When a company's applications reside on its on-premises servers, the company is solely responsible for fulfilling regulatory compliance requirements. The business may move applications and data to the cloud, but it can't shift all compliance responsibility. There's no escape, and that's why a complete understanding of cloud providers' and application owners' regulatory compliance requirements is a must.
A company can leverage the off-premises IT function to reduce the considerable effort involved in fulfilling regulatory compliance requirements. However, compliance only occurs when the company does its due diligence in examining a number of cloud service providers (CSPs), followed by a wise selection. Without that research, satisfying compliance responsibilities becomes a nightmare. Dealing with regulatory compliance is a primary reason why companies stay away from public clouds.
Breaking down regulatory compliance responsibilities
All of the compliance standards include a strong dose of security requirements covering information confidentiality, integrity, availability, authentication, auditing and logging, and change management. This is the case for regulations such as the Sarbanes-Oxley Act (SOX) of 2002, the Payment Card Industry (PCI) standard of 2004, and the Federal Risk and Authorization Management Program (FedRAMP).
Regulatory compliance in the cloud can be broken down into several key areas that include data privacy, information security, various government regulations, industry-specific regulations (HIPAA, PCI, etc.) and more. Some requirements carry more weight under one regulation than under another, but in some way the necessary actions are common to many of the compliance standards that have been enacted:
- Confidentiality: Information must be kept confidential to prevent unauthorized parties from accessing it.
- Integrity: Records should not be modifiable by unauthorized people or entities.
- Availability: Systems need to be designed to properly handle errors and withstand denial-of-service attacks.
- Authentication: This involves making information available only to authorized individuals and maintaining resistance to denial-of-service attacks.
- Auditing and logging: Software systems must generate all of the necessary logging information to construct a clear audit trail that shows how a user or entity attempts to access and use resources.
- Change management: Change management supports compliance both from an audit perspective and operationally, by ensuring that all changes meet established policies and the provisions of the related regulations.
Compliance requirements vary by cloud type
Regulatory compliance implications and the sharing of responsibility for off-premises cloud computing are driven primarily by the type of information placed in the cloud and by the service model chosen (public IaaS, public PaaS or public SaaS). While we are focused on IT organizations moving to a public IaaS, take a look at how compliance responsibilities are divided between a cloud service provider (CSP) and a company under each cloud service model. The level of responsibility generally shifts toward the customer as the customer moves from SaaS to PaaS to IaaS.
- Public IaaS
  - Company controls data and applications
  - Company shares virtual server control
  - CSP controls physical servers, storage and networks
- Public PaaS
  - Company controls data
  - Company shares control of applications and virtual servers
  - CSP controls physical servers, storage and networks
- Public SaaS
  - Company shares control of data
  - CSP controls applications, virtual servers, physical servers, storage and networks
Get clarity about sharing compliance responsibilities
With respect to a public IaaS model, the CSP relieves the customer of an operational burden by operating, managing and controlling the components from the host operating system and virtualization layer down to the physical security of the CSP facility. The company remains responsible for the data, applications, solution stack, guest operating systems, antivirus software, firewalls, data encryption, application security, change management, etc. The company allocates the virtual servers and the virtual resources it needs. This is very similar to an on-premises model, except that the CSP controls the physical servers, storage and network, the location where the data is stored, and the physical security of the CSP installation.
A company that is moving some portion of its IT function to a CSP needs to fully understand the level of visibility that it will have into compliance management responsibilities and activities that are outside its direct control. The company should examine CSPs that it is considering engaging to ensure that the CSP selected can meet the company's security and operational needs, such as PCI DSS compliance validation, before signing any type of agreement with the CSP.
The company should understand its rights to availability with its CSP in order to determine how the CSP can provide ongoing assurance that the required controls are in place. Organizations should use continuous monitoring for visibility into which of the services the CSP provides relate to regulatory and operational requirements. The flow-through of a company's own customers' regulatory requirements, as embedded in contracts, is often overlooked. These requirements should also be taken into consideration when negotiating with CSPs.
When sharing IT responsibilities with CSPs, the company must contend with several issues:
- Clarification of security responsibilities: A company that migrates regulated data to a public cloud environment will have to rely on its CSP for some of its compliance measures. The discussion of cloud service models above shows how the division of security responsibility is typically drawn.
- Addressing data location requirements: Some regulations stipulate where sensitive information can and cannot reside. U.S. government agencies need to be assured that the CSP will not store or manage information in facilities outside the U.S. In other cases, a company may require that data be stored within a specific country's borders.
- Protection against internal threats: A company may have to guard against insider threats from malicious internal administrators and against unauthorized migration of virtual servers to other virtual servers. Sensitive data should not be left on an unauthorized server.
- Security policy enforcement: The company and the CSP must have visibility over the enforcement of security policies.
Don't forget these side issues
The regulatory requirements you have to worry about in the cloud are generally the same ones you have to worry about on-premises. But there are additional issues to worry about, which can be framed with these questions: Where is my data stored? Can I trust the CSP with my data? If I need it quickly, can I get it?
A CSP that is certified compliant with the regulations you need does not automatically make your company compliant with those regulations.
Compliance is viewed as a big obstacle toward widespread cloud adoption, and rightly so. It is driven by law and legislation so there is no choice but to comply. Some compliance requirements are under the CSP's control. A CSP can help a company achieve compliance requirements and ease the process of maintaining compliance, but the company must carefully select the CSP. CSPs such as AWS that are focused on providing a platform to support enterprise applications have made security and compliance a core component of their operations.
Compliance responsibilities, whether in an on-premises IT organization or an off-premises cloud environment, should not be treated as a one-time occurrence but as an ongoing process to be managed and monitored. This stems from balancing a generally monolithic regulatory environment with the fluid technology environment that is the cloud. Regulatory requirements change slowly, so IT organizations need to be prepared for disconnects between those requirements and the technologies they are intended to regulate. This disconnect can cause a heightened sense of concern among regulators, as well as regulations that fail to address emerging challenges.
About the author:
Bill Claybrook is a marketing research analyst with over 35 years of experience in the computer industry with the last dozen years in Linux, open source and cloud computing. Bill was research director, Linux and Open Source, at The Aberdeen Group in Boston and a competitive analyst/Linux product-marketing manager at Novell. He is currently president of New River Marketing Research and Directions on Red Hat. He holds a doctorate in computer science.