There is a whole panoply of rules and regulations. Some of these probably apply to your business. The regulations don’t change because you move into the Cloud, but you have added at least one more partner that must be included: your Cloud Service Provider (CSP). In some cases, the CSP can actually handle the compliance for you, and there is a new Cloud model, the Community Cloud, that is aiming at making compliance easier.
The Community Cloud is a Public Cloud that is limited to a specific set of organizations with similar security requirements. They can share infrastructure or even software solutions and realize the financial and agility benefits of Cloud Computing. Since there are fewer users to share the costs, this option is more expensive than a standard Public Cloud but less costly than each organization going it alone. By focusing on a single set of requirements, the Community Cloud CSP can offer a higher level of privacy, security and policy compliance. Perhaps more importantly, the CSP can have the trained staff that understands these security requirements thus providing a more secure and consistent environment than each individual organization can likely afford.
A partial list of US compliance regulations:
- GLBA (Gramm-Leach-Bliley Act, aka Financial Services Modernization Act of 1999)
- SOX (Sarbanes-Oxley, aka Corporate and Auditing Accountability and Responsibility Act)
- PCI-DSS (Payment Card Industry Data Security Standard)
  Required of every organization that handles credit or debit card information. This is probably the strictest compliance requirement outside of highly classified military/intelligence environments. The DSS specifies an annual audit by a certified third party.
- There are financial and criminal penalties for non-compliance with any of these. Mess up on PCI-DSS twice in a row and you can lose the right to process payment cards.
- HIPAA (Health Insurance Portability and Accountability Act)
  HIPAA protects Electronic Private Health Information (EPHI). It has rules on administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of EPHI. A side effect of HIPAA is the form you have to sign at least annually to allow your doctor to even talk to you about your health; that form also specifies who else the doctor can talk to about you.
- HITECH (Health Information Technology for Economic and Clinical Health Act)
  Covers the security of transmission of EPHI data.
- There are financial and criminal penalties for non-compliance with both HIPAA and HITECH, plus an organization can lose its accreditation.
- FISMA (Federal Information Security Management Act of 2002)
  Recognizes the connection between economic security and national security. It defines a framework for information security for all systems operated by the US government, or by contractors for the government. It requires that all such systems be certified and monitored.
- Patriot Act
  The biggest impediment to being secure and protecting your data and that of your customers. It allows the US government to search or even physically take virtually any data without a court order.
- 46 States plus DC, Puerto Rico and the US Virgin Islands have breach notification laws. Most are based on California’s, but the restrictions and penalties vary by State. Most, but not all, exempt reporting a breach if the data “stolen” was encrypted. If you are curious, the missing four are Alabama, Kentucky, New Mexico and South Dakota.
And these are just the main ones in the US. There are laws in other countries covering the same categories. Privacy laws in Europe, for example, differ from US privacy laws in some very important areas. Individual countries (like Germany, Switzerland and the UK) and sometimes smaller jurisdictions (like German States) have their own privacy laws. Most of these are based on the EU Data Protection Directive (DPD), which is labeled as both privacy and human rights legislation.
The EU DPD has seven principles:
- Give notice when data is collected
- Use only for the purpose collected
- Obtain consent before disclosure
- Keep secure from potential abuse
- Must disclose who is collecting
- Subject is allowed access and the ability to correct data
- Hold collectors accountable for these principles
Number 6 (subject access and the right to correct data) is a significant departure from US law. The EU DPD also regulates cross-border transfer, especially outside of the EU, although some of the EU countries have more restrictive rules.
Canada has PIPEDA (Personal Information Protection and Electronic Documents Act) which is closer to the EU DPD than US laws.
Australia has its Privacy Act and Privacy Amendment which contains ten National Privacy Principles. These pretty much cover the same material as the EU DPD. It does have one interesting addition: the subject of the data must give consent to have the data sent to another country.
All of these privacy laws apply to the issuing jurisdiction’s citizens, not the political entity where the data is stored. If your CSP has a data center in Alabama (one of the states currently without a breach notification law), it won’t protect you from violating Nevada law if you have covered information about a person with a legal residence in Nevada. Because the laws are not consistent, if you have a worldwide customer base and are keeping protected information, it is probably impossible to be compliant with all of them. It is safest to figure out the strictest set of privacy rules that apply, and strive to follow those.
This variety of privacy requirements can lead to some interesting scenarios. Consider the US law introduced after the terrorist attacks on 9/11 that requires all airlines flying into the US to provide PNR (Passenger Name Records) within 15 minutes of takeoff, and that the US Bureau of Customs and Border Protection (part of the Department of Homeland Security, DHS) would archive those PNRs as part of the War on Terror. PNR contains information protected by the EU DPD. The transmission of the data to the US DHS, the retention of that data, and possible future sharing of that data with numerous and unknown organizations violate several of the EU DPD principles. The result is almost comical. The US Department of Commerce created “Safe Harbors” that exploit a loophole in the EU DPD. There are lots of unhappy enforcers, and lots of unhappy privacy advocates.
This is a prime example of Ben Franklin’s quote: “Anyone who trades liberty for security deserves neither liberty nor security”.
The last word:
Compliance is required. Security is optional. The US Secret Service / Verizon RISK Team “2010 Data Breach Report” studied data breaches at hundreds of organizations. Naturally, many of those breaches involved payment card data. 21% of the organizations that had payment card data stolen had passed their most recent PCI-DSS compliance test. Compliance is not enough by itself. Being secure, and protecting your customers and your business, requires constant vigilance.
Make sure you understand your compliance requirements. When you are selecting a CSP, spend the time to make sure the CSP can meet those requirements. Many won’t be able to. A few will tell you they can, but can’t. Be ready to walk away. Ask for references of current customers with the same compliance requirements and talk to them. Make sure they have passed their compliance audits. Ask them if they have had any security problems, although hardly anybody will tell you if they have. At least check the news archives for any stories about them since they went to the Cloud.
Keep your sense of humor.