
S.R. Chaput and K. Ringwood

to be, but neither will it necessarily publicize every piece of Personally Identifiable Information (PII) an organization provides, which is what many fear would happen. The largest challenges in engaging the cloud arise while preparing the company for it. This typically means establishing strong information security governance and a clear understanding of the organization’s legal and regulatory landscape. In fact, outsourcing to the cloud cannot be considered successful unless the organization has first reached a security maturity level of four.

Another potential challenge is how much influence, if any, an organization can have over the way the cloud provider operates: over imposing or strengthening the liability terms of the contracts, over requesting and actually receiving the assurances it requires from the vendor, and over enforcing a solid legal agreement once it is in place.

14.1.2  Background

As organizations mature and core competencies are developed, it may seem that considering the cloud for specific types of applications, systems, infrastructure, and platforms would be the next logical step. Cloud computing, although potentially more granular and more distributed in nature, is not in fact radically different from traditional outsourcing or off-shoring arrangements: the same amount of diligence and preparation is needed to start such an exercise. Much work on the topic of cloud computing security has already been done by organizations such as the Cloud Security Alliance (http://www.cloudsecurityalliance.org). For more detailed information on the topics discussed here, it is recommended that you read the most recent version of their “Security Guidance for Critical Areas of Focus in Cloud Computing”. The “audit & compliance” section of version 1 of that document was the foundation for much of this chapter’s content, albeit at a higher level. Subsequent releases of the Cloud Security Alliance’s Guidance documents will likely go into more detail.

14.1.3  Requirements and Obligations

First, an organization needs to understand the legislative and regulatory landscape in which it resides and operates. If a company processes credit cards, it will likely be subject to the Payment Card Industry’s Data Security Standard (PCI DSS).1 Similarly, if the company handles Personally Identifiable Information (PII), it is quite likely subject to privacy legislation such as the European Union’s Data Protection Directive (EU DPD)2 or Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA),3 which requires the organization to follow specific rules without deviation or compromise, regardless of how well they align with internal policies. These are just two examples of how legislation or regulation can shape a company’s information security structure and alter or add to the requirements with which the organization approaches a cloud provider.

1 https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

14  Cloud Compliance: A Framework for Using Cloud Computing in a Regulated World

14.1.3.1  Regional Laws

It is nearly impossible to list all of the regional laws that may shape or otherwise affect the requirements to consider when outsourcing to the cloud. As mentioned previously, privacy is an excellent example of a topic governed by region-specific laws. Canada and the United States of America alone have dozens of individual laws that are geographically binding and may therefore take priority over others, even though on the whole they may not differ substantially. To further complicate matters, an organization operating in more than one jurisdiction is likely subject to each jurisdiction’s law. This is an area where lawyers excel and can help an organization understand which regulations take precedence over others.

To further add to the confusion, agreements such as the International Safe Harbor Privacy Principles4 can make an organization subject to laws in areas where it does not even operate. A good example is the US-EU Safe Harbor agreement,5 meant to provide a streamlined process whereby companies outside the EU’s jurisdiction, by demonstrating compliance with EU Directive 95/46/EC on the protection of personal data, could gain the benefits of trade with EU companies that require reciprocal compliance. (The Safe Harbor framework was later invalidated by the Court of Justice of the European Union in 2015, and Directive 95/46/EC was replaced by the General Data Protection Regulation in 2018, but the same pattern of cross-border adequacy arrangements persists.) This means that an organization must not only know its immediate legal responsibilities in the region(s) within which it operates, but must also stay aware of the additional arrangements to which it is party and understand the requirements they bring.

Several Canadian provinces felt a remarkable effect of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act6 of the USA, even though those provinces were not normally subject to foreign laws, notwithstanding those of their closest neighboring country. Many government agencies were not permitted to use providers whose systems were physically located in the USA, for fear that their hosted data would

2 http://ec.europa.eu/justice_home/fsj/privacy/docs/lawreport/paper/ispa_en.pdf

3 http://www.priv.gc.ca/legislation/02_06_01_e.cfm

4 http://www.trade.gov/td/ecom/shprin.html

5 http://www.export.gov/safeharbor/eg_main_018236.asp

6 http://epic.org/privacy/terrorism/hr3162.html
