What is Cloud Compliance?
Definition
Cloud Compliance is the art and science of using cloud services in accordance with regulatory standards, industry guidelines, and local, national, and international laws, such as:
- PCI DSS protects credit card information handling
- HIPAA protects a patient’s healthcare information
- SOX protects the financial information of public companies
- GLBA protects the data of financial institution customers
- …
However, they all share a unified goal: keeping sensitive data secure.
Security is a Shared Responsibility
The cloud involves infrastructure the organization neither owns nor manages. Hence, organizations share responsibility for access control with their cloud providers.
The cloud provider updates and controls access to the components it administers, including the host operating system, virtualization software, hardware, and facilities.
The organization, in turn, retains responsibility for updating, patching, and controlling access to the components it layers on top of the cloud infrastructure—applications, guest operating systems, and security software.
The organization’s responsibility includes configuring any firewall services provided by the cloud provider that the organization uses for policy enforcement.
This partnership is often summarized as:
- the cloud provider is responsible for the security of the cloud
- the organization is responsible for access to its resources in the cloud
Demystifying Acronyms
If you dive into the realm of compliance, you stumble upon an endless number of acronyms for standards and compliance frameworks; here is a list of those most often encountered, depending on your geography:
- HIPAA … Health Insurance Portability and Accountability Act - mandates the security of electronic healthcare information, confidentiality and privacy of health-related information, and information access for insurance.
- PCI DSS … Payment Card Industry Data Security Standard - a set of security standards that enables all organizations to accept, process, store, and transmit credit card and financial information.
- GLBA … Gramm-Leach-Bliley Act - organizations must communicate how user information is shared and protected, provide the right to opt out, and apply specific mandated protections.
- PIPEDA … Personal Information Protection and Electronic Documents Act - provides rules for organizations to handle user information in commercial activities.
- EU GDPR … General Data Protection Regulation - the most stringent privacy and security regulation; it mandates an exhaustive set of requirements on organizations handling the data of European Union (EU) residents and imposes harsh penalties for noncompliance.
- SOX … Sarbanes–Oxley Act - mandates requirements on financial disclosures, audits, and controls of information systems processing financial information.
- NIST … National Institute of Standards and Technology - provides guidelines on technology-related standards, security, innovation, and economic competitiveness.
- FedRAMP … Federal Risk and Authorization Management Program - is a standardized program for the security assessment and evaluation of cloud-based systems.
- HDS … Certification Hébergeur de Données de Santé - Health Data Hosting Certification; ensures that personal health details are treated as sensitive data. Their handling is regulated by law to protect our rights, so this critical information has to be hosted with an adequate level of security. The HDS Reference System defines these requirements.