menu

Cloud services regulation

0
1358 views

Assuming that, as of today, cloud solutions and architectures are quite defined (with respect to 6-7 years ago) is that the right time for tighter regulations on cloud services simplifying aspect like data protection, security and acceptable scope of service ?

Daniele Vanzanelli
38 months ago

3 answers

1

Interesting question, which could be answered based upon your political leanings if the question is specific to government regulations. Yes, for those preferring more government, no for those preferring less government. That aside, standards bodies such as AICPA are already doing things relevant to the cloud:

*What is SOC 2 Compliance?
Developed by the AICPA, SOC 2 is specifically designed for service providers storing customer data in the cloud. That means SOC 2 applies to nearly every SaaS company, as well as any company that uses the cloud to store its customers’ information.ThreatStackCompliance.png
Before 2014, cloud vendors only had to meet SOC 1 (SSAE 16) compliance requirements. Now, any company storing customer data in the cloud must meet SOC 2 compliance requirements in order to minimize risk and exposure to that data.*

If industry feels a need for increased regulations, they should take a leadership role and empower reputable entities to better define and strengthen standard, using non-governmental organizations, AICPA being an example.

Gates Ouimette
38 months ago
Gates, thank you for your answer. I agree with your point of view but my point was more general and it was about clear regulations on contracts. I know SOC 2 but it doesn't cover (as far as I know) contractual aspects like SLAs, security, pricing models and so on. - Daniele 38 months ago
0

Great response, Gates!

Phil Wilson
38 months ago
0

I would echo what Gates said and expand just a little bit.
I operate in a fairly highly regulated environment (healthcare provider/HIPAA) that has a relatively agressive cloud first strategy. As such we have an agressive vendor security posture assessment process that requies SOC 2 compliance (or even better HITECH) before we will entertain hosting any data with a cloud provider.
Even with industry or even possible governmental oversight of cloud service providers depending on the level of management they are providing (IaaS, PaaS, SaaS, etc.) there will always be a portion of the security responsiblity that falls to the client. As several of the breaches or downtime events in the last year have illustrated even with a services host that is utilizing security best practices and has compliance documentation if the customer does not also have security practices that ensure that gaps are not created accidentally incidents can still occur. For example the contractor for the RNC that moved a file from a secure portion of S3 storage to a publicly available S3 storage in AWS. No amount of host provided security can make up for change control and other IT best practices in preventing these sorts of incidents.
In my mind one of the risks at this point is assuming the service provider is handling security and that responsibility no longer falls on the client. Once we all understand and agree that security is everyone's responsibility it will be best.
In the meantime providers that have documented and audited compliance should be rewarded with increasing market share and ones that clearly don't take this seriously should suffer as cloud consumers try to manage their risk.

Christopher Carrington
38 months ago
Chris, love your last sentence "providers that have documented and audited compliance should be rewarded with increasing market share and ones that clearly don't take this seriously should suffer as cloud consumers try to manage their risk." That summarizes it in a nutshell. - Gates 38 months ago

Have some input?