Cloud Computing Compliance Recommendations from the A Teams

I have spoken before on the issues of compliance and the cloud, and recently two of the big “kahunas” of security and compliance have published white papers on the topic.

I have spoken before on the issues of compliance and the cloud, and recently two of the big “kahunas” of security and compliance have published white papers on the topic.
The first is an ISACA paper: “Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives.” This is a concise 10-page white paper that defines the cloud issue and discusses the “Assurance Considerations for Cloud Computing.” The paper identifies five assurance issues: transparency (of service providers), privacy, compliance, trans-border information flow and certification (of the service providers). However, there is not much guidance in this paper as to how to address these considerations. Their following guidance seems a bit circuitous to me:

The use of standards and frameworks will help businesses gain assurance around their cloud computing supplier’s internal controls and security. At the time of writing, there are no publicly available standards specific to the cloud computing paradigm. However, existing standards should be consulted to address the relevant areas and businesses should look to adjust their existing control frameworks.

My translation of this is: Businesses need some new standards/frameworks for cloud compliance, but there are none, so use your existing ones.  I did not get a lot of useful information in this white paper – aside from the fact that ISACA is concerned about this issue and has expressed its opinion as to why we should be concerned (which I agree is important to point out). But there is not much practical content as to how I should address these issues.

On the other hand, the European Network and Information Security Agency (ENISA) has released its paper “Cloud Computing: Benefits, Risks and Recommendations for Information Security” weighing in at a mere 123 pages.  In this document they have enumerated the risks of cloud computing and scored them as shown in the risk chart below.


As examples, they identified that the most serious risks with the highest score of 7 and the highest impact were:

  • R2: Loss of governance

  • R3: Compliance challenges

  • R22: Risk of change of jurisdiction

And the next most serious, with a score of 6 and highest probability, were:

  • R9: Isolation failure

  • R10: Cloud provider malicious insider

  • R14: Insecure or defective deletion of data

  • R26: Network management.

In this document they analyze each risk with respect to probability, impact, vulnerabilities, and assets. This is a very effective way to categorize the risks and how they may affect your business.

In the last section they make a set of recommendations that include:

  • An information assurance framework (a checklist of questions for service providers)

  • Legal recommendations (from the European point of view but still appropriate for other jurisdictions)

  • Research (recommendations for further research – useful if you want to write a research grant!).

The first two recommendations are very useful and thorough and can be used as a basis of contract terms and conditions with service providers. 

The fact that both these influential groups have spent a lot of time and thought about cloud compliance emphasizes the interest and concern about taking your business into the cloud. I think both these papers can be used as a basis for your cloud compliance approach and I highly recommend spending a few hours and cups of caffeinated coffee reading the ENISA document.

Written by

Tom McHale

Tom McHale is VP of Product Management for CA, Inc., where he responsible for defining…

Published in

View this topic
  • James Holland

    This is great. Hooray for Disney’s imagineers!


    become a new brand in the share market research with its accurate research. Proven
    itself always right whether market is bull or bear. Last week all paid clients
    booked handsome profit in NIFTY, BANKINIFTY & STOCKS. Now for the coming
    week we expect more correction can come in NIFTY as the IRAQ issue is getting
    more tense, If it happens more then you will see a sharp fall in all world marketNSE BSE, STOCK TIPSbecause as we know all world run on
    crude & most of the crude comes from IRAQ. So be ready for a sharp fall so
    sell will be the best strategy for next week also. Traders can make a sell
    position in NIFTY around 7600-7650 with stoploss 7750 for the target of
    7300-7200.One can also make a sell call NIFTY 50 stocks as per NIFTY levels. You
    can also take our two days free trial to check our accuracy. For further updates
    you can visit our website.



  • king lear

    testing comment functionality, please do not publish this

  • Rachel Macik

    Love the personal pic :)

    • CAHighlight

      Thank you!

  • Plutora Inc

    This is a good case study. 2.3 sec’s off a login transaction is big.

  • Michele Hudnall

    While the analysts were hyping DevOps, I posted the oversight of not including security as part of that discussion as you are highlighting here. Instead of just talking DevOps, it should be DOS (what’s old is new again :-) – DevOpsSec. As a previous AppDev person, it’s the app, who’s using it, why and where rather than the device and having the service available.

    As you rightly point, out Security should be baked into the solution.

    Nice Post and Timely!


    • CAHighlight

      Thank you for your feedback Michele. Agreed – security cannot be overlooked. Appreciate your input!

  • Mitesh

    I would love a printed copy

  • Lars Johansson

    I love the idea of BYOID! This makes me choose if I am almost anonymous (with my Hotmail Nicname) or official with identity from an official organisation. My Identity Provider will attach identity with right level of LoA according to the need of the Service provider.

    • CAHighlight

      Thank you for your comment. BYOID has tangible benefits for end users and relying parties but it also has to be weighed in the balance with potential risks and liability concerns. It will be interesting to see how BYOID plays out in the enterprise.