service (XaaS) solutions for almost any conceivable need.

Organizations around the world stand to greatly benefit from cloud computing especially as it offers an unmatched combination of price and reliability. Hospitals, for instance, can use cloud computing to drastically reduce costs as well as to improve patient care. Online video retailers are able to reduce costs by taking advantage of the greater business scalability afforded by cloud computing to adapt to spikes in demand. The possibilities are truly endless.

One of the main draws of cloud computing is its potential to reduce costs in almost any field by outsourcing computing resources to a third-party provider. These great benefits, however, do not come without inherent drawbacks. Among others, regulatory compliance is one of the larger issues facing users of cloud computing. While cloud computing may simplify many tasks, ensuring regulatory compliance by default is not one of them. Compared to physically hosting machines and data on-site, where a company typically has full control over what is stored, how it is stored, and where it is stored, an organization that uses a third-party cloud computing provider does not have such control. This can create potential problems from a regulatory compliance standpoint. The Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) are two of the most widely discussed and implemented regulations that come into play in cloud computing. Another slightly different angle is brought in by the recent Federal Risk and Authorization Management Program (FedRAMP) authorization requirements.



PCI DSS

The PCI DSS is a set of regulations that is responsible for ensuring that companies handle users’ credit card data in a secure and responsible manner. There are 12 sections in PCI that must be complied with; these requirements can be tricky to meet on their own, but throwing cloud computing into the mix creates an even more difficult situation. It might be easy to assume that a cloud company that claims to be PCI compliant is capable of handling credit card data and that your company can simply switch to their cloud and be done with PCI compliance. Unfortunately, not all cloud providers are equal in terms of their level of PCI compliance. A cloud provider that claims to be PCI compliant may indeed be just that, but the provider can specify which portion of its service or product is tested for PCI compliance, which could leave your company short-changed if you do not possess all the relevant information. A point to consider is that a cloud provider is simply providing a platform, and it is equally important to investigate the provider’s processes as well as the platform itself. The servers and hardware that the provider uses will not necessarily be PCI compliant on their own; for PCI compliance it is necessary to ensure that the provider implements the proper safeguards, segregation of duties, and patching, among other things. Proper logical segmentation is extremely important, considering that physical segregation in a cloud environment is a tricky issue.

In addition to verifying that the cloud provider is PCI compliant, you also need to ensure that PCI compliance is being met at your end as well. This includes, but is not limited to, company security policies, employee awareness training, and system testing. Customer credit card information must be protected throughout the entire purchasing process, from point of sale all the way through the cloud and back.



HIPAA

Every company that works with protected health information (PHI) must follow the rules in place under HIPAA. These are strict rules split into three different sections (administrative, physical, and technical) that are set in place in order to protect patient privacy. These rules mainly pertain to how medical information is collected, handled, protected, used, and disclosed. As with PCI DSS, the burden for HIPAA compliance falls on both you and the cloud computing provider. HIPAA requirements can prove to be even more difficult to comply with in a cloud environment. According to HIPAA, you need to ensure that you have the ability to know exactly where PHI data is being physically stored, how many copies have been made, and whether or not the data has been modified. When housing the data yourself this standard is easier to accomplish; however, in a cloud environment this can be more complicated, as you do not have control over or access to cloud hardware. One way around this is to separate your private and non-private data and to only use cloud computing with non-PHI data.

Another potential issue with using a cloud computing provider with HIPAA data is guaranteeing that PHI data has been completely eliminated upon request. In a virtualized cloud environment this may not always be feasible, as data and virtual servers are moved around regularly and you may not always be sure that the data has been fully wiped, as opposed to merely deleted, where only the index entry for the file is removed and the underlying data remains recoverable. If making the move to a cloud computing environment, it is very important to discuss how and where data is stored (and whether you will have the ability to ascertain this information at any given time), how the data is deleted, and also how the data is encrypted while in transit throughout the network and at rest (another HIPAA requirement).

In all cases, it is not sufficient to rest on the fact that a cloud provider claims to be compliant. It is imperative that a discussion takes place in which you are able to obtain details about which portions of the vendor’s services have been tested and deemed compliant. It would be helpful to create a checklist of all requirements and to have your potential service provider state which of these requirements are managed by them, which are managed by you, and which are co-managed. Confirm that you fully understand which aspects are maintained by the service provider and what you still need to do in order to be fully compliant. In some cases it may be helpful to discuss this with a third-party organization that regularly deals with compliance in order to get an objective opinion on the matter. If a company claims that it can provide a 100% compliant solution, you’re advised to take that with a dose of skepticism and to investigate further based on your organization’s specific compliance requirements. In addition, keep in mind that a fully compliant solution that is managed by both you and your provider does not necessarily guarantee total security. The main goal should be to focus on attaining a comfortable level of security, with compliance following as a by-product. Protecting your customers should always be the main consideration in any third-party service agreement, especially when dealing with cloud computing.



