Technology: Navigating compliance standards in the clouds
A fundamental understanding of some basic standards is needed in order to assess their relevancy to a particular business use of cloud computing services.
November 08, 2013 at 03:00 AM
The original version of this story was published on Law.com
SOX, PCI, HIPAA, SSAE 16, SOC 2, ISO 27002, NIST ... what certifications or compliance standards should legal counsel be looking for when assisting companies in evaluating and selecting a cloud services provider?
In today's cloud environment, responsibility for security is shared between the cloud user and the cloud services provider (CSP), and where the line falls depends on the service model: the provider secures more of the stack under SaaS than under IaaS, where the customer still owns the guest operating systems, the data and the access controls. Cloud security is new, different and often more complex than managing information security in an environment the user controls. What makes IT controls in the cloud different from other controls is the nature of the cloud: a control failure can instantly affect the entire organization and its operations and quickly compromise a company's whole regulatory compliance program. According to the Cloud Security Alliance, lack of transparency about security controls is a leading inhibitor to the adoption of cloud services.
Company legal counsel need a basic understanding of cloud technology and cloud computing standards in order to manage legal risks and compliance for the company and to help ensure that material risks will be prevented or detected in a timely manner. Much attention is given to SOX, PCI and HIPAA compliance, which address controls over financial reporting, credit card processing and the protection of health care information respectively. However, compliance with these standards does not ensure the presence and proper functioning of the other IT and security controls relevant to cloud computing; each of them covers only the data and processes within its own scope.
Standards developed for pre-cloud technologies, such as those designed for the Internet, can also be used to support cloud computing, while other standards are now being developed to address cloud-specific functions and requirements, such as virtualization. One of the things that makes the cloud different is the widespread use of virtual machines. In traditional physical networks, servers are long-lived, capacity is mostly static and servers are protected by network perimeter security. In cloud computing, servers are provisioned rapidly and are often short-lived, capacity is dynamic and the security boundary changes constantly. It is difficult to maintain up-to-date secure configurations on virtual machines that are started and stopped in rapid cycles. A virtual machine, or the image it is built from, that has been dormant for any period of time may be improperly secured or may introduce vulnerabilities when it is started: malware signatures, security patches and hardening baselines change constantly, and a dormant machine receives none of those updates until it runs again. A practical check is to require that images be rebuilt or patched on a fixed schedule and that any instance restored from a snapshot older than that schedule be quarantined until it has been updated. Also significant is the fact that security and monitoring tools for virtual networks are still evolving and are not as mature as those available for traditional physical networks.
Unfortunately, there is not yet one set of standards consistently used to assess or audit CSPs, which makes it difficult for businesses and their counsel to determine whether a CSP has security and other controls appropriate for a particular business. Significant standardization gaps remain because cloud computing is changing rapidly and because most of the standards being applied to cloud services were written for pre-cloud technologies. The result is confusion among cloud users and their counsel as they conduct due diligence on CSPs.
Standards frequently cited in evaluating cloud service providers include SSAE 16, Service Organization Control (SOC) reports (i.e., SOC 1 and SOC 2), ISO 27002, various NIST publications, and the Cloud Security Alliance's CAIQ. A fundamental understanding of these standards is needed in order to assess their relevance to a particular business's use of cloud computing services.
SSAE 16
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (which replaced Statement on Auditing Standards (SAS) No. 70), establishes the requirements and guidance for a CPA examining and reporting on a service organization's description of its system and on those of its controls that are likely to be relevant to user entities' internal control over financial reporting. SSAE 16 is frequently referenced by CSPs seeking to demonstrate their credentials as reputable providers of cloud services. Cloud users and legal counsel should understand that SSAE 16 is an attestation standard that governs how the auditor's examination is conducted; it is not a security standard and not cloud-specific, so there is no such thing as a service that is "SSAE 16 compliant" or "SSAE 16 certified". The resulting report addresses whether the CSP followed the controls that the CSP itself described, and it comes in two forms: a Type 1 report covers only the design of the controls as of a single date, while a Type 2 report also covers whether the controls operated effectively over a stated period (typically six to twelve months). An SSAE 16 report is of little use if the CSP's description of its system was not adequate or sufficiently comprehensive in the first place, which can make a CSP's "SSAE 16 compliant" assertion a meaningless phrase. Cloud users need to obtain and read the report itself, and should check at least the following: that it is a Type 2 report, that the period covered is recent, that the scope includes the specific services and data centers the user will rely on, that the auditor's opinion is unqualified, that any exceptions noted in testing are understood, and that the user can actually perform the "complementary user entity controls" the report assumes the customer operates.
