Cloud Compliance Cheatsheet

Cloud computing continues to see significant growth; see the recent results for Amazon Web Services and Microsoft Azure. Cloud customers are rightly attracted by significant infrastructure cost savings, improved time to market and the agility to scale with market demand, but the security capabilities of each cloud service should still be vetted thoroughly. The emerging details of the Wendy’s credit card breach and the Iowa City hospital data breach are some of the latest reminders of the hostile computing environment we operate in today. The risks of doing business in the Internet age have also bequeathed us scads of regulations and legislation (e.g. HIPAA/HITECH, PCI-DSS) intended to pair the convenience and efficiency of doing business on the Internet with appropriate safeguards against attacks that could expose sensitive data. So what implications does migrating your systems to the cloud have for your compliance? The Cloud Security Alliance recently surveyed IT professionals and found that regulatory compliance was a top challenge for 38% of respondents. Moving significant parts of your infrastructure, or even a single application, into the cloud may have important implications for your business’s data privacy/protection compliance.

The major cloud infrastructure providers are well aware of the variety of data privacy/protection concerns their customers face. Following is a quick rundown of some of the major concerns and brief explanations of how the cloud service providers address them. The intent here is awareness rather than comprehensive compliance information; consult each provider’s own compliance documentation for platform-specific details.

HIPAA — HITECH

The Issue — Hackers value healthcare data more than credit card data. Any business that collects, uses or transmits Protected Health Information (PHI) must comply with a variety of regulations. Most notably in the U.S., HIPAA and HITECH require that covered entities and their vendors/associates safeguard PHI and, in the event of a breach, follow a defined breach notification process.

How the Cloud Complies — In the context of a healthcare system, a cloud infrastructure provider that handles PHI is a “Business Associate” under HIPAA and, as such, must contractually commit to handle PHI in accordance with HIPAA/HITECH. The major cloud providers offer standard Business Associate Agreements (BAAs) in which they assume responsibility for their side of HIPAA compliance. Note that not all services offered by a provider are covered by its BAA, and that signing a BAA does not by itself make your workload compliant: you remain responsible for configuring the covered services (encryption, access control, audit logging) and for everything you build on top of them. Check each provider’s list of BAA-eligible services before designing a system that will hold PHI.

EU Data Privacy

The Issue — The EU strictly regulates the handling of its citizens’ personal data, including its transfer outside the member states (the Google Spain “right to be forgotten” ruling is a prominent example of how seriously EU courts take personal data); see the EU Data Protection Directive 95/46/EC and the Data Protection Reform. Any personal data transferred outside the European Economic Area should be covered by the EU Standard Contractual Clauses (commonly called the EU Model Clauses), which dictate how that data may be transferred and place strict limitations on how it can be used.

How The Cloud Complies — There are two options for complying with the EU personal data transfer regulations when using cloud services:

  • Stay in the EU — Major cloud service providers offer data centers throughout the globe, typically called “regions”. Among other considerations that prompt segmenting or “sharding” your business’s data, such as proximity to customers, choosing an EU region to host the services that handle EU citizens’ data may limit your liability for personal data transfers by preventing that data from leaving the EU. Confirm with your provider which ancillary features (backups, cross-region replication, support access, global control-plane services) could still move data out of the region, and disable them or pin them to the EU where you can.
  • Compliance with EU Model Clauses — Major cloud service providers also incorporate the EU Model Clauses into their customer agreements, committing contractually that their handling of transferred personal data meets the EU requirements.
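The “Stay in the EU” choice is only as strong as whatever stops an engineer from launching a resource in a non-EU region by mistake. The following AWS Organizations service control policy is an added example, not from the original post or from any provider’s documentation, of turning that choice into an enforced guardrail: it denies any API call whose requested region is outside an allowed EU list, while exempting the global services that have no region and would otherwise be broken by the deny. The allowed regions (eu-west-1, eu-central-1), the Sid and the exact exclusion list are assumptions for illustration; tailor them to the regions and global services your accounts actually use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideEURegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

Attach the policy to the organizational unit that holds the accounts processing EU personal data, and test it from a non-admin role before relying on it: an SCP limits what any principal in the account can do, including the account root, but it does not apply to the management account itself, and it does not retroactively move data that already lives in another region.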

Notable Terms

  • Personally Identifiable Information (PII) — Information which can be used to distinguish or trace an individual’s identity; the EU directive uses the broader term “personal data”.
  • “Data Controller” and “Data Processor” — Legal definitions from the EU directive referring to those handling personal data. The Data Controller is the one determining the “purposes and the means of the processing of personal data” while the Data Processor “processes personal data on behalf of the controller”.
  • Data Protection Authorities — National authorities within EU member states responsible for monitoring the application of data protection law within its territory.
  • EU-U.S. Privacy Shield — A negotiated framework between the U.S. and the EU under which U.S. companies self-certify their compliance with EU data protection principles, and which specifically limits U.S. government access to the personal data of EU citizens.
  • Article 29 Working Party — A group composed of representatives from each EU country that issues opinions on EU data privacy matters.

Payment Card Industry — Data Security Standard (PCI-DSS)

The Issue — If your business systems accept, process, store or transmit payment card data, they are subject to the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS lays out security requirements for reducing vulnerabilities and protecting cardholder data from theft and fraud. Failure to comply with the PCI-DSS increases your liability in the event of a breach.

How The Cloud Complies — When cloud services are used to transmit, process or store any cardholder data, the cloud company acts as a “service provider”. Each card brand has slightly different definitions of a “service provider”, including levels based on transaction volume (see the Visa and MasterCard requirements). However, any service provider must validate its compliance with the PCI-DSS. Cloud service providers submit to regular assessments by Qualified Security Assessors (QSAs) and issue Attestations of Compliance (AOCs) demonstrating that their services comply with the PCI-DSS. Merchants can then rely on these AOCs for the provider’s portion of their own PCI-DSS compliance. It is important to recognize that deploying a card-processing system to a cloud provider does not resolve all PCI-DSS concerns: responsibility is shared between the provider and the customers who design and build the systems deployed there. In practice, obtain the provider’s AOC and its responsibility matrix, confirm that every service in your cardholder data environment is listed as in scope, and treat every requirement the matrix assigns to the customer (for example secure coding, access control and logging within your own application) as yours to meet and to evidence.

Notable Terms

  • PCI Security Standards Council — The organization which administers the PCI-DSS; founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
  • Qualified Security Assessor (QSA) — A data security firm that is qualified by the PCI Security Standards Council to perform on-site PCI DSS assessments.
  • Approved Scanning Vendor (ASV) — An organization qualified by the PCI Security Standards Council to perform the quarterly external vulnerability scans required by PCI DSS Requirement 11.2.2.
  • OWASP Top Ten — A well-respected list of common web application security vulnerabilities. Requirement 6.5 of PCI-DSS v3.1, which addresses common coding vulnerabilities, requires that developers be trained in current secure coding practices and cites the OWASP guidance, among others, by name.

FDA Title 21 CFR Part 11 and GxP

The Issue — Companies submitting or maintaining electronic records under FDA regulations must manage those records in accordance with FDA Title 21 CFR Part 11, where the FDA’s rules for electronic records and electronic signatures live. Of particular prominence are the rules for electronic signatures on documents attesting that the applicable good practice regulations (“GxP”: GMP, GLP, GCP and so on) have been followed.

How the Cloud Complies — The cloud compliance story is not as clear-cut for 21 CFR Part 11 as for the regulations above; the providers do not offer a single contractual attestation comparable to a BAA or an AOC. Instead, the GxP guidance published by AWS and Azure describes how existing features of the services, such as SLAs, access controls, monitoring and audit logging, fit into the requirements for GxP systems. Validating that the system you build on those services meets Part 11 remains your responsibility.

Summary

The sections above give only a sample of possible compliance concerns; there are many others, e.g. SOC 1/2/3 reports and ISO 27017 for cloud service security. Ensuring your business systems comply with the regulations applicable to your industry is no small undertaking. Even so, the cost savings and efficiencies of deploying your systems to cloud service providers remain available to your business. In many cases, relying on services that already carry some certification of compliance may simplify your compliance efforts and offer another cost-saving incentive to migrate to the cloud.