SOX, PCI, HIPAA, SSAE 16, SOC-2, ISO 270002, NIST ... What certifications or compliance standards should legal counsel be looking for when assisting companies in evaluating and selecting a cloud services provider?
In today’s cloud environment, responsibility for security is often shared between the cloud user and the cloud services provider (CSP). Cloud security is new, different and often more complex than managing information security in a user-controlled environment. What makes IT controls in the cloud different from other controls is the nature of the cloud, where a failure in controls can instantly impact the entire organization and its operations and quickly compromise a company’s entire regulatory compliance program. According to the Cloud Security Alliance, lack of security control transparency is a leading inhibitor to the adoption of cloud services.