
Cloud Security Basics: Compliance and Certification

Posted by IanH on May 12, 2010

We’ve talked a great deal about security lately, and this will continue to be a key topic for us and for the cloud market. Back in our first post on the security questions you should ask any cloud provider, we asked: “What compliance or other certifications do they possess?”

This is a critical area because compliance with third-party industry standards or mandates can be a “make or break” issue when it comes to deciding if a cloud vendor’s services are aligned with your enterprise’s goals.

Certification & Compliance

Third-party certifications and compliance with industry standards have long been cornerstones of security in the IT services industry. They add an acceptable level of trust in an industry that often can’t agree on how it defines basic and widely used terms (such as “cloud computing”). In addition to regular audits and the adoption of generally accepted industry standards in the realms of access control, encryption and intrusion testing, compliance and certification can act as a seal of approval that a provider will meet your security needs.

Typically, before a potential customer signs on the dotted line, they want to talk security and understand what certifications we possess. In previous posts, I’ve already outlined the dozens of ways that we ensure security throughout our systems, but beyond our own standards, we comply with SAS 70 Type II and PCI DSS mandates.

I’d recommend that you make compliance and certification part of your early discussion with cloud vendors. SAS 70 Type II is a great control mechanism around processes, but if the data you plan to put in the cloud contains any personally identifiable information or financial information, using a cloud vendor that has PCI DSS compliance is a must.

There has been a lot of talk recently about the inability of some cloud providers to achieve PCI compliance. This isn’t a trivial matter, as noncompliance with the PCI standard will restrict many companies from hosting mission-critical applications in the cloud. This is particularly true for banks or financial institutions, online merchants and e-Commerce services companies, but it may come into play for companies that occupy any place in the supply chain or demand chain and potentially handle sensitive data.

In the interest of providing more insight into the compliance process, here’s a quick primer on the various types of certifications and standards you should be asking your cloud provider about:

  • SAS 70 stands for the Statement on Auditing Standard 70. It was developed and is maintained by the American Institute of Certified Public Accountants (AICPA). Specifically, SAS 70 is a “Report on the Processing of Transactions by Service Organizations”. The standards outlined in SAS 70 must be complied with and then audited by an accredited service auditor, who assesses the internal controls of a service organization. Savvy customers will ask for more information about the controls put in place with SAS 70 compliance, for the reasons outlined in this Web Security Journal article by Ellen Rubin. SAS 70 has grown increasingly popular with the implementation of the Sarbanes-Oxley Act, as it shows the effectiveness of a service organization’s internal controls and data security safeguards. Hubspan currently holds SAS 70 Type II certification, which covers the general computing controls of Hubspan’s on-demand integration solutions, including key security measures around data protection and infrastructure security.
  • The PCI DSS is a set of comprehensive requirements for enhancing payment account data security, designed to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, data management and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. As mentioned previously, Hubspan is currently PCI DSS compliant, and is in the process of finalizing adherence to the most recent 1.2 version.
  • A number of groups have proposed further standards and certifications that would be specific to cloud computing. For example, the Cloud Security Alliance recently announced a new partnership with Novell; the resulting certification will be published in Q4 2010. The certification looks to assemble several third-party standards (such as those of the OpenGrid Forum and the IEEE) into a new standard. While we won’t see the final draft version of this standard until Q4 2010, it is important to note that this new standard will be supplementary to existing standards such as SAS 70 Type II and PCI DSS, especially in the near term. This SearchSecurity article gives a fairly detailed run-down of the CSA’s new certification program and its aims.
