While the cloud offers significant potential to reduce costs and improve efficiency, many businesses have concerns about how they can demonstrate compliance with industry standards and regulations. Kane Phillips, Business Development Manager for Gemserv, argues that with the right expertise, demonstrating compliance does not need to be a barrier to firms taking full advantage of the cloud.
How to embrace the potential of the cloud is a key boardroom agenda item for most businesses these days.
Although the benefits in terms of capital and operating budgets are relatively easy to quantify, being able to present a clear forensic trail to Qualified Security Assessors (QSAs) can be a significant hurdle to overcome.
We work with a very broad range of clients at Gemserv, and although they each have different business models, we are seeing common concerns about demonstrating compliance in a cloud environment, along with the right approach to take.
Key issues in demonstrating compliance include understanding exactly where responsibilities lie between a business and the provider of each cloud service model (SaaS, PaaS and IaaS). The cloud environment also brings added factors, such as the implications of data being held in different jurisdictions, and the challenge of complying with differing legal requirements when data moves between different parts of the cloud.
Nervousness around some of these compliance issues means many firms are not taking full advantage of the opportunities available.
Leveraging information security expertise to find a bespoke solution
A recent engagement with an existing client illustrates these challenges, and how they were resolved with our expertise.
The company, a global e-commerce player focused on the food and drink market, has its entire estate in the cloud, and calls up server capacity depending on demand levels.
The model brings significant cost benefits and elasticity so that instead of committing to resources that are not required, they have the option of dynamically scaling up or down depending on demand within the business.
That flexibility also extends to where in the cloud their data is held at any given time, which matters where legal requirements dictate where data may be stored.
As well as the cost benefits, the way the client operates in the cloud also brings security benefits. For example, if data is only held in a particular location for a limited time, the window in which an attacker can target it there is reduced. That said, such risks are difficult to eliminate: data remnants can be left behind however briefly data was kept in a location, unless the appropriate controls are in place.
Whilst in this case the cloud was enhancing security, demonstrating compliance, for example with the requirements of the Payment Card Industry Data Security Standard (PCI DSS), was a different matter entirely.
For example, if a breach was discovered in one period and the client had by then moved onto another area of the cloud, where would the audit trail be? Instances that are scaled down are destroyed, and any logs held only on them are lost with them. Without a trail it is very difficult to determine the cause of a breach and put in place a mechanism to minimise the risk of a repeat.
For this client, the arrangement with their cloud provider did not include security services, and there was no logging of the systems deployed in the cloud architecture.
After assessing the specific operational and compliance needs of the business, we recommended deploying open source logging and event monitoring tools, with logs collected centrally rather than left on individual instances. This provides the necessary security control, and also creates an audit trail that outlives any single instance and, in the event of a data breach, supports the demonstration of compliance.
As well as supporting PCI DSS compliance, the approach has already delivered wider benefits. The open source tools suggested by Gemserv, and developed by the client, have detected and mitigated a number of potential attacks on the client's infrastructure which would otherwise have gone unnoticed.
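As an added illustration of the approach described above (this is example code written for this article, not the tooling Gemserv recommended or the client built), the following Python models the two pieces the client needed: a central, append-only audit trail that outlives the short-lived instances writing to it, and an event alert run over the collected records. The log format, instance IDs, regions, IP addresses and the brute-force threshold are all constructed for the example. The trail is hash-chained so that tampering with a stored record is detectable when an assessor or investigator later verifies it.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from two short-lived instances in different regions.
# Format (assumed for this example): <UTC timestamp> <instance> <region> <source> <event> key=value...
LOG_LINES = """\
2019-03-04T10:15:01Z i-0a1b2c eu-west-1 sshd auth_failure user=root src=203.0.113.7
2019-03-04T10:15:03Z i-0a1b2c eu-west-1 sshd auth_failure user=admin src=203.0.113.7
2019-03-04T10:15:04Z i-0a1b2c eu-west-1 sshd auth_failure user=oracle src=203.0.113.7
2019-03-04T10:15:06Z i-0a1b2c eu-west-1 sshd auth_failure user=test src=203.0.113.7
2019-03-04T10:15:09Z i-0a1b2c eu-west-1 sshd auth_failure user=ubuntu src=203.0.113.7
2019-03-04T10:16:00Z i-0a1b2c eu-west-1 cloud-init instance_terminated reason=scale_in
2019-03-04T10:16:30Z i-9f8e7d us-east-1 sshd auth_success user=deploy src=198.51.100.5
2019-03-04T10:17:10Z i-9f8e7d us-east-1 httpd request method=GET path=/checkout status=200 src=192.0.2.44
2019-03-04T11:40:00Z i-9f8e7d us-east-1 sshd auth_failure user=root src=203.0.113.7
"""


def parse_line(line):
    """Turn one log line into a dict; timestamps are naive UTC."""
    ts, instance, region, source, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "instance": instance,
            "region": region, "source": source, "event": event, **fields}


class AuditTrail:
    """Append-only, hash-chained record store standing in for a central log service.

    Each record commits to the previous record's hash, so deleting, reordering
    or editing a stored entry breaks verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self.head = self.GENESIS

    def append(self, event):
        # datetime values are serialised as ISO 8601 strings so the body is canonical JSON
        body = json.dumps(event, sort_keys=True, default=lambda o: o.isoformat())
        digest = hashlib.sha256((self.head + body).encode()).hexdigest()
        self.records.append({"prev": self.head, "body": body, "hash": digest})
        self.head = digest
        return digest

    def verify(self):
        prev = self.GENESIS
        for rec in self.records:
            expected = hashlib.sha256((prev + rec["body"]).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return prev == self.head


def build_trail(lines=LOG_LINES):
    """Ship every line off-instance into the central trail as it is produced."""
    trail, events = AuditTrail(), []
    for line in lines.splitlines():
        if line.strip():
            event = parse_line(line)
            events.append(event)
            trail.append(event)
    return trail, events


def events_for_instance(trail, instance_id):
    """Query the trail for an instance that may already have been destroyed."""
    bodies = (json.loads(rec["body"]) for rec in trail.records)
    return [e for e in bodies if e["instance"] == instance_id]


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source IP that produced >= threshold auth failures inside the window."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failure":
            failures[e["src"]].append(e["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        j = 0  # sliding window end; only ever moves forward because times are sorted
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"src": src, "count": j - i,
                               "first": times[i].isoformat(), "last": times[j - 1].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    trail, events = build_trail()
    print("trail intact:", trail.verify())
    print("records from terminated instance i-0a1b2c:", len(events_for_instance(trail, "i-0a1b2c")))
    for alert in detect_bruteforce(events):
        print("ALERT brute force from", alert["src"], alert)
    # A later edit to a stored record is caught by verification.
    trail.records[0]["body"] = trail.records[0]["body"].replace("root", "deploy")
    print("trail intact after tampering:", trail.verify())
```

In a real deployment the `AuditTrail` store would be a log service or object store outside the instances' lifecycle, and the detection logic would run continuously rather than over a fixed batch. The point the example makes is that once records are shipped off the instance, terminating it (the `instance_terminated` line) no longer takes the evidence with it, and a verifier can later confirm the stored trail has not been altered.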
The successful outcome demonstrated the added value of bringing in an information security expert to help with this process. In addition to this, it helped the client develop a strategy to deal with risks related to data breach incidents.
Understanding roles and responsibilities is vital
A key first stage for companies in the process of using the cloud to store data is to discuss with their cloud service provider where roles and responsibilities lie, and to clearly document those boundaries in Service Level Agreements (SLAs).
It is important to understand that you cannot always rely on a cloud service provider to offer security services. The provider may know that a workload has been provisioned into and removed from its environment, but in many cases will not monitor what that workload does while it is there. It is generally up to the customer to provide processes and procedures such as audit trails and event alerts. Some cloud service providers can offer additional services that help to meet compliance needs, but these need to be agreed as part of the SLA. For example, security event monitoring for PCI DSS compliance may be available from a provider, but typically as an additional service rather than as part of an off-the-shelf package.
That is just one illustration of a service model. The key point is that organisations must always obtain assurance from their cloud service provider that roles and responsibilities are specified in the contract.
While demonstrating compliance in the cloud environment may initially seem highly challenging for many businesses, taking a planned and practical approach to the particular issues faced and working with an expert partner can ensure the most appropriate solution is implemented.
As a first step in the process, businesses should ask themselves a number of questions about their particular circumstances.
- What do you see as the key challenges faced when it comes to compliance in the cloud?
- What is the impact of adopting cloud services on your audit scope?
- How do you plan to demonstrate compliance?
- How confident are you in your cloud service provider, and their supply chains?
- Are your legal agreements with providers sufficiently robust?
- Do you have the skills in-house to be able to demonstrate compliance, or would you benefit from bringing in external information security expertise?
Your answers to the above will start the journey to demonstrating compliance, which in turn will enable businesses to harness the full benefits the cloud has to offer.
If you have any questions or would like to find out more then do get in touch with us on: