Cloud compliance ensures that the cloud services offered by cloud service providers, such as AWS (Amazon Web Services) and Google, via the cloud meet the compliance requirements of their enterprise customers, including local, state, federal, and international security standards, laws, and regulations. These requirements include but are not limited to:
- HIPAA (Health Insurance Portability and Accountability Act) health care industry laws that ensure data security and patient privacy.
- PCI DSS (Payment Card Industry Data Security Standard), which ensures security for payments made with credit, debit, or prepaid cards.
- GDPR (General Data Protection Regulation), a data protection law that mandates that all companies doing business within the European Union (EU) member states comply with stringent new rules around protecting the personal data and privacy of EU residents.
- ISO 27001 and 27002 (International Organization for Standardization), 27001 is the most popular in the ISO 27000 family of standards with the purpose of managing information security management systems (ISMS). It helps organizations manage the cybersecurity of a variety of assets, including financial information, intellectual property, employee personal information, and third-party data. ISO 27002 guides organizations in selecting, implementing, and managing controls on their cybersecurity risk environment—the controls on risks to the confidentiality, integrity, and availability of information in their information systems.
Cloud service providers must also ensure that their cloud services comply with their customers’ rules, policies, and industry standards.
While it’s true that migrating from an on-premises environment to a cloud environment can be challenging, those challenges aren’t insurmountable. The key is for organizations to work with the right cloud service providers.
To help in these efforts, NIST (National Institute of Standards and Technology) created the Cybersecurity Framework following a Presidential Executive Order to manage risks across cloud computing environments, including those offered by public cloud service providers, such as AWS, Microsoft Azure, and Google Cloud.
It’s also important for companies to understand their compliance requirements and what their cloud service providers offer because compliance failures can lead to lawsuits, cybersecurity incidents, regulatory fines, and damage to their reputations.
In addition, any organization that has access to electronic protected health information (ePHI) must ensure that its data center provider is HIPAA-compliant, which means that it provides the required levels of data security. Whether a cloud customer uses a private cloud or a public cloud, it’s critical that the company examines the effectiveness of the information security precautions of its cloud provider the same way it would look at its own internal security.
For example, companies can select the cloud services of cloud service providers that have achieved cloud compliance certifications. However, not all cloud compliance services can be certified. So organizations should look for cloud service providers that may have found other ways to meet compliance requirements, such as adhering to more stringent standards.
When it comes to cloud compliance, companies must understand the scope of potential cybersecurity incidents and what types of incident response mechanisms they and their cloud service providers have in place to deal with these incidents. Organizations should document these incident response strategies in their incident response plans.
Finally, when organizations are researching cloud service providers, they should be sure to ask for detailed documentation locations of their servers. The servers that cloud service providers use to store data should be located in the United States, according to a majority of industry standards and regulations. The reasoning behind US-based servers and data centers is that countries outside of the U.S. have different privacy and information security laws, regulations, and standards.