Cloudy with a chance of non-compliance
Compliance, along with security and privacy, is a big topic when firms consider cloud services. I recently did a Forrester Webinar on the topic of compliance for cloud computing. This blog entry is a recap of the Webinar.
In terms of compliance for cloud services, there are four categories of issues of concern:
- Where: Geographically-related issues
- How: Operational details that affect compliance
- Audit: Show me evidence that you can help me achieve compliance
- Others: Everything that doesn’t fit into the above categories
For the “where” category, you need to be mindful of the following aspects:
- Datacenter locations
- Implications of local laws and regulations (where the datacenters are operating)
- Third-party access: Does the vendor use any “third-party” resources that may affect the locations of relevant data?
We recently helped a client evaluate the business suitability of a SaaS provider. In the course of doing so, we discovered that the SaaS vendor used a third-party backup service to back up its logs. Although the SaaS provider is located entirely in the US, the backup service provider is not. Therefore there is a question of whether my client’s logs will be stored in a datacenter outside the country. This made my client uneasy.
The “How” category is the biggest and most comprehensive, as it covers many operational aspects. Among other things, you need to consider:
- Do the datacenter’s operations meet the specific regulatory requirements that you have (e.g., is it PCI compliant — audited by a PCI QSA?)
- Does the provider have a compliance management program?
- Does the provider have a DR/BC plan that is consistent with your requirements?
- Does the provider’s data breach/incident handling procedure meet your requirements?
- Is the data center SAS 70 Type II certified?
The “Audit” category deals with the audit procedure and framework, and with whether the provider can supply adequate audit evidence or agree to a third-party audit.
In addition, you need to consider eDiscovery and enterprise investigation support. Too often enterprises tell me that cloud providers do not let them be the administrator of their own data living in the cloud. You need to ask your vendor what support they will provide for discovery and investigation purposes, such as any restrictions on access to data, the means of access to data (self-service vs. manual), responsiveness to discovery requests, flexibility of data access, etc.
Finally, third parties are often the “fly in the ointment,” even when you are satisfied with every aspect you can conceivably think of with respect to your cloud provider’s own operations. You need to understand whether the provider uses any third party in a way that affects your compliance status (see the example above). Everything discussed so far applies to third-party access as well.
In the next 90 days, we recommend that you form a cloud game plan. For compliance aspects, it looks like the following:
- First, gather legal and regulatory requirements, and involve legal, compliance and risk officers early
- Second, conduct a high-level feasibility study based on these requirements
- If the feasibility study indicates a preliminary green light, then perform a detailed evaluation (based on the “where,” “how,” and “audit” framework described here)
- Require audits when in doubt, embed recourse actions in your contracts, and engage trusted third-party assessment services.
For details, please refer to the Webinar recording.