I have spoken before on the issues of compliance and the cloud, and recently two of the big “kahunas” of security and compliance have published white papers on the topic.
The first is an ISACA paper: “Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives.” This is a concise 10-page white paper that defines the cloud issue and discusses the “Assurance Considerations for Cloud Computing.” The paper identifies five assurance issues: transparency (of service providers), privacy, compliance, trans-border information flow and certification (of the service providers). However, there is not much guidance in this paper as to how to address these considerations. Their following guidance seems a bit circuitous to me:
The use of standards and frameworks will help businesses gain assurance around their cloud computing supplier’s internal controls and security. At the time of writing, there are no publicly available standards specific to the cloud computing paradigm. However, existing standards should be consulted to address the relevant areas and businesses should look to adjust their existing control frameworks.
My translation of this is: Businesses need some new standards/frameworks for cloud compliance, but there are none, so use your existing ones. I did not get a lot of useful information in this white paper – aside from the fact that ISACA is concerned about this issue and has expressed its opinion as to why we should be concerned (which I agree is important to point out). But there is not much practical content as to how I should address these issues.
On the other hand, the European Network and Information Security Agency (ENISA) has released its paper “Cloud Computing: Benefits, Risks and Recommendations for Information Security” weighing in at a mere 123 pages. In this document they have enumerated the risks of cloud computing and scored them as shown in the risk chart below.
As examples, they identified that the most serious risks with the highest score of 7 and the highest impact were:
R2: Loss of governance
R3: Compliance challenges
R22: Risk of change of jurisdiction
And the next most serious, with a score of 6 and highest probability, were:
R9: Isolation failure
R10: Cloud provider malicious insider
R14: Insecure or defective deletion of data
R26: Network management
In this document they analyze each risk with respect to probability, impact, vulnerabilities, and assets. This is a very effective way to categorize the risks and how they may affect your business.
In the last section they make a set of recommendations that include:
An information assurance framework (a checklist of questions for service providers)
Legal recommendations (from the European point of view but still appropriate for other jurisdictions)
Research (recommendations for further research – useful if you want to write a research grant!).
The first two recommendations are very useful and thorough and can be used as a basis for contract terms and conditions with service providers.
The fact that both these influential groups have spent a lot of time and thought about cloud compliance emphasizes the interest and concern about taking your business into the cloud. I think both these papers can be used as a basis for your cloud compliance approach and I highly recommend spending a few hours and cups of caffeinated coffee reading the ENISA document.