Four must-read recommendations on cloud computing compliance

Cloud rules are pervasive in government regulations such as the Sarbanes Act (SOX) and EU data protection laws, as small as industry regulations, such as the payment Card Industry Data Security Standard (PCI DSS) and the American Health Insurance Portability and Accountability Act (HIPAA). You may have achieved internal control, but in the process of moving to a public cloud infrastructure platform or cloud-based application suite, you have to give up some control over the cloud provider.

That's a big worry for many auditors, CIOs and CEOs today. They are eager to know: how to vigorously develop the "cloud" while adhering to the cloud rules, to avoid reputation damage. Some analysts, suppliers and consultants have made the following recommendations on this issue:

1. Understand the impact of cloud on it workloads

When you evaluate cloud vendors, try to find vendors who can provide good strategies for user identity, access management, data protection, and incident response. This is the most basic compliance requirement. Then, once you have specific compliance requirements for future suppliers, you will likely encounter specific "cloud" challenges.

Data positioning is one of them. The EU Data Protection Act, for example, prohibits the outflow of personal information from EU residents. Therefore, your cloud provider must ensure that EU customer information is kept on European servers.

Multiple tenant and cleanup configurations also pose challenges. Public cloud providers employ a multi-tenant architecture to reduce server workloads while reducing costs. But that means sharing server space with other businesses. So you have to be aware of what protection the cloud provider can offer to avoid compromising with other businesses. Depending on how important the data is, you may need to encrypt it. For example, the American Health Insurance Portability and Accountability Act (HIPAA) requires that all user data be encrypted regardless of whether the data is being used.

As password identity authentication technology becomes more complex, it is increasingly challenging for users to clean up their configuration. Admittedly, the Federated Identity Management program helps users more easily log on to multiple "clouds," but it also makes configuration cleanup more tricky. "When employees leave the company, you want to click the button, you can automatically close their Windows account and all enterprise internal applications." At the same time, you want employees ' mobile phones to have no access to corporate information, and employees have no access to enterprise SaaS applications. "The automatic cleanup configuration has not yet been implemented at the same time as the cloud platform and the internal deployment system," said Tom Kemp, Centrify president of the Identity Management and compliance tool provider.

2. Tracking the changing cloud standards

Like it or not, you are the early adopters of the cloud. Which applications are migrated to the cloud? When do you migrate? Deepening the understanding of new cloud computing standards helps make better choices.

Today you can refer to SAS Type II and ISO 270,012 standards to comply with government and industry regulations on financial and information security. But these standards are not necessarily suitable for company development.

"Standards such as ISO 27001 and SAS 70 are effective but may be outdated." "When it comes to data security, identity management and administrator control, these standards are not very specific," said Jonathan Penn, vice president and chief analyst at Forrester Research, a market researcher. We have to let users know what's coming, and now it's almost a "black box." ”

Increased transparency is a major goal of the Cloud Security Alliance (CSA). CSA has been established for 3 years by users, auditors and service providers of the broad welcome, the main goal is to standardize the audit framework to enhance communication between users and cloud providers.

Currently, the GRC (monitoring, risk and compliance) Standard Suite is progressing well, with 4 major elements: Cloud Trust protocol, Cloud Audit, consensus assessment initiative and cloud Control matrix. Among them, the cloud control matrix lists the basic requirements that enterprises comply with their IT control domain standards, such as "Human resources-termination of employment relationship" in spreadsheet form. The Consensus Assessment initiative provides a detailed questionnaire on users and auditors ' specific expectations of suppliers in the area of control.

Based on CSA and other alliances, including industry groups, government agencies, the joint efforts of the next few years, the new standards will emerge. CSA has been formally aligned with ISO (International Organization for Standardization), the ITU (ITU), NIST (American National Standards and Technology Association) to help these organizations further refine their standards. As of the end of 2010, 48 industry groups have worked on cloud safety-related standards, according to research firm Forrester Research.