Meeting Compliance Requirements while using Cloud Services

1. Introduction

Many businesses are required to meet certain compliance requirements either by the government or by the industry in which they operate. For many years businesses were able to gather the necessary data for compliance because they owned their IT system. With the popularity of cloud computing many businesses, both large and small which use cloud services, have to gather the necessary data in order to meet the compliance requirements. In this chapter we will identify the necessary compliance requirements and how businesses could meet those requirements with respect to some of the major laws and industry requirements. These are: Health Insurance and Portability Act (HIPAA), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA), Payment Card Industry (PCI), and Statement on Auditing Standards 70 (SAS 70). These requirements are put in place to provide adequate security and privacy for the data related to financial transactions, health care records, and credit cards. Some of these laws were enacted to address the abuse of trust placed in businesses. All the requirements specified in this chapter relate to laws and requirements in USA. Because of the worldwide reach of many multinational corporations in USA many of these laws and requirements extend beyond USA and are applicable in other countries as well when they relate to businesses in USA. Thus the implications of the use of the cloud services globally have implications when it is related to an American business.

Use of cloud services by its very design leaves the control of the computing infrastructure outside the control of the business using the cloud service. Many surveys have confirmed that this lack of control is a major concern for businesses when it comes to data security. Some technologies are better suited to protecting confidential information than others. Antonopoulos and Gillam discuss many of the fundamental issues associated with cloud computing in their book (Antonopoulos, 2010). Their book provides further amplification on many of the topics discussed in this book. Information Technology is a necessary conduit to facilitate business transactions of all kinds. Today businesses gather vast amounts of data effortlessly from every type of action an individual performs with a business. Some of these data may contain confidential information related to a person’s health or financial standing. The various laws and industry requirements that we will discuss in this chapter address aspects related to privacy and security of such data. In many cases the requirements involve processes and data flow aspects that businesses follow. For the cloud computing industry there is an international organization called Cloud Security Alliance (CSA) that offers guidelines and forums (Cloud Security Alliance, 2013). CSA is the leading industry supported group that provides guidelines to service providers and customers worldwide. Major corporations and government agencies that participate in CSA activities are: Amazon Web Services, Google, Microsoft, HP, Cisco, RSA, Rackspace, Oracle, US Department of Defense, and Salesforce.