Shouldering the burden of compliance

Cloud computing has become a mainstream affair. If you walk into any business, be it a multi-national enterprise or a locally based SME, there is a good chance you will encounter cloud services of some sort. This is a fact supported by the Cloud Industry Forum (CIF), which reported that 61 per cent of UK businesses are now using cloud services.

By Peter Groucutt, Managing Director, Databarracks.


The benefits of cloud computing are well documented; however, organisations often overlook the impact cloud services can have on compliance and governance.


When moving to a cloud service provider (CSP) there is often a misconception that once data is transferred, organisations can wash their hands of all responsibility, leaving it entirely with the CSP to ensure compliance and risk practices are observed. This is not the case. In fact, when working with a CSP, the complexities of compliance are often increased.


By nature, cloud computing necessitates greater transparency and control in comparison with traditional, on-premises IT solutions, as systems become more complex and stakeholders more varied. Organisations are essentially giving the CSP direct access to their systems, significantly increasing the number of potential failure points. It is essential, therefore, to determine whose responsibility it is to ensure governance standards for performance, security, confidentiality and integrity are met.


A move to cloud services requires an organisation to truly realise how risks to their business will increase or evolve over time, in order to identify weaknesses and employ the necessary processes to maintain watertight security. A good service provider will help you to do this; a bad (or badly managed) provider could end up being a weak link in the chain. This is why it is so important for businesses to build a strong and collaborative relationship with their CSP, in order to effectively share the burden of compliance.


The level of involvement required from an organisation and its service provider, or the ‘division of labour’, depends heavily on the governance standard in question. Below we discuss four key governance standards and where the division of responsibility lies within each.


ISO 27001
ISO 27001 is an international standard that describes best practice information management in organisations. It is part of a wider set of standards called the ISO/IEC 27000, which is managed by the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC).


In order to become ISO 27001 certified, a risk assessment must be undertaken at least annually or in the event of significant changes to the information system. A move to cloud services using a CSP would necessitate a full risk assessment to be carried out in order to realise any increase, decrease or evolution of risk to the business.


Working with a service provider that is also ISO 27001 certificated will further offset any risks, as they too will have to complete the necessary risk assessments to identify and mitigate any threats to data security. However, even if a CSP is certificated, they are not necessarily accountable for the integrity of your data. Sound contracts should be in place, detailing where responsibility lies between parties. It remains the organisation’s duty to define comprehensive SLAs within these contracts, stating how services will be delivered, how they will be measured and any associated penalties.
It is possible to work with a CSP that is not ISO 27001 certificated, but this necessarily increases the risk to your business. Risk assessments will flag the need for external audits on the systems and processes in place within the CSP’s organisation, in order to highlight the appropriate controls that should be implemented. This obviously puts a further burden on your resources.


PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is managed by the PCI Security Standards Council, which was originally formed by Visa, MasterCard, American Express, JCB and Discover Financial Services.


Unlike ISO 27001, PCI DSS is more prescriptive in that it outlines specifics as to how networks and firewalls must be designed and configured in order to provide a minimum level of segregation between system components, rather than allowing the organisation to decide based on risk.
As PCI DSS is a technical, prescriptive standard, the architecture of the cloud platform, and any virtual and physical network components and firewalls, will be examined to ensure the design and configuration complies with the requirements.


The merchant is ultimately responsible for end-to-end compliance and must consequently ensure it is very clearly defined in any third party contracts, such as with a CSP. A ‘Roles & Responsibilities’ table is typically used to assign owners to each individual PCI DSS requirement, and includes any tasks that require joint ownership.


Business Impact Level: IL3
IL3 is a category of risk on the seven-point Business Impact Level scale issued by the Communications-Electronics Security Group (CESG) in conjunction with the Cabinet Office, which is employed throughout all HM Government departments to classify information systems.
It is designed to identify and assess technical information risk for documents and assets of various classification levels, which correlate to the Government's security classification hierarchy, ranging from IL0 (information that would have no impact if compromised) to IL6 (information that would have severe consequences if compromised).


IL3 is used for any data that could disadvantage, damage or cause embarrassment to major UK companies, government bodies or diplomatic relations. It has recently come to prominence due to the G-Cloud framework, which has introduced pan-government accreditation, increasing the number of CSPs able to serve departments holding IL3 data. The accreditation process uses ISO 27001 as a baseline – any CSP that is ISO 27001 certificated can be accredited by the same body to IL2.


Sarbanes-Oxley
Sarbanes-Oxley (SOX) is legislation that was introduced following a number of high-profile accounting scandals such as Enron and WorldCom. Its primary purpose is to reduce the opportunity for commercial fraud in an organisation and ensure all accounting activities can be audited so even if fraud takes place it will not go unnoticed.


Although Sarbanes-Oxley is American legislation, any large international company with equity or debt securities registered with the SEC (Securities and Exchange Commission), and any company listed on the US stock markets, may be liable for compliance.


As well as making sure your own internal systems are compliant, any organisation using a SaaS accounting system must ensure that the applications and deployment models of the SaaS provider are also fully compliant in terms of retention capacity and accessibility.
In addition, contractual agreements with CSPs must ensure controls are implemented that prevent unauthorised access to the information, therefore preventing records being changed or deleted.


Compliance is nothing new
Compliance isn’t new, nor is managing the involvement of third parties, but cloud computing does bring different compliance challenges. With cloud services, the CSP takes some of the onus from the customer, and the responsibility is shared. While the buck ultimately stops with the business to carry out internal assessments and ensure the correct controls and SLAs are in place, CSPs can take an active role in the process.


When looking at these key governance standards, it’s imperative to understand the differences that exist between them in terms of the division of responsibility between an organisation and its CSP. IT departments need to be aware of the questions they should be asking their CSP, in terms of data retention and deletion policies for example, and the service provider needs to understand how to satisfy those requirements.
Peter Groucutt, Managing Director, Databarracks