Cloud Compliance: Part 3 – Choosing the Right (IaaS) Cloud Service Provider
In this part we dig a bit deeper and detail the standards and regulations that some of the most common infrastructure (IaaS) Cloud Service Providers (CSPs) comply with and are certified for. CSPs are not always obliged to follow every regulation themselves, but they normally have programs in place to help their customers become cloud compliant. We also look at four of the IaaS giants and how they help you become cloud ready. To highlight some basic differences between EU and US CSPs, a well-known European CSP is included too.
So far in the compliance series we’ve been through:
Part 1 - What is Compliance in the Cloud?
Part 2 - CSP (Cloud Service Provider) preparation tips, supported by Ron Peled, LivePerson
In the last part we mentioned some common regulations. Which regulations and laws you are obliged to comply with depends on the country, region or continent in which the consumer and the CSP operate. To become cloud compliant, most businesses have to comply with more than the EU DPD, SOX, FISMA and, in some cases, HIPAA.
Standards, Regulations and More
| Standard, regulation, etc. | Short description | Read more |
|---|---|---|
| CSA | Cloud Security Alliance. “The CSA is a member-driven organization, chartered with promoting the use of best practices for providing security assurance within Cloud Computing.” Membership in this organization is a quality sign to look for. | https://cloudsecurityalliance.org |
| EU DPD | “Directive 95/46/EC is the reference text, at European level, on the protection of personal data. It sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU. To do so, the Directive sets strict limits on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the protection of these data.” | http://europa.eu/legislatio… |
| Safe Harbor | The EU DPD would prohibit the transfer of personal data to non-EU countries that do not meet the EU “adequacy” standard for privacy protection. While the U.S. and the EU share the goal of enhancing privacy protection for their citizens, the U.S. takes a different approach to privacy from that taken by the EU. In order to bridge these differences in approach and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce, in consultation with the EC, developed a “safe harbor” framework. | http://export.gov/safeha… |
| US SOX | In the U.S., SOX is a law that all companies must comply with. Its purpose is to give parties, of any kind, insight into a company’s financial situation, so that losses for those parties can be stopped and/or avoided. | http://www.soxlaw.com |
| US FISMA | FISMA “requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.” | http://csrc.nist.gov/group… |
| US HIPAA | HIPAA “provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.” | http://www.hhs.gov/ocr/privac… |
| ISO 27001 | “The objective of the standard itself [ISO 27001] is to ‘provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System’.” | http://www.27000.org/i… |
| ISAE 3402 | ISAE 3402 (formerly SAS-70) is an international “independent, industry recognized, 3rd party assurance ‘best practice’ to assure outsourced managed hosting solutions. It is the new global standard for assurance reporting on service organizations.” (quoted from Interoute) | http://isae3402.com |
| SSAE 16 | U.S. national assurance standard. See ISAE 3402. | http://ssae16.com |
| PCI DSS | “The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security.” | https://www.pcisecuritys.. |
| SLA | Service Level Agreement. The agreed service level of a service (normally availability) within the service time (“opening hours”). For cloud services this is normally a fixed, non-negotiable level. | - |
Note: All quotes and texts in the table are copied more or less verbatim from the site/source referenced in the “Read more” column.
Common IaaSs
| Standard, regulation, SLA | Amazon AWS Cloud (EC2) | Google Cloud (Compute Engine) | Interoute, European (VDC) | Microsoft Azure (Azure) | Rackspace (Cloud Servers) |
|---|---|---|---|---|---|
| CSA | X | X | X | X | X |
| EU DPD | Safe Harbor | Safe Harbor | X | X/Safe Harbor | Safe Harbor |
| US SOX | (X) | (X) | -¹ | (X) | (X) |
| US FISMA | (X) | (X) | -¹ | (X) | (X) |
| US HIPAA | (X) | - | Info not available | (X) | (X) |
| ISO 27001 | X | X | X | X | X |
| SSAE 16 | X | X | -¹ | X | X |
| ISAE 3402 | X | X | X | X | X |
| PCI DSS | X | X | X | X | X |
| SLA (standard IaaS service) | 99.95% | 99.95% | 99.99% | 99.95% | 100% |

X = Complies with/member of/certified
(X) = Programs to make services comply
¹ Interoute primarily operates in Europe
- EU Data Protection Directive - Directive 95/46/EC
- US HIPAA - Health Insurance Portability and Accountability Act
- US SOX – Sarbanes-Oxley Act
- US FISMA - Federal Information Security Management Act
- US SOPA – Stop Online Piracy Act (On hold)
- US PIPA – Protect IP Act (On hold)
Additional Information
| Service | Resources |
|---|---|
| AWS EC2 | http://aws.amazon.com/legal, http://aws.amazon.com/agreement, http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf |
| Compute Engine | http://www.google.com/intl/en/policies, https://developers.google.com/compute/docs/terms |
| VDC | http://www.interoute.com/about-us/governance-accreditations |
| Azure | http://www.windowsazure.com/en-us/support/trust-center |
| Cloud Servers | http://www.rackspace.com/security, http://www.rackspace.com/cloud/legal |
Salute
A salute to Amazon, Google, Microsoft and Rackspace for their effort to make compliance and security information easy to find and use on their websites. My simple recommendation to the IaaS vendors is to always make compliance and security information easy to find and easy to read and understand. It’s a pretty cheap way to actually sell a service.
Prediction
Price wars are a compliance issue. If smaller and/or regional CSPs can’t compete in the cloud market because of heavy price dumping, adoption will be slower within regions obliged to comply with certain laws and rules, for instance within the EU.
Nonetheless, Google has announced that EU consumers can now choose to store data within the EU only. I think we will see all the other CSPs follow. This step will lead more EU consumers to adopt services from large US CSPs. As Microsoft says, it will not be enough; most probably the data will be stored in the EU if you’re an EU consumer.
3 Things You Should Remember
1. Everyone providing or consuming a cloud service has laws and regulations to follow and comply with.
2. Know the laws and regulations your business is obliged to follow.
3. Compliance is a shared responsibility.
About the Author
Max Büchler – Blogger on InMaxMind
Cloud and ITaaS evangelist. “Agent provocateur”, critic and advisor. Hopefully with a special touch and a different view, sometimes philosophical but always with a smile. Loves to look at facts and make cloud logic; don’t make it difficult. Focused on talking to, with and for the customer, with the goal of easing and helping the adoption of cloud services. Works as Manager of Product Management at a Swedish Managed Service Provider.
Keywords: cloud computing, cloud services, cloud adoption, enablement, strategy, SaaS, public cloud, private cloud, compliance, regulations, security, cloud service provider, DR, disaster recovery, CSP, continuity, HIPAA, PCI DSS, SOX, Safe Harbor, FISMA, SOPA, PIPA, SLA, Amazon, Google, Azure, Rackspace