Most security and compliance mandates were simply not designed with cloud environments in mind – an unfortunate state of affairs as a huge amount of our data is about to go "cloudwards".
Even recent updates to common compliance mandates such as PCI DSS 2.0 do not adequately address compliance issues when using cloud services. The key benefits of cost saving, agility, collaboration and availability often overshadow the implications of expanding your audit scope to include your chosen cloud provider. How do you guarantee your compliance when moving to the different forms of cloud services?
First, you should understand what responsibilities both you and your cloud service provider have. Software as a Service (SaaS) providers will manage the application and data; therefore you will need to understand if the provider has already achieved their compliant status or whether they supply methods to support your audit. Cloud backup services are good examples of Infrastructure as a Service (IaaS) providers.
Key issues to understand here are what data is passed to the cloud and how the data is protected in transit, as well as what reporting, discovery and restoration options are available. Platform as a Service (PaaS) providers will have a compliance responsibility that extends only as far as the platform level. Compliance responsibility for higher layers, such as operating systems and application data will remain with you, so determining complete audit evidence gathering will be a joint responsibility.
As a general strategy you should assess the impact of adopting cloud services from an audit perspective - how far does your scope extend? Will you be able to provide the correct level of evidence for your audit? Is your data commingled? How are controls implemented and reported upon? Accreditations such as SAS70 and ISO27001/2 certification are valuable for cloud providers, but do not assume they substitute for demonstrating your compliance.
Cloud adoption brings new challenges in the form of service level agreements and legal contracts. Will the service be portable? Are there jurisdictional considerations? What if there is sudden termination of the contract from either party? Early legal assessments are critical. Ensure your provider offers you the right to audit the service wherever possible and be mindful of provider supply chains within cloud services. Often, cloud providers will use other providers to add extra service features, how will these providers affect your scope?
Given these factors, ensuring compliance when moving to the cloud will be, for many, a challenging journey. Organisations should adopt a multi-layered strategy as they look to embrace the cloud. Ultimately, cloud compliance service brokers will be able to support an organisation's cloud compliance requirements. These brokers will need to support three key areas - a policy engine to govern policy throughout the service supply chain; a protection layer to authenticate users, devices and transactions; and finally a monitoring layer to enable enforcement and reporting on policy. As cloud compliance brokerage services will not be mainstream for some time, one of the best ways to address compliance concerns in the interim is to engage with auditors that understand the issues you're trying to overcome. Such "cloud conscious auditors" should be able to help you navigate your journey towards cloud with minimal risk to your compliance.
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².
This was first published in March 2011