Regulations in the Cloud

In document ARCHITECTING THE CLOUD (Page 104-107)

There are a number of regulations that apply to systems being built in the cloud. Some are industry specific, some are specific to the type of data and transactions that are being processed, and others are standards for any cloud-based system. For companies building software in the cloud, there are two parties that have a responsibility to adhere to compliance: the CSP and the company building the applications. The fact that a company like Amazon Web Services (AWS) is certified for the ISO 27001 standard does not make the applications built on top of AWS compliant. It simply means the infrastructure layer can pass the audit. The company building and managing the application stack and application layer has to have all of the proper controls in place to ensure that the entire application can pass the audit. Table 7.1 offers a list of some of the regulations that can come into play when building cloud services.

To pass audits pertaining to software best practices, security, and privacy, a company must have controls and processes in place in the following categories:

Incident management
Change management
Release management
Configuration management
Service level agreements
Availability management
Capacity planning
Business continuity
Disaster recovery
Access management
Governance
Data management
Security management

This is another reason the myth that cloud solutions are not secure is completely false. In order to become certified for the standard regulations for cloud computing, a company must pass audits by implementing approved processes and controls in all of these categories. Many on-premises solutions were never held to that same standard. We will discuss some of these categories in detail later in the book.

Table 7.1 Regulations and Controls

Audit                 Category      Description
ISO27001              Software      International standards for computer system
SSAE-16               Security      Controls for finance, security, and privacy
Directive 95/46/ec    Security      European security and privacy controls
Directive 2002/58/ec  Security      European e-privacy controls
SOX                   Financial     U.S. public company financial accountability controls
PCI DSS               Credit Card   Security and privacy of credit card information
HIPAA                 Health        Security and privacy of health care information
FedRAMP               Security      U.S. government security standards for cloud computing
FIPS                  Software      U.S. government standard for computer systems
FERPA                 Education     Security and privacy of education information

There are many more regulations that can fall into scope. Each country may have its own laws that must be adhered to, as well. The type of application and the customer base have a lot to do with the regulations that apply.

For example, many social media sites do not feel the need to invest in passing various audits. Most simply post terms and conditions of what the company's responsibilities are and the user accepts them as is in return for using the services. For business-to-business (B2B) companies, adherence to regulations is much stricter. Customers of CSPs that are corporations have much greater responsibility and requirements than individual consumers. For example, an individual using a cloud service like Twitter can choose to opt in and assume the risks as defined in the terms of services or she can choose to not enroll. If an individual opts in, she relies on Twitter to uphold its part of the agreement by keeping her data secure and private. If Twitter fails to do so, there is not much an individual can do other than choose to close her account.

Now let's look at Chatter, a Twitter-like cloud service for social collaboration within the enterprise. Even though Twitter and Chatter are conceptually very similar services, the risk of a breach of Chatter data is exponentially more serious than Twitter data. The reason is because Chatter is used internally for business discussions and to connect with customers and suppliers. The information shared using this technology is not for public knowledge. A breach could expose a company's secrets, upset customers and partners, and create a public relations nightmare for the company. Salesforce.com, the company that sells Chatter services, must comply with numerous regulations in order to gain the confidence of businesses if they are to become paying customers.

Here is what decision makers need to know when it comes to regulations.

For Infrastructure as a Service (IaaS) and PaaS CSPs, gaining certifications for numerous regulations is a key to customer acquisition. Minimally, a CSP should be certified in ISO 27001 and SSAE-16 SOC1 and SOC2. If the provider expects to have health care customers, it should get certified in HIPAA. PCI compliance is critical if the CSP expects any type of application that accepts payments to be run on its infrastructure. There are a variety of government regulations like Federal Information Processing Standards (FIPS) and the Federal Risk and Authorization Management Program (FedRAMP) in the United States that certain government agencies require CSPs to comply with. Often, companies and government agencies leverage private cloud IaaS and PaaS solutions to get around the lack of certifications in the public cloud space. In these cases, the risks far outweigh the benefits of elasticity and resource pooling that are sacrificed when cloud services are performed in a private cloud setting.

Recently, public IaaS providers have been getting certified in federal regulations in an attempt to attract business from government agencies. AWS has launched a dedicated region called GovCloud that meets the regulatory requirements of the government and isolates the government applications installed in that region from the rest of AWS's customers. This is a semiprivate community cloud running on a public IaaS only for certain government agencies.

For SaaS CSPs, privacy is a key issue because all of the data management is the responsibility of the service provider. Most SaaS contracts have a software escrow provision to account for what happens to the data if the solution is unavailable for a long period of time or if the company goes out of business.

The software is deposited in a third-party agent's escrow account and turned over to the consumer of the SaaS solution if the CSP declares bankruptcy or fails to meet the contractual obligations. CSPs that transfer data across international boundaries must meet the regulatory requirements of the safe harbor law. EU safe harbor law prohibits the transfer of personal information to and from European Union (EU) countries to non-European companies that do not meet the EU standards for privacy. Any SaaS provider hoping to sell to EU countries or customers that integrate with EU customers will have to adhere to EU regulations as well as many of the regulations just listed. The good news is that there is a great deal of overlap in these regulations.

The combination of ISO 27001 and PCI regulations is a superset of the majority of the remaining regulatory requirements. Some auditors even have the capability to combine the auditing efforts into a single engagement so that they can audit all of the processes and controls in one pass and produce multiple audit reports, thus reducing the overall cost and time to complete the audits.