Cloud services regulation
3 answers
Interesting question, which could be answered based upon your political leanings if the question is specific to government regulations. Yes, for those preferring more government, no for those preferring less government. That aside, standards bodies such as AICPA are already doing things relevant to the cloud:
*What is SOC 2 Compliance?
Developed by the AICPA, SOC 2 is specifically designed for service providers storing customer data in the cloud. That means SOC 2 applies to nearly every SaaS company, as well as any company that uses the cloud to store its customers’ information.
Before 2014, cloud vendors only had to meet SOC 1 (SSAE 16) compliance requirements. Now, any company storing customer data in the cloud must meet SOC 2 compliance requirements in order to minimize risk and exposure to that data.*
If industry feels a need for increased regulations, they should take a leadership role and empower reputable entities to better define and strengthen standards, using non-governmental organizations, AICPA being an example.
I would echo what Gates said and expand just a little bit.
I operate in a fairly highly regulated environment (healthcare provider/HIPAA) that has a relatively aggressive cloud first strategy. As such we have an aggressive vendor security posture assessment process that requires SOC 2 compliance (or even better HITECH) before we will entertain hosting any data with a cloud provider.
Even with industry or even possible governmental oversight of cloud service providers, depending on the level of management they are providing (IaaS, PaaS, SaaS, etc.), there will always be a portion of the security responsibility that falls to the client. As several of the breaches or downtime events in the last year have illustrated, even with a services host that is utilizing security best practices and has compliance documentation, if the customer does not also have security practices that ensure that gaps are not created accidentally, incidents can still occur. For example, the contractor for the RNC that moved a file from a secure portion of S3 storage to a publicly available S3 storage in AWS. No amount of host-provided security can make up for change control and other IT best practices in preventing these sorts of incidents.
In my mind one of the risks at this point is assuming the service provider is handling security and that responsibility no longer falls on the client. Once we all understand and agree that security is everyone's responsibility, it will be best.
In the meantime providers that have documented and audited compliance should be rewarded with increasing market share and ones that clearly don't take this seriously should suffer as cloud consumers try to manage their risk.
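The second answer's point about the S3 move and change control is the kind of gap a client-side gate can catch before a change lands. The following is an added example, not code from this thread or from any vendor: it reads a bucket ACL in the shape `aws s3api get-bucket-acl` returns plus a bucket policy document and reports anything that opens the bucket to everyone. The sample documents and the bucket name are constructed for the example.

```python
# Added example (not code from this thread): a change-control gate that reads a
# bucket ACL (shape of `aws s3api get-bucket-acl`) and a bucket policy document
# and flags grants to everyone. Policy Conditions are not evaluated, so a hit
# means "needs review", not "certainly public".
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    # Permissions the ACL hands to the AllUsers / AuthenticatedUsers groups.
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append("ACL: %s -> %s" % (grant.get("Permission"), grantee["URI"].rsplit("/", 1)[1]))
    return hits

def _anonymous_principal(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy):
    # Allow statements whose Principal is the anonymous wildcard.
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _anonymous_principal(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            hits.append("policy %s: %s -> everyone" % (stmt.get("Sid", "?"), ",".join(actions)))
    return hits

def public_findings(acl_json, policy_json=None):
    # Run both checks; an empty list means the gate passes.
    policy = json.loads(policy_json) if policy_json else {}
    return public_acl_grants(json.loads(acl_json)) + public_policy_statements(policy)

# Constructed sample: ACL flipped to public-read plus a policy granting anonymous GetObject.
SAMPLE_ACL = json.dumps({"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]})
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Run `public_findings(SAMPLE_ACL, SAMPLE_POLICY)` in a pipeline step and fail the change when the list is non-empty; a bucket that only grants its owner FULL_CONTROL returns an empty list.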