Compliance requirements and recommendations for enterprise cloud security

In the process of using cloud computing, enterprises are confronted with a great security problem, which needs to meet the compliance requirements of competent departments at all levels, this article will introduce the compliance requirements and coping methods of enterprise cloud computing.

Compliance overall requirements for enterprise cloud computing

The choice of an enterprise to migrate its business from traditional data centers to cloud computing data centers will face new security challenges, one of the most important of which is compliance with the many regulatory regulations that govern compliance with delivery, measurement, and communication. Cloud computing services users and suppliers need to understand and master the differences and implications of current compliance and auditing standards, processes, and practices. The nature of cloud computing's distribution and virtualization requires significant framework tuning based on materialized information and process entities.

The centralized and unified management platform enables cloud computing to have the potential to enhance transparency and assurance capabilities. In addition, the outsourcing options offered by cloud service providers reduce compliance dependency on scale. Corporate compliance, which would have been costly before the cloud computing era, would allow companies (both profitable and non-profit) to gain market access by providing compliance solutions for the first time by cloud service providers. The Government and other organizations that are inherently in conflict with it are taking security and compliance into account and will be more active in the cloud computing model, with some of the compliance requirements being met through contractual obligations.

In addition, for cloud service providers and users, their regulatory and auditing bodies are increasingly adapting to the new domain of cloud computing. Only a handful of laws and regulations are written for a virtualized environment or a security certificate for a cloud deployment model. Cloud computing users will have a challenge in proving their organization's compliance with the audit body. Understanding the relevance of cloud computing to the regulatory environment will be a key element of any "cloud" strategy. Cloud users must consider and understand the following points:

To give special attention to the application of cross-border or multiple jurisdictions to specific cloud services or service provider regulatory implications;

Distribution of compliance responsibilities for cloud service providers and users, including indirect providers (such as cloud service providers of your cloud services provider);

Cloud service provider's compliance presentation capabilities, including timely documentation generation, evidence generation, and process compliance;

The relationship between the user, the service provider, and the auditing authority (the user and service provider) to ensure that access is as needed (as appropriate) and is aligned with the governance requirements.

Cloud Computing Compliance Recommendations

Specifically, enterprises in compliance, should focus on the following aspects of work:

Corporate governance: an organization that balances the balance between shareholders, boards of directors and management to provide consistency in management, guidelines, guidelines and controls, and to support effective decision-making;

Enterprise risk Management: Organizations adopt methodologies and processes (frameworks) to ensure balanced decision-making based on the identification of specific events and scenarios related to organizational goals (risks and opportunities), the assessment of potential and impact levels, the adoption of response strategies, and progress monitoring to protect and create shareholder value;

Compliance and audit Guarantee: to sort, reserve and initiate necessary corrective actions by assessing compliance status to perceive and follow corporate obligations (CSR, ethical standards, applicable laws, laws, regulations, contracts, strategies, and policies), assess risk and non-compliance costs, and achieve compliance costs.

The information technology used by the cloud is subject to increasing guidelines and laws and regulations. All shareholders expect the organization to proactively comply with multiple regulatory guidelines and requirements. It governance is necessary to meet relevant requirements, and all organizations also need to adopt strategies to implement the requirements. Governance includes processes and guidelines that can successfully reach organizational goals under the constraints of the external environment. Governance requires compliance activities to ensure that operations fully meet these processes and guidelines. In this sense, compliance focuses on external requirements (laws, regulations, industrial standards), and governance is matched with internal requirements (Board decisions, corporate Guidelines) compliance can be defined as perceptions and compliance with corporate obligations (CSR, applicable law, ethical guidelines), Includes assessment and sequencing of appropriate and necessary corrective measures. In some highly regulated environments, transparency can complement internal-specific strategies and become an advantage rather than a constraint to organizational efficiency. Laws and regulations are usually of great importance to information technology and its governance, especially in the areas of monitoring, management, protection and release. It governance is the supporting factor of enterprise overall management, enterprise risk management, compliance and audit/guarantee.

The cloud becomes a governance and compliance assistive technology that enables centralized control and transparency through the management platform, especially the internal management cloud. Through the impact of cloud services, organizations under a certain scale can reach the same level of compliance with larger, more resource-advantaged businesses. Safety and security services become a way for third parties to participate in compliance assessment and communication.

Any compliance approach will involve the entire organization, including IT departments. The role of external suppliers requires careful consideration, responsibility for directly or indirectly incorporating them into governance, and a clear distribution within the user organization.

In addition, the following standards represent the cloud security standards issued by ISO/IEC and ITU-T:

ISO/IEC 27017: Cloud computing Security and privacy management system security Control

ISO/IEC27036-X: Many standards involve supplier relationship Management information security, and follow-up plans will be included as part of the cloud supply chain

ITU-T X.CCSEC: Security guidelines for cloud computing in communications

ITU-T X.srfcts: cloud-based communication service environment security requirements and framework (x.srfcts)

ITU-T X.SFCSE: Software as a service (SaaS) application environment security functional requirements