In my recent piece on cloud compliance complexities, I discussed the changes -- and challenges -- that cloud computing presents to enterprise organizations. To be sure, there are a number of serious compliance issues you need to consider as you roll out your cloud strategy.
Based on observations in my own work and discussions with compliance and IT-centric attorneys, here are the questions you should ask if you’re going to maintain a sound cloud compliance strategy:
1. How are your cloud computing providers addressing industry-specific requirements for health care, finance, retail and so on? Do your cloud computing providers employ compliance experts in your industry?
2. Do your cloud computing providers have locations in various jurisdictions? Does the location of your system impact any compliance requirements (e.g. data crossing state lines or international boundaries)?
3. How are information classification, retention and destruction being handled? The cloud provides a great opportunity for additional data breaches -- even after your data has been “destroyed.”
5. Who owns your data? What are the cloud computing provider’s rights for handling your data? What about your rights to access your data when you need it? If these aspects are not spelled out up front, you could be asking for trouble -- another reason to get your legal counsel involved when developing your cloud strategy.
6. Will data be co-mingled (located with other customer data in the same database behind the same Web applications)? Co-mingling of data can lead to serious security breaches: All it takes is one security flaw in the cloud to put not only another business’s data at risk, but your data too.
7. How are security assessments addressed? Can you use your own scans at will or do you have to rely on someone else’s audit report that’s undoubtedly going to miss a lot of application-level issues? At a minimum, you should ask to see their most recent security assessment report.
8. What are your service-level agreement (SLA) metrics? How are you (or your cloud computing provider) going to measure their performance? Is uptime -- and therefore business continuity -- all you need? What about patching, system monitoring and so on?
9. Do you truly understand the resilience of your cloud computing providers? What’s going to happen when there's a breach? Are everybody’s expectations set regarding who’s responsible for what? Reviewing providers' independent security assessment reports, as well as their disaster recovery and incident-response plans, is crucial.
10. Have you asked your attorneys how your cloud strategy is going to impact your contracts, policies, SLAs and so on? Was their answer to simply address these items via contracts and policies? Remember: What’s on paper does not necessarily reflect reality, nor can it prevent a security breach.
11. What other protective controls do you have in place both on the technical side and on the legal side? Can you cancel your contract based on X, Y or Z performance or security issues?
12. What’s going to happen when your cloud computing provider is acquired by another company?
Laws and lawyers, in and of themselves, are not going to protect your data in the cloud. It’s up to you to ask these kinds of questions to ensure that reasonable controls are put in place and properly maintained. Don’t be afraid to ask the hard questions when developing your cloud strategy. Otherwise, your cloud computing providers may just keep moving forward without your business’s best interests in mind.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.
This was first published in February 2011