Cloud provider research, due diligence needed to maintain compliance

In this tip, learn the information you need when choosing a cloud provider to ensure regulatory compliance and protect vulnerable company data.

Organizations generate more data than ever before through applications, email and other computing tasks. Faced with flat IT budgets, companies are turning to the cloud for storage, software and infrastructure.

This is much to the chagrin of the compliance department, which wakes up in a cold sweat thinking about data security. Experts agree, however, that by conducting due diligence, companies can minimize their cloud-related risk and maintain compliance in the cloud.

"Your security teams have to satisfy themselves that what the cloud provider is doing on a routine basis meets or exceeds what they'd do on-premises," said John Howie, chief operating officer of the Cloud Security Alliance.

But enterprises are limited in how they can conduct this due diligence. For example, a cloud provider audit may not be possible because the provider doesn't want hordes of customers tromping through its data centers. Penetration testing could also shut down an enterprise's service because the cloud provider could view it as a legitimate attack, Howie said.

Check cloud provider certification

Because physical audits sometimes aren't possible, reputable cloud service providers should have certifications. In the United States, the two major certifications are ISO/IEC 27001:2005 and SOC 2. The ISO/IEC 27001:2005 certification provides a definition for how to run an information security management system. It does not, however, say whether "you're particularly good at it, and it doesn't say that you have the controls in place [that] are actually working," Howie cautioned. "It just certifies that you have an information security system that understands these problems and is trying to improve."

The SOC 2 certification, which is the replacement for SAS 70 and is based on the audit standard AP 101, contains the five "SysTrust" principles developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants: confidentiality, integrity, availability, security and privacy, according to Howie.

"Privacy is a little bit of a misnomer, because it's not privacy of the customer's data," he said. Rather, it means the privacy of the cloud provider's customer, not the customers of the company that signs up for service.

To ensure the cloud provider's controls are adequate and working, SOC 2 requires an audit by a large firm. A SOC 2 report is then presented that contains detailed information about vulnerabilities and the environment as a whole. These details often make cloud providers hesitant to let customers see the results of SOC 2 reports, Howie said.

Ask providers relevant questions

Before choosing a cloud provider, companies need to ask prospective vendors some hard questions to ensure they'll stay on the right side of regulators. "It's about asking questions around what arrangements are going to be in place to protect your information … from the creation stage to the processing, the storage, the transmission and, of course, destruction," said Steve Durbin, global vice president of the Information Security Forum. Eventually, the contract with the provider will end, and organizations need to know what will happen to their data when that occurs, he added.

Other questions should include how secure the connection is, including whether a VPN is required to connect, and what the availability is, Durbin said. Companies also need to ask encryption-related questions, including whether the data needs to be encrypted, what facilities the cloud provider has to encrypt data and whether data should be encrypted before being transmitted to the cloud service, he added.

Physical security is also important, according to Mac McMillan, current chairman of the HIMSS Privacy and Security Policy Task Force and CEO of Austin, Texas-based IT security consulting firm CynergisTek. Questions should include how the cloud provider controls physical access and how systems are protected from other customers' data in colocation situations.

Finally, companies should check on the status of the cloud provider's insurance, McMillan said. For example, if there's a security breach, it's important to know if the provider will indemnify the customer and pay for the notifications, he said.

Beware the fine print during contract negotiations

The due diligence doesn't stop at the negotiating table. There is no one provision to include in the contract to maintain compliance in the cloud, but careful language can help limit liability, according to Robert Scott, managing partner at Southlake, Texas-based technology law firm Scott & Scott LLP.

"If you outsource to a third-party cloud service provider to handle or store personally identifiable, financial or healthcare information that's regulated in any way, the law has a non-delegable duty that you can't just outsource these legal responsibilities," Scott said. Even changes to payment card industry compliance standards, which now apply to third-party services, do not absolve enterprises of maintaining regulatory compliance in the cloud, he said.

Enterprises need to ensure that their cloud services providers agree to be bound by the same regulations that they are, Scott said. For financial institutions, that means adhering to regulations such as the Gramm-Leach-Bliley Act, for example.

One thing to be wary of in contracts is provisions where the cloud services provider asks the enterprise to agree to limit data breach liability, Scott cautioned. "Such a provision could work to significantly limit the availability of insurance and/or the ability to recover for privacy-related claims that result from a data breach," he said.

Contracts are always negotiable, and any reasonable cloud provider will be willing to negotiate with a customer regarding legitimate regulatory compliance, data security and privacy concerns, Scott said. "They're not going to be a successful cloud service provider without being sensitive to customer concerns in those areas," he said.

About the author:
Christine Parizo is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology- and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Prior to launching her freelance career, Parizo was an assistant news editor for SearchCRM.

1 comment

Send me notifications when other members comment.

Please create a username to comment.

The comment made, "The ISO/IEC 27001:2005 certification provides a definition for how to run an information security management system. It does not, however, say whether 'you're particularly good at it, and it doesn't say that you have the controls in place [that] are actually working,' Howie cautioned," is totally wrong and inaccurate.
An ISO 27001 audit does in fact ensure the proper controls are in place and that they are working properly. It also in fact points out and documents deficiencies (in more detail than SOC 2). An organization must also take corrective action to correct those deficiencies or face losing their certification. Another inaccuracy is that SOC 2 is NOT a certification. It is an attestation. STAR Certification and STAR Attestation (while not mentioned here) increase the rigor of both, and the many hundreds of man-hours put in by the CSA OCF team and its volunteers are not given credit here for whatever reason. The OCF is a concerted effort to increase transparency in the cloud.