Monday night, I am heading over to the The Evening in the Cloud program at this year’s Enterprise 2.0 Conference. They asked me to help grill the vendors on compliance issue
More software and business operations are being pushed into the cloud. Why buy the hardware and software when someone else will run them for you?
I thought I would put together my thoughts on some of the compliance issues I think about when it comes to cloud computing.
One aspect of records management is ensuring that important records are kept. Importance can be either because of a business need or a regulatory requirement. The other aspect is data destruction. Once that record is not important and no longer required to be kept, you want to make sure it is destroyed and destroyed forever. Multiple backups in multiple places of old records is huge headache when forced into e-discovery and the delivery of records as part of litigation.
Whether you’re in the midst of an audit or an investigation, thorough logs are the key to proving compliance. So how do you prove your organization is (or was) compliant when you aren’t able to maintain logs? Audit trails must be auditable.
Terms of Service.
Consumers are used to clicking through the Terms of Service without reading it. Businesses will read it and want to negotiate it. If the vendor’s Terms of Service has a typical consumer provision allowing the vendor to unilaterally change it, throw that vendor out the door and don’t bother talking with them.
You need to address how a forensic examination of the systems can be run as part of government or internal investigation of wrongdoing.
It is not truly a cloud. There are physical servers that are sitting in a building somewhere. That physical location subjects them to the law of that jurisdiction. There are obviously some countries that you do not want. (Anyone in North Korea?) There are also some questionable locations. There are some companies that don’t want their operations being run on servers located in China. You should not be surprised that some companies do not want their servers in the United States because of the confiscatory provisions of the US PATRIOT Act.
Geography also implicates personal data privacy. If you are using the cloud service to host information about people (employees or customers) you need to think about how the service compliance with the multitude of personal data privacy laws. The most difficult is probably the EU Data Protection Directive.
If your information is combined with another company’s information on the same server, you risk being subject to their wrongdoing. There was a well-publicized raid of a server farm, with law enforcement seizing servers, shutting down businesses with their operations running on those servers.
Credit Card Processing
If you are processing payments, you need to be PCI DSS compliant. If the vendor asks what PCI means, throw them out.
Vendor should have a SAS 70 Type II Audit.
SAS 70 was designed to provide a highly specialized audit of an organization’s internal controls to ensure the proper handling of client data. SAS 70 Type II certification ensures that client data is protected in a data center that is using industry-leading best practices in information technology and security. Vendors that undergo a SAS 70 Type II audit are stringently evaluated on such elements as systems, technology, facilities, personnel management, and detailed processes for handling client data. At the end of a six-month process, vendors receive a comprehensive audit report that includes a description of their operational controls and a description of the auditor’s tests of operating effectiveness. At regular intervals after the initial audit, vendors go through additional audits to maintain their SAS 70 Type II status. In brief, SAS 70 provides assurance that a vendor has put in place comprehensive systems to ensure data security.
Of course, there are other issues. Depending on your industry, some of these may be more of a concern than others.