Compliance Concerns of Cloud Security

12 10 2011

The list of companies aggressively working in this domain, including Google, Amazon, Salesforce, Microsoft, VMware and many others, suggests that cloud computing is big and will keep growing. With the cloud's potential to host service models such as IaaS, SaaS and PaaS, IT management for many user organizations will be far simpler and cheaper, along with many other advantages. These services are offered in four deployment models: Public, Community, Private and Hybrid.

However, there have been growing concerns about compliance with cloud security in the public deployment model. These concerns need to be addressed in the virtual as well as the physical environment.

Regulation of specific industries, such as health services, financial services and insurance, adds to the complexity of the compliance and governance required[i]. The cross-boundary issue also needs to be addressed: some information must not cross the borders of its country, and in some cases doing so would violate the national privacy and audit regulations that govern the organization. The cloud service provider must also be compliant with the customer's compliance policies so that the integrity of the data can be maintained. The provider also poses an insider threat. A further concern is how data and information will be destroyed when a customer switches between cloud vendors.

To address these concerns, we can choose cloud-based services more judiciously: deciding which data needs to be uploaded to the cloud, who should access that data, and with what level of access. We can then secure the information with better compliance policies.

Authentication and authorization policies must be applied so that data and information are accessible only to the concerned personnel [2]. Confidentiality must also be maintained for data held in the cloud. Such policies help protect the information at the client as well as the vendor location, both against insider threats and where the data is industry specific. If the data or information is highly confidential and its loss could jeopardize the existence of the company, the company can also opt to host that information on its own premises and take the remaining services from the cloud. Security policies such as a sensitive-information labeling policy and a sensitive-information distribution policy must also be adopted by both the company and the vendor. These will help prevent unauthorized access by the company's own employees as well as by the vendor's administrators, or allow access to be granted only with limited permissions. A contract should also be in place with the vendor for implementation of a secure information disposal policy, which may be required on termination of the contract or when the time comes to dispose of the data. An audit of the vendor's cloud service center should be carried out and its results disclosed to customers. This helps clients remain compliant and makes the vendor aware of its non-compliance issues.

Industry-specific cross-boundary concerns can only be addressed with the help of the vendor (in the case of the public cloud model), which must agree to disclose the location of its data and service centers.

If the cloud vendor acts as an extension of the client organization, the compliance concerns of the cloud, and with them its security issues, are greatly reduced.