Moore’s Law, in its popular form, states that roughly every two years the cost of a unit of processing power is cut in half; as this growth shows no sign of slowing, organizations are constantly balancing the need to keep up with emerging technology against the need to remain secure and compliant with the many rules and regulations that govern them. Cloud computing brings many benefits, but it also poses significant challenges for those tasked with ensuring that cloud service providers (CSPs) comply with regulations and standards. Contracts usually cover several aspects, most notably the scope of the CSP’s products and services, which is typically set out in a contractual document and includes the most common service scopes: service level agreements, cloud support policies, termination policies, disaster recovery and business continuity plans, and security and privacy documents, rules, and regulations.
A CSP’s access to customer data should be limited to monitoring and administering cloud services and resolving cloud-related issues. A CSP, and those enforcing its security standards, should build reports from statistical data on performance and overall cloud operations, specifically to optimize the customer’s use of cloud services. CSP audits must not divulge sensitive information about any customer’s identity or production data, yet they must still identify threats and weak points in the provider’s services and demonstrate compliance with local and government regulations and standards. As one can imagine, the tension between compliance and privacy is never-ending.
Third-party involvement and ownership of intellectual property are particularly challenging in cloud services. Cloud providers generally own every facet of the cloud. Customers, however, generally own what they bring to the cloud, such as applications developed on cloud infrastructure or customer-supplied data. A third party may own data and other cloud components, such as social media, medical and health, real estate, and financial data; these may require separate licensing agreements.
Whether data resides on-premises or in the cloud, it is still the consumer’s data; given this, responsibility for security and privacy obligations cannot be shifted to a cloud provider simply because the provider holds the data. Consumers must conduct the necessary due diligence when selecting a cloud provider; they must also ensure that contractual clauses reflect appropriate security standards. Furthermore, they must obtain audit information and other vital evidence confirming that cloud providers are on par with security regulations. All cloud providers need to be in alignment with security standards such as ISO/IEC 27002, the Health Insurance Portability & Accountability Act of 1996 (42 USC §1320-d), the Gramm-Leach-Bliley Act (15 USC §6801-6809), COPPA (15 USC §6501-6506), and FTC Act Section 5 (15 USC §45).
Both consumers and providers must agree on security provisions covering aspects such as physical vs. logical controls, encryption and data masking, access control, intrusion detection and network security, disaster recovery and business continuity, audits, and the use of subcontractors to handle data. To help CSPs and their customers align with best-practice security methods, FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government program that provides a standard approach to security assessment, authorization, and continuous monitoring of cloud services and products. For U.S. federal agencies, FedRAMP is mandatory; it helps ensure transparency between government agencies and cloud service providers, automation in day-to-day operations and service monitoring, proper adoption of secure cloud solutions, and confidence and consistency in the security provided through cloud solutions. HIPAA (Health Insurance Portability and Accountability Act) has its own rules and regulations for data usage and healthcare compliance.
While the fundamental aspects of auditing newer cloud models are broadly similar to auditing the client-server architectures of the past, the vast increase in the amount of data and the number of systems that auditors and security personnel must secure is quite intimidating. As with any IT infrastructure, there is no one-size-fits-all approach to the various CSPs; yet by following the recommendations of programs and acts such as FedRAMP and HIPAA, at least as guidelines, one can determine what needs to be audited, what needs to be improved, what risks are present, and how to accomplish all of this within budget. A cloud-service auditor’s job isn’t easy; still, success in the role can bring great benefits to the organization, ranging from increased sales and productivity and reduced CSP costs to preventing security and data breaches and minimizing the risk of hefty fines for non-compliance with the many existing data and cloud regulations and laws.