A SOC 1 report is the report produced under SSAE 16. It reports on the controls at a service provider that may affect assertions in the user entities' financial statements, and it is intended solely for the information and use of existing user entities, their financial statement auditors and the management of the service organization. Because it is restricted to controls relevant to financial reporting, a SOC 1 report is not specific to cloud services and may say nothing about the security controls that matter most when assessing a CSP.
SOC 2 reports are intended to meet the needs of a broad range of users who need to understand internal control at a service provider as it relates to the five Trust Services Principles: security, availability, processing integrity, confidentiality and privacy. A provider chooses which of the five principles to be examined against, so a SOC 2 report that covers only security, for example, says nothing about availability or privacy. These reports are intended for use by customers, regulators, business partners, suppliers and directors of the service provider who have a thorough understanding of the provider and its internal controls. Note that, like SOC 1, a SOC 2 report relies on the service provider's management's description of the system and is issued as Type 1 (design of controls at a point in time) or Type 2 (design and operating effectiveness over a period). SOC 2 reports are currently viewed as more relevant to evaluating CSPs and their privacy and security controls than SOC 1 reports, even though they are not specifically intended for the cloud.
ISO 27000 standards
ISO/IEC 27002:2013, titled Information technology, Security techniques, Code of practice for information security controls, is part of the ISO 27000 series and provides implementation guidance for 114 controls grouped into 14 domains, from access control and cryptography to supplier relationships and incident management. ISO 27002 is guidance only; the certifiable standard is ISO/IEC 27001, which specifies the requirements for an information security management system (ISMS) and lists the same controls in its Annex A. A CSP therefore cannot be "ISO 27002 certified", and when a CSP presents an ISO 27001 certificate, counsel should ask for the certificate's scope statement and the provider's Statement of Applicability, since a certificate may cover only some facilities or services and the provider may have excluded controls it judged not applicable. Some companies in Europe and Asia use the ISO 27000 standards as the basis for their internal cyber risk assessments.
CSA's CAIQ
The Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ) provides an industry-accepted way to document what security controls exist in IaaS, PaaS and SaaS offerings. The CAIQ is available in spreadsheet format and consists of a set of yes/no questions, mapped to the controls in the CSA's Cloud Controls Matrix, that a cloud user or cloud auditor may wish to ask of a CSP. Many providers publish their completed CAIQ in the CSA's STAR registry. Because the answers are self-reported by the provider, a completed CAIQ is a starting point for due diligence rather than independent evidence; any answer that matters to the business should be tied back to a control tested in a SOC 2 report or covered by an ISO 27001 certificate.
NIST standards
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) publishes a number of standards and guidelines frequently cited by cloud users when evaluating CSPs. NIST was designated by the U.S. federal government to accelerate the federal government's adoption of cloud computing. The NIST Cloud Computing Standards Roadmap (NIST Special Publication 500-291, version 2) provides a useful survey of the existing landscape of security, portability and interoperability standards, models, studies and use cases relevant to cloud computing, as well as helpful resources. Appendix A to the Roadmap lists the NIST Federal Information Processing Standards (FIPS) and Special Publications relevant to cloud computing. Two of those are worth knowing by name: SP 800-145, which defines cloud computing and its service models (IaaS, PaaS, SaaS) and deployment models (public, private, community, hybrid), and SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, which sets out the questions an organization should resolve before moving data to a public cloud. As the name suggests, the Roadmap provides direction on where to look for relevant cloud computing standards rather than a standard in itself.
Team approach needed
Securing information systems and ensuring the confidentiality, integrity and availability of information are key concerns in cloud computing, since the risk of compromise is greater in a cloud environment. A team approach is needed to ensure that a company is adequately protected. Legal counsel should work closely with members of the company's IT, privacy, security and compliance teams to select the standards appropriate to the company's particular cloud use, since risk management in the cloud must address the threats specific to the chosen deployment model (public, private, community or hybrid) and service model (IaaS, PaaS or SaaS), and the division of responsibility between the company and the CSP differs for each.
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.