Mastering Compliance in the Cloud
It’s no secret that regulatory compliance can be complex and confusing. Compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), have elements that are open to interpretation. Rapidly changing technologies and frequent updates to the standards muddy the picture further.
Meeting compliance requirements isn’t something that can be continually delayed. The requirements can affect everything from the desktop to the data center. Not complying can result in large fines, as well as lost business, damage to the organization’s reputation and other business-wrecking effects. With this in mind, it’s important to have a plan in place to tackle compliance in the cloud.
Understanding Compliance Standards
Before approaching strategies for compliance in the cloud, it’s important to understand the compliance standards that businesses can be responsible for.
First, HIPAA pertains to organizations that deal with protected health information (PHI), ranging from healthcare systems to insurance providers. PCI DSS contains specific requirements for any company that directly or indirectly touches credit card information.
With so many organizations handling credit card data and subject to PCI requirements, there’s a big market for CSPs to target with PCI-compliant IT services. Not surprisingly, many CSPs tout being “PCI compliant” or “PCI certified” to get their share of the market. But just because a CSP says it’s PCI compliant doesn’t make it so. It’s essential to verify that any CSP your organization is considering has been audited by a Qualified Security Assessor under PCI DSS as a service provider and that its cloud infrastructure operations are compliant.
A CSP that has undergone the required independent PCI audit should be willing to provide its attestation of compliance, which documents that all processes and components under its control meet the PCI DSS requirements. If your business conducts over six million credit card transactions annually, it is recommended that the CSP be on the “Level 1 Service Provider” list for major card brands, including VISA. A CSP should also be able to provide you with a responsibility matrix outlining your responsibility and the CSP’s for each PCI DSS control.
Once you’ve determined that the CSP you wish to work with is PCI- and/or HIPAA-compliant, you need to understand your organization’s compliance requirements and who will be responsible for each of them.
The Responsibilities of CSPs
The CSP will be responsible for protecting the underlying infrastructure that powers its colocation, network services and cloud services, including:
- Network infrastructure
- Operation and physical security of the data centers
- Patching, upgrading, and managing compute, storage and network resources
- Ensuring hypervisors and portals are secure, patched, and available to customers
Many CSPs also offer managed security services with their cloud solutions. If your organization chooses to take advantage of these services, you can generally expect the CSP to be responsible for security configuration tasks such as patching, IPS deployment, and firewall configuration and rule management. However, your organization will still be responsible for ensuring that user account credentials are secure.
The Responsibilities for Your Organization
Your organization will be responsible for the security of your data, applications and the operating system, as well as any of your equipment that is housed in the CSP’s data center. The responsibilities may include:
- Limiting access to administrator accounts
- Utilizing strong passwords and multifactor authentication
- Patching your operating systems and applications
- Managing the data center access list for your employees
- Abiding by the CSP’s security protocols at data centers
- Encrypting data at rest and in transit
- Maintaining centralized log files and monitoring security alerts
There are also several issues to consider in terms of both PCI and HIPAA compliance when working with CSPs. Among them is the question that comes up during compliance audits of where your data resides and what protective measures are in place. With cloud services, answering that is sometimes easier said than done.
Many CSPs employ a network of data centers that work together to provide high availability and security of your data. As a result, the data may be moved to different data centers across large geographic spans based on service levels, resource demand, cost, latency, disaster recovery and business continuity needs. For security reasons, CSPs may be reluctant to divulge the location of their data centers or where data is specifically located at any one time.
Things can become more complex in the case of global providers. With the European Union’s implementation of the General Data Protection Regulation (GDPR), it is important to know where your data resides. Almost every business is touched by the impact of GDPR. Your business may be accountable for telling your customers where their data is, so using a CSP that has experience with this is important whether your organization is U.S.-based or is just doing business in the U.S. Work with a CSP that can help you know where your data is and can participate in your compliance program.
Neither PCI nor HIPAA specifically stipulates that data must be stored within U.S. borders, but both require proof that controls are in place to protect the data. It is important to understand how your CSP integrates into your security and compliance programs.
The bottom line is to make sure you know where your data resides and what controls the CSP has in place to protect it. Be sure to require documentation showing where the CSP’s servers are located and obtain the CSP’s responsibility matrix. Finally, ensure that the specifics are spelled out in your service level agreement with the CSP to master compliance in the cloud.
About the Author: Trevor Bidle has been information security and compliance officer for US Signal, the leading end-to-end solutions provider, since October 2015. Previously, Bidle was the vice president of engineering at US Signal. Bidle is a certified information systems auditor and is completing his master’s in Cybersecurity Policy and Compliance at The George Washington University.
Edited by Maurice Nagle