SOX, PCI, HIPAA, SSAE 16, SOC 2, ISO 27002, NIST... what certifications or compliance standards should legal counsel be looking for when assisting companies in evaluating and selecting a cloud services provider?
In today’s cloud environment, responsibility for security is often shared between the cloud user and the cloud services provider (CSP). Cloud security is new, different and often more complex than managing information security in a user-controlled environment. What makes IT controls in the cloud different from other controls is the nature of the cloud itself: a failure in controls can instantly impact the entire organization and its operations and quickly compromise a company’s entire regulatory compliance program. According to the Cloud Security Alliance, lack of security control transparency is a leading inhibitor to the adoption of cloud services.
Company legal counsel need a basic understanding of cloud technology and cloud computing standards in order to manage legal risks and compliance for the company and to help ensure that material risks will be prevented or detected in a timely manner. Much attention is given to SOX, PCI and HIPAA compliance and to ensuring controls over financial reporting, credit card processing and the protection of health care information. However, compliance with these standards does not necessarily ensure the presence and appropriate functioning of other IT and security controls relevant to cloud computing.
While there are standards developed for pre-cloud computing technologies, such as those designed for the Internet, which can also be used to support cloud computing, other standards are currently being developed to specifically address cloud computing functions and requirements, such as virtualization. One of the things that makes the cloud different is the widespread use of virtual machines. In traditional physical networks, servers are long-lived, capacity is mostly static and servers are protected by network security. In cloud computing, servers are rapidly provisioned and often short-lived, capacity is dynamic and the security picture changes rapidly. It can be difficult to maintain up-to-date secure configurations on virtual machines that are being activated and deactivated in rapid cycles. Virtual machines that are dormant for any period of time may be improperly secured or may introduce security vulnerabilities when activated, since virus signatures and security protocols change constantly and such changes may be overlooked in a dormant virtual machine. Also significant is the fact that security and monitoring solutions for virtual networks are still evolving and are not as mature as those available for traditional physical networks.
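As an added illustration of the dormant virtual machine problem described above (example code, not part of the article): a simple activation gate that refuses to bring a virtual machine back into service until its patch level, signature set and hardening profile match the current baseline. The baseline, inventory and field names are constructed for the example.

```python
"""Flag dormant virtual machines whose security baseline is stale.

Added example; not from the original article. All records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical current hardening baseline: the levels a VM must carry before
# it is allowed back into service. Patch levels use YYYY-MM so string
# comparison orders them chronologically.
CURRENT_BASELINE = {"os_patch_level": "2013-11", "av_signature": 20131115, "hardening_profile": 4}

# A VM idle longer than this must be re-hardened before activation.
DORMANCY_LIMIT = timedelta(days=30)


@dataclass
class VirtualMachine:
    name: str
    last_active: datetime
    os_patch_level: str
    av_signature: int
    hardening_profile: int


def stale_reasons(vm, baseline=CURRENT_BASELINE, now=None, limit=DORMANCY_LIMIT):
    """Return the reasons a VM must be re-hardened before activation (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    if now - vm.last_active > limit:
        reasons.append(f"dormant for {(now - vm.last_active).days} days")
    if vm.os_patch_level < baseline["os_patch_level"]:
        reasons.append(f"os patch level {vm.os_patch_level} behind {baseline['os_patch_level']}")
    if vm.av_signature < baseline["av_signature"]:
        reasons.append(f"av signature {vm.av_signature} behind {baseline['av_signature']}")
    if vm.hardening_profile < baseline["hardening_profile"]:
        reasons.append(f"hardening profile {vm.hardening_profile} behind {baseline['hardening_profile']}")
    return reasons


def activation_gate(inventory, **kw):
    """Map each VM name to its blocking reasons; only VMs with an empty list may be activated."""
    return {vm.name: stale_reasons(vm, **kw) for vm in inventory}


# Constructed sample inventory (not real hosts).
NOW = datetime(2013, 12, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    VirtualMachine("web-01", NOW - timedelta(days=1), "2013-11", 20131115, 4),
    VirtualMachine("batch-07", NOW - timedelta(days=90), "2013-08", 20130901, 3),
    VirtualMachine("db-02", NOW - timedelta(days=3), "2013-10", 20131115, 4),
]

if __name__ == "__main__":
    for name, reasons in activation_gate(SAMPLE_INVENTORY, now=NOW).items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```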
Unfortunately, there is not yet one set of standards consistently used to assess or audit CSPs, which makes it difficult for businesses and their counsel to determine whether a CSP has security and other controls appropriate for a particular business. Additionally, significant standardization gaps remain due to the rapidly changing nature of cloud computing and the fact that the majority of standards being applied to cloud computing services come from pre-cloud era technologies. This has resulted in confusion among cloud users and their counsel as they engage in due diligence about CSPs.
Some standards frequently cited in evaluating cloud service providers include: SSAE 16, Service Organization Control (SOC) reports (i.e., SOC 1 and SOC 2), ISO 27002, various NIST standards, and the Cloud Security Alliance’s CAIQ. A fundamental understanding of these standards is needed in order to assess their relevance to a particular business’ use of cloud computing services.
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (which replaces Statement on Auditing Standards (SAS) No. 70), establishes the requirements and guidance for a CPA examining and reporting on a service organization's description of its system and its controls that are likely to be relevant to user entities' internal control over financial reporting. SSAE No. 16 is frequently referenced by CSPs seeking to demonstrate their credentials as reputable providers of cloud services. Cloud users and legal counsel should understand that the SSAE 16 report is a financial integrity report and is not a cloud-specific standard for which a claim of “SSAE 16 compliance” may be made. The SSAE 16 report addresses whether the CSP followed the protocols and controls that the CSP itself established. The SSAE 16 report is not particularly useful if the CSP’s description of its system was not adequate or sufficiently comprehensive in the first place, which makes a CSP’s “SSAE 16 compliant” assertion a potentially meaningless phrase depending on the situation. Cloud users need to review the SSAE 16 report to ensure that it addresses the controls that are important to the cloud user’s business.
SOC 1 reports cover the controls at a service provider that may affect assertions in the user entities’ financial statements. SOC 1 reports are intended solely for the information and use of existing user entities, their financial statement auditors and the management of the service organization. Like the SSAE 16 report, these reports are not specific to cloud services and may not provide information appropriate for assessing a CSP.
SOC 2 reports are intended to meet the needs of a broad range of users that need to understand internal control at a service provider as it relates to security, availability, processing integrity, confidentiality and privacy. These reports are intended for use by customers, regulators, business partners, suppliers, and directors of the service provider who have a thorough understanding of the service provider and its internal controls. Note that, as with SOC 1, the SOC 2 report relies on the service provider management’s description of the service provider’s system and on the suitability of the design and operating effectiveness of controls. SOC 2 reports are currently viewed as more relevant to evaluating CSPs and related privacy and security controls than SOC 1 reports, even though they are not specifically intended for the cloud.
ISO 27000 standards
The ISO 27002:2013 standard, also known as the Information Technology, Security Techniques, Code of Practice for Information Security Management Standard, is part of the ISO 27000 series of standards and outlines hundreds of potential controls and control mechanisms which may be implemented subject to the guidance provided within ISO 27001. Some companies in Europe and Asia are using the ISO 27000 information security standards as the basis for their internal cyber risk assessments.
The Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) is focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings. The CAIQ is available in spreadsheet format and provides a set of questions a cloud user and cloud auditor may wish to ask of a CSP.
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) publishes a number of standards frequently cited by cloud users when evaluating CSPs. NIST was designated by the U.S. federal government to accelerate the federal government’s cloud computing adoption. The NIST Cloud Computing Standards Roadmap (NIST Special Publication 500-291 ver. 2) provides a useful survey of the existing standards landscape (security, portability, and interoperability standards, models, studies, use cases, etc.) relevant to cloud computing, as well as helpful resources. Appendix A to the Roadmap provides a list of NIST Federal Information Processing Standards and Special Publications relevant to cloud computing. As the name suggests, the Roadmap provides direction for where to head in identifying relevant standards for cloud computing.
Team approach needed
Securing information systems and ensuring the confidentiality, integrity and availability of information are key concerns in cloud computing, since the risk of being compromised is greater in a cloud environment. A team approach is needed to ensure that a company is adequately protected. Legal counsel should work closely with members of the company’s IT, privacy, security and/or compliance teams to select cloud standards that are appropriate to a particular company’s cloud use, since risk management in the cloud must address threats specific to the particular cloud deployment model.