FedRAMP

The new NIST-based FedRAMP authorization is needed for any cloud service provider that intends to provide cloud computing services to Federal government agencies. While this is a requirement placed on the cloud service provider itself, it might be a good idea for the private sector to look at FedRAMP with a keen eye because it includes a comprehensive control check. Cloud service providers, too, need to seriously consider preparing along the lines of FedRAMP.

FedRAMP is not a certification by design; it is an authorization to operate. So, effectively, if as a cloud service provider you were to prepare your cloud computing infrastructure along the lines of the FedRAMP requirements, you would not only be compliant with the requirements laid down by NIST and the requirements of FedRAMP itself, but would quite likely have covered other information security compliance requirements that your customers may come to expect of you as well. It’s also critical to note that having a FedRAMP compliant infrastructure could enable you to sell cloud computing services to all Federal agencies and serve as a seal of trust and approval for private sector customers as well.



Compliance In The Cloud

The cloud brings with it fresh and lucrative opportunities that businesses the world over can greatly benefit from. However, we do live in a regulated world with strict compliance requirements. Organizations that can find the fine balance between cloud computing and compliance could propel themselves into a new territory of growth and ride the wave in the cloud.




Wednesday, May 15, 2013

Upcoming Webinar: Cloud Computing and the Regulatory Compliance Labyrinth

Date: Thursday, May 30, 2013 
Time: 11:00 AM to 12:00 PM EDT 
Industry: Banking & Finance, Education, Government & Public Services, Healthcare, Hospitality & Leisure, Legal, Manufacturing, Retailers & Wholesalers, Technology, Telecommunication 
Topic: Cloud Computing and the Regulatory Compliance Labyrinth 
Passcode: TBD 

Presented by:  Nick Shuman
 
CPE Credits: A certificate of completion will be provided upon request to those attendees that require the event to count for CPE credits.
 
“The Cloud” – it is a phenomenon that has become one of the hottest buzzwords in technology over the past few years. Organizations around the world stand to greatly benefit from cloud computing especially as it offers an unmatched combination of price and reliability. These great benefits, however, do not come without inherent drawbacks. Among others, regulatory compliance is one of the larger issues facing users of cloud computing. While cloud computing may simplify many tasks, ensuring regulatory compliance by default is not one of them.
 
The cloud poses some unique challenges for a mature market like the United States, where regulatory compliance considerations are at the forefront of every new idea that enters the market. The fact is that while cloud technologies have the ability to be game-changers, this game will have to play out under strict regulatory oversight.
 
Organizations that can find the fine balance between cloud computing and compliance could propel themselves into a new territory of growth and ride the wave in the cloud.
 
Join ERM for this webinar to learn about how you can reap the benefits of the cloud while keeping regulatory compliance in sight. The webinar will cover regulatory requirements and implications of various regulations including the GLBA, PCI DSS, HIPAA, and FedRAMP.

Upcoming Webinar: Information Security for Law Firms

Date: Thursday, May 23, 2013 
Time: 10:00 AM to 11:00 AM EDT 
Industry: Banking & Finance, Education, Government & Public Services, Healthcare, Hospitality & Leisure, Legal, Manufacturing, Retailers & Wholesalers, Technology, Telecommunication
Topic: Information Security for Law Firms
Passcode: TBD
 
We all need it - and so do law firms. So who does your law firm turn to when faced with the need for information security experts? We'll talk about the key considerations and expectations that law firms should have of their information security experts.

Tuesday, May 14, 2013

ERM Press Release: Enterprise Risk Management webinar alerts firms to dangers and consequences of cybercrime


Nearly 300 people from businesses and agencies across the nation registered for the 75-minute webinar broadcast on April 25th and May 2nd of 2013 by Enterprise Risk Management (ERM). The webinar was designed to alert businesses to the risk that system weaknesses pose for breaches, according to Silka Gonzalez, founder and president of the cyber security firm based in Miami, Florida.

The webinar, “Hacking: Security Breaches Dissected,” used case studies to demonstrate the ease with which hackers can access customer or client information, and outlined the kinds of financial harm that breaches can cause to businesses and organizations. These range from negative PR and loss of revenue from customers, through loss of data and intellectual property, to potential litigation and significant fines levied by a wide variety of regulatory agencies that place the burden for compliance and security on cybercrime victims.

Webinar participant Minh Vo, Senior Technical Support Specialist with Dallas Area Rapid Transit, found the presentation to be excellent. “The presenter was very knowledgeable and the information was both good and useful,” said Vo.

Gonzalez, who has worked in cyber security for more than 25 years, says it pays to be preventative. Local and multinational firms, from banks to hospitals to non-profit organizations, hire the 15-year-old company to help them identify, prevent, and control cybercrime.

“We test our clients’ systems to uncover and remedy a wide range of cyber security weaknesses, and we advise them on the full range of security and compliance matters,” Gonzalez said.

ERM has scheduled a webinar on “Security in the Cloud” for later this month, and in July will present a webinar for law firms. For details visit www.emrisk.com or call 305 447-6750.