Cloud computing is gradually maturing, and auditable standards are emerging. SAS 70, PCI and HIPAA govern the design of cloud vendor platforms. Controls in different categories are being put in place to guarantee integrated compliance to the customer.
Physical security, application security, policy based security, security process or security standards—these are some of the terms that come up every time there is a discussion around compliance. What do these terms mean? How are these terms defined under different acts? What are the points of similarity or difference in the conceptualization and definition?
SAS 70 is an auditing standard, and a flexible one. It prescribes compliance standards, but cloud vendors select their own controls and the goals those controls are meant to achieve. As a result, no two evaluations of an enterprise's SAS 70 compliance, carried out by independent auditors, will be the same. This also rules out comparing one cloud service provider with another on the basis of their SAS 70 reports.
PCI is not so flexible. It identifies a required set of controls, even in areas where the service provider would otherwise choose its own. Vendors are free to put additional controls in place. So, with PCI, two compliance evaluation reports will share a set of comparable features and carry a further set of different features that may or may not be comparable. PCI is stricter than SAS 70, but PCI requirements can form a subset of the controls that vendors put in place for SAS 70 certification.
HIPAA is a subset of PCI. If a cloud service provider is PCI compliant, then the company is automatically HIPAA compliant.
Having said this, it is important to acknowledge that integrating compliance begins with common sense and an understanding of what compliance really involves.
The cloud service provider's infrastructure is the foundation for compliance. Infrastructure controls include protection of the facility from man-made and natural disasters; a continuous and reliable supply of power; and replication, mirroring and backup of servers so that services remain available, reliable and accessible in the event of hardware failure. The required controls extend to evaluation of the vendor's policies and processes and of its employee authorization protocols. Internal security reviews will also be reported upon.
Application controls require multiple levels of security. Customer information must be protected against malware and other kinds of infection. Privacy of customer data must be ensured with layered authentication and authorization protocols. Data security must be automatic, with data encrypted both in transit and at rest and with the encryption keys under customer control. Finally, customers should be in a position to integrate their enterprise policies and standards into the provider's data backup and storage methodologies.