With the rapid adoption of cloud computing technologies, IT organizations have found a way to deliver applications and services more quickly and efficiently to their customers, incorporating the nearly ubiquitous utility-like platforms of managed cloud services companies. The use of these cloud technologies are enabling the delivery of messaging platforms, financial applications, Software as a Service offerings, and systems consolidation in a manner more consistent with the speed of the business.
However, audit and compliance teams have been less aggressive in adopting cloud technologies as a solution of choice for a variety of reasons – there may be a lack of understanding of what security components are available in cloud; there may be a concern that the controls in cloud are inadequate for securing data; or, there may be a fear that control over the environment is lost when the application and data move to the cloud. And, while these concerns are understandable, there is an ever-growing recognition of the security and compliance benefits available in managed cloud services that are putting to rest the minds of corporate audit and compliance teams.
Here are five steps you can take to ensure that your audit and compliance team is comfortable with the cloud:
1. Understand and be able to relay the compliance requirements to your cloud service provider. I have worked with organizations in all industries with a wide variety of regulations, and the most successful organizations adopting cloud come with a very in-depth understanding of what security controls and technologies are necessary to meet the compliance of their own organizations. For example, we had a large provider of healthcare services approach us with a request to move a portion of their environment to cloud. This environment contained Patient Health Information (PHI), and the customer knew that, in order to pass their audit, they must be able to:
a) Enforce their own security policies in the new environment including password policies, standard builds, change management, incident handling, and maintenance procedures.
b) Incorporate specific technologies in the environment including file integrity monitoring, intrusion detection, encryption, two-factor authentication, and firewalls.
c) Integrate the security architecture into their already robust security operations processes for multisite event correlation, security incident response, and eDiscovery.
By ensuring that the cloud environment was architected from the very beginning with those controls in mind, the audit and compliance team had very little work to do to ensure the new environment would be consistent with the corporate security policies and achieve HIPAA compliance.
2. Select a cloud provider with a history of transparency in security and policies built into the cloud platform. It is extremely important that the controls in place supporting the cloud infrastructure are consistent with those of your organization or that the cloud provider has the flexibility to incorporate your controls into the cloud environment that will house your data. It is important to note that compliance is not one-size-fits-all. An example of this is the financial industry, where there are very specific controls that must be incorporated into an IT infrastructure, such as data retention, data classification, business continuity, and data integrity. Be sure that the managed cloud services provider is able to incorporate those policies that differ from the standard policies. Key policies and services that are often adjustable for different industries include the following:
a) Data and Backup Retention
b) Data encryption at rest and in transit
c) Business resumption and continuity plans
d) eDiscovery and data classification policies
e) Data integrity assurance
f) Identity and access management
Most organizations maintain a risk management program. If your company has a risk assessment process, include your provider early to ensure that the controls you need are included. If your organization does not, there are several accessible questionnaires that you can tailor to suit your needs. Two great resources are the Cloud Security Alliance (https://cloudsecurityalliance.org ) and the Shared Assessments program (http://www.sharedassessments.org ).
3. Understand what the application, the data, and the traffic flow look like. It is not uncommon for a cloud customer not to understand exactly what data exists in the system and what controls need to be incorporated. For example, one of the early adopter of cloud services I worked with years ago did not know that the application they hosted processed credit card transactions on a regular basis. When they first came to us, they wanted to put their Software as a Service application in the cloud not knowing that one of the uses that a customer of theirs had was to process credit cards in a high-touch retail model – the Payment Card Industry Data Security Standard (PCI DSS) was the furthest thing from their mind. After the end-customer performed an audit, the gaps in security and policies were closed by incorporating those policies and technologies that were made available in the cloud platform. Further, by understanding the transaction and process flow, the customer was able to reduce costs by segmenting the cardholder environment from the rest of the environment, and implemented the more stringent security controls on the environment with the cardholder data
4. Clearly define the roles and responsibilities between your organization and the managed cloud services provider. Some of the roles and responsibilities in a hosted service clearly belong to the hosting provider, and some clearly belong to the customer. For example, in cloud, the underlying cloud infrastructure, its architecture, its maintenance, and its redundancy is clearly the responsibility of the provider; likewise, the application (in many cases) and all of the data maintenance is clearly the responsibility of the customer. However, how an organization assigns roles and responsibilities for everything in between and assigns responsibility for the ongoing compliance of those roles and responsibilities is extremely important to the ongoing management of the compliance program. Remember that some of the controls and security technologies may be in addition to the cloud platform, and your requirements may result in additional services and scope.
5. Gain an understanding of the certifications and compliance you can leverage from your managed cloud services provider. Your managed cloud services provider may have an existing compliance program that incorporates many of the controls that your audit team will require when assessing the compliance of the cloud environment. In many cases, this compliance program, and the audited controls, can be adopted and audited as though they were those of your organization. For example, some cloud providers have included the cloud platform and customer environments in their SSAE 16 (formerly SAS70) program. The SSAE 16 compliance program is audited by a third party, and provides the assurance that the controls and policies that are stated within the provider’s compliance program are in place and followed. By inclusion into that compliance program, you may provide your auditors with a quick path to assessment completion.
The most important thing to remember in moving your environment to the cloud is to be sure to have conversations early and often with your provider regarding your requirements and the specific expectations of the provider. They should be able to provide the information necessary to be sure that your environment includes all of the security and controls to achieve your company’s compliance and certifications.
Allen Allison, Chief Security Officer at NaviSite (www.navisite.com)
During his 20+ year career in information security, Allen Allison has served in management and technical roles, including the development of NaviSite’s industry-leading cloud computing platform, chief engineer and developer for a market-leading managed security operations center; lead auditor and assessor for information security programs in the healthcare, government, e-commerce, and financial industries. With experience in systems programming, network infrastructure design/deployment, and information security, Allison has earned the highest industry certifications, including CCIE, CCSP, CISSP, MCSE, CCSE, and INFOSEC Professional. A graduate of the University of California, Irvine, Allison has lectured at universities and spoken at industry shows such as Interop, RSA Conference, Cloud Computing Expo,
MIT Sloan CIO Symposium, and Citrix Synergy.