Twelve ways to keep your cloud strategy compliant

In my recent piece on cloud compliance complexities, I discussed the changes -- and challenges -- that cloud computing presents to enterprise organizations. To be sure, there are a number of serious compliance issues you need to consider as you roll out your cloud strategy.


Kevin Beaver

Based on observations in my own work and discussions with compliance and IT-centric attorneys, here are the questions you should ask if you’re going to maintain a sound cloud compliance strategy:

1. How are your cloud computing providers addressing industry-specific requirements for health care, finance, retail and so on? Do your cloud computing providers employ compliance experts in your industry?

2. Do your cloud computing providers have locations in various jurisdictions? Does the location of your system change any compliance requirements (e.g. when data crosses state lines or international boundaries)?

3. How are information classification, retention and destruction being handled? The cloud provides a great opportunity for additional data breaches -- even after your data has been “destroyed,” since copies can linger in provider backups, snapshots and decommissioned storage unless the contract and the provider's process cover those too.

4. What does your privacy policy say? Can you honestly say that your privacy policy accommodates the security and privacy issues associated with all of your cloud computing providers?

5. Who owns your data? What are the cloud computing provider’s rights for handling your data? What about your rights to access your data when you need it? If these aspects are not spelled out up front, you could be asking for trouble -- another reason to get your legal counsel involved when developing your cloud strategy.

6. Will data be co-mingled (located with other customer data in the same database behind the same Web applications)? Co-mingling of data can lead to serious security breaches: All it takes is one security flaw in the cloud to put not only another business’s data at risk, but your data too.

7. How are security assessments addressed? Can you use your own scans at will or do you have to rely on someone else’s audit report that’s undoubtedly going to miss a lot of application-level issues? At a minimum, you should ask to see their most recent security assessment report.

8. What are your service-level agreement (SLA) metrics? How are you (or your cloud computing provider) going to measure the provider's performance? Is uptime -- and therefore business continuity -- all you need? What about patching, system monitoring and so on?

9. Do you truly understand the resilience of your cloud computing providers? What’s going to happen when there's a breach? Are everybody’s expectations set regarding who’s responsible for what? Reviewing providers' independent security assessment reports, as well as their disaster recovery and incident-response plans, is crucial.

10. Have you asked your attorneys how your cloud strategy is going to impact your contracts, policies, SLAs and so on? Was their answer to simply address these items via contracts and policies? Remember: What’s on paper does not necessarily reflect reality, nor can it prevent a security breach.

11. What other protective controls do you have in place both on the technical side and on the legal side? Can you cancel your contract based on X, Y or Z performance or security issues?

12. What’s going to happen when your cloud computing provider is acquired by another company?
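Question 6 above warns that co-mingled data turns one application flaw into everyone's breach. The following is an added example, not code from the original article or from any provider: a constructed multi-tenant invoice table in an in-memory SQLite database, with the unscoped lookup that exposes another customer's rows beside the tenant-scoped version that does not. The tenant and invoice identifiers ("acme", "globex", ids 100, 101, 200) and the function names are assumptions made for the illustration.

```python
"""Added example (not from the original article): how co-mingled tenant data
leaks through a single missing check in a shared web application.

Constructed scenario: two customers' invoices live in the same table behind
the same application. The only thing separating them is the tenant_id column
and the application's discipline in filtering on it every single time.
"""
import sqlite3
from typing import Iterable, List, Optional, Tuple

Row = Tuple[int, str, int]  # (invoice id, tenant id, amount)


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding constructed invoices for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " amount INTEGER NOT NULL)"
    )
    # Constructed sample data: ids are sequential, so they are easy to guess.
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(100, "acme", 500), (101, "acme", 750), (200, "globex", 9000)],
    )
    return conn


def get_invoice_unscoped(conn: sqlite3.Connection, invoice_id: int) -> Optional[Row]:
    """Vulnerable: trusts the caller-supplied id alone.

    In a shared database this is the one flaw question 6 describes: any
    authenticated customer who changes the id in the URL reads any tenant's row.
    """
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice_scoped(conn: sqlite3.Connection, tenant_id: str, invoice_id: int) -> Optional[Row]:
    """Hardened: the tenant comes from the authenticated session, never from the
    request, and every query carries it in the WHERE clause, so a foreign id
    simply returns nothing (fail closed)."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, tenant_id),
    ).fetchone()


def leaked_rows(conn: sqlite3.Connection, tenant_id: str, ids: Iterable[int], scoped: bool) -> List[Row]:
    """Simulate a customer of `tenant_id` enumerating invoice ids and return the
    rows belonging to OTHER tenants that the lookup hands back."""
    leaked: List[Row] = []
    for invoice_id in ids:
        if scoped:
            row = get_invoice_scoped(conn, tenant_id, invoice_id)
        else:
            row = get_invoice_unscoped(conn, invoice_id)
        if row is not None and row[1] != tenant_id:
            leaked.append(row)
    return leaked


if __name__ == "__main__":
    db = build_db()
    # The "acme" customer walks ids 100..200 against both implementations.
    print("unscoped leak:", leaked_rows(db, "acme", range(100, 201), scoped=False))
    print("scoped leak:  ", leaked_rows(db, "acme", range(100, 201), scoped=True))
```

The point for a compliance review is that tenant isolation in a shared database is a convention enforced by every query the provider's developers write, not a property of the platform; one forgotten `AND tenant_id = ?` anywhere in the application exposes every customer's rows, which is why the article asks whether you can run your own application-level assessments rather than rely on a generic audit report.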

Laws and lawyers, in and of themselves, are not going to protect your data in the cloud. It’s up to you to ask these kinds of questions to ensure that reasonable controls are put in place and properly maintained. Don’t be afraid to ask the hard questions when developing your cloud strategy. Otherwise, your cloud computing providers may just keep moving forward without your business’s best interests in mind.

Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.

This was first published in February 2011
