Public Cloud Compliance: Key Protection

When it comes to public cloud compliance, different regulations exist for different industries.

To be sure, public cloud compliance is a thicket of complication, effected by myriad legislation. For example, the Health Insurance Portability and Accountability Act (HIPAA) is the granddaddy of healthcare-related legislation that relates to public cloud compliance. Payment Card Industry Data Security Standard (PCI DSS) oversees the credit card industry, while Sarbanes–Oxley (SOX) regulates the reliability of financial reporting by public companies and their accounting firms. The Gramm-Leach-Bliley Act (GLBA) administers a large set of compliance regulations for banks, investment institutions and insurance firms. And there are many more including US–EU Safe Harbor, ISO, FDA and a whole set of federal regulations around information processing, security management and risk management.

Even so, we can boil down public compliance standards to key similarities: Is the regulated data secure from digital and physical intrusion? Can you prove it with reports and audits? How can you verify environmental controls such as data location? How do you administer access control? When and where do you apply encryption? Can you verify data segmentation from non-regulated data or multiple tenants?

These questions and their answers are critical for on-site data storage, including on-premise private cloud infrastructure. But when you include public cloud compliance in the picture, you up the ante – and the complexity – on compliant data storage. And if a service provider restores compliant data for you on the public cloud, the complexity grows even larger.

However, going with a cloud provider may still be a good idea in terms of cloud scalability and efficient data storage, especially if you are not frequently restoring your data from the cloud.

Public Cloud Compliance: Where to Begin

HIPAA and Compliance

HIPAA regulatory requirements differ depending on the “covered entity.” This refers to the originating health care company whether it is using cloud storage for electronic health record systems (EHR) governed by HITECH, or backup data governed by HIPAA’s Data Backup and Disaster Recovery Specifications. The “business associate” label covers your cloud provider, who must also be in HIPAA compliance with technology, physical security and secure administration.

It is your responsibility to make certain that your business associate, whether a managed service provider (MSP) and/or a public cloud provider, offers and obeys a business associate agreement (BAA). You will see a number of ads from cloud providers on how HIPAA-compliant they are. They might even be right, but you still cannot afford to leave HIPAA compliance up to your provider. Even if they sell an excellent service to their customers, you are ultimately responsible with the compliance of your data online and off. And if your provider makes a serious mistake, that mistake may cost them — but it may well cost you even more.

To begin with, even though your cloud provider may claim to be HIPAA-compliant, the U.S. Department of Health and Human Services recognizes no one as such. They have no such compliance list. One cannot blame them: it is each company’s responsibility to understand the compliance regulations and to stick to them, and to make sure that their provider does also.

Top Questions to Ask your Provider about Public Cloud Compliance

Here are the top compliance-related questions to ask your public cloud provider or MSP who offers public cloud services:

• How secure is my data in your data center? Most companies know to ask about digital security such as protection against hacking attacks or in-house mistakes (or worse). These are vital security measures, of course, but physical data center security is every bit as important. The cloud provider should welcome yearly independent audits of their data center and cloud storage practices. Look for SSAE-16 for standard compliance audits. Data location may also be an issue. If it is, be certain that your provider can prove where your data resides. Google Cloud, for instance, provides highly secure and certified data centers that fulfill PCI DSS standards.
• Does the cloud provider have dedicated and a specialized compliance staff? For example, healthcare covered entities need HIPAA experts. Credit card providers need expertise with PCI DSS. Public companies and accounting firms need consultants that are familiar with SOX, and banks need expertise with the security requirements of GLBA.

• What does the agreement look like? HIPAA closely regulates business associate agreements, known as BAAs. Always include a BAA in your HIPAA compliance contract with your cloud provider. These agreements are readily available with major cloud providers such as AWS, which offers plans for both production and secondary data subject to HIPAA regulations. Be aware that HIPAA regulations for the cloud will change according to the nature of the data. BAAs for active computing data or big data analysis will reflect this type’s greater priority and activity than secondary cloud storage. This holds true with other regulations as well. Although they may not have HIPAA’s specific BAA requirements, you will still need to run audits and reports on your regulated data in the cloud. For this reason, Microsoft Azure added an auditing feature for SQL databases running on Azure.
• Is there segmentation in multi-tenant environments? A multitenant environment is not by definition non-compliant, but it does require security features and segmentation. Let’s contrast two environments, which at first glance seem quite similar. Both providers advertise themselves as PCI DSS compliant. Both environments are multi-tenant and both run client VMs on compliant hypervisors. So far, so good. However, in the first case the cloud provider separates clients using logical and physical controls. The second environment offers a service model that leaves VM administration to customers, so clients cannot verify segmentation. In the second case, neither the provider nor the client are in compliance.
• How and where do you use encryption? Even with verified client segmentation, the company should have an agreement in place where their data is encrypted. Know what type of encryption your providers use and how and when they apply it, and don’t forget to encrypt your data-in-transit as necessary.
• How good is your access control? When your data is on site, you need to practice verifiable access control. Your cloud provider is no different. When you first speak to your provider about a compliant data environment, make certain that you understand what their policies are for user access control. Definitely understand what their access control policies are for their staff and your data. Be certain that they can and will regularly audit your data’s access control for compliance reporting purposes.

It’s Still on You

The sobering news is that you are still ultimately responsible for your data’s compliance, including holding cloud providers to their service agreements with you. Your provider may be subject to fines in case of their noncompliance, but that will not keep you from paying non-compliance-related fees as well. You are also responsible for keeping up with changing regulations and making sure that your provider does too. The more experience and expertise the provider has with regulations the smoother this dynamic process will be.

Finally, remember that the cloud is never all or nothing. If you are uncertain that your cloud provider can give you the level of compliance you need for critical data, then don’t use the cloud for that. Consider using it for compliant backups instead, or not at all – wait until cloud providers offer more complete compliance measures. There is a lot of money for them in improving their compliance offerings, so even if you decide not to take advantage of the public cloud at this point, you may well in the near future.

Photo courtesy of Shutterstock.