The ABCs of Cloud Compliance

by Caroline Lowden, director of Internal Audit for Cbeyond

Cloud computing is providing many businesses with a cost-effective, low-maintenance approach to storing and maintaining customer data.

Eliminating on-site servers frees up staff time and money, allowing businesses to invest in additional products without disrupting their workflow. Whether that move also preserves security depends on the provider's controls, which is where compliance reporting comes in.

More cloud, more regulation

This increased reliance on the cloud is creating more focus on regulation, as cloud vendors need to demonstrate that their infrastructure is secure. While the specific regulations, and degrees to which businesses must prove due diligence, vary depending on the industry, the changing nature of standards and reporting procedures can create confusion across the IT landscape.

As more companies use cloud providers as data and processing centers, they should include these providers in the scope of their own compliance audits: outsourcing a process does not outsource responsibility for it. Beyond meeting the requirements needed to operate, regulatory compliance can be a deciding factor for potential customers evaluating cloud providers. With concerns over identity theft and data security lingering, businesses are more likely to select a cloud provider that can demonstrate it has well-defined processes and policies in place.

If your business is either currently evaluating cloud providers, or contemplating a move, understanding the latest standards and compliance requirements can be critical to finding the best fit. And, while compliance can be a complex subject, asking a few basic questions can help you understand just how prepared a potential provider is to securely house your data.

What do these letters mean?

HIPAA, PCI DSS, FISMA … to businesses just starting to grasp regulatory guidelines, these letters can look more like a “Words With Friends” board. To your cloud provider, these letters represent the regulations and industry standards that form the basis of data security compliance.

The American Institute of Certified Public Accountants (AICPA) has issued several attestation frameworks under which an independent auditor reports on a service organization's controls. Note the distinction: these reports describe and test the provider's controls; they do not by themselves certify that the provider, or you, is compliant with HIPAA, PCI DSS or FISMA. Mapping the tested controls to a specific regulation remains your job.

As with the regulations they incorporate, the dynamics of the AICPA’s reporting tools will change over time. However, companies evaluating the cloud should focus on a few primary reporting tools.

The Statement on Auditing Standards No. 70, better known as SAS 70, provided an auditing standard enabling service organizations to demonstrate they had adequate controls and safeguards in place to host and process customer data. With a SAS 70 report, user organizations (and their auditors) could gain comfort over the portion of controls outsourced to third parties as they relate to financial reporting. However, the resulting reports were often misused by user organizations looking for assurance over non-financial elements, including security, that SAS 70 was never designed to cover.

In 2010, the AICPA introduced the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) to replace SAS 70 for service organizations and align U.S. reporting with international practice. SSAE 16 requires the provider's management to make a written assertion that its description of the system is fairly presented and that its controls are suitably designed (and, for a Type II report, operating effectively over the review period). Ultimately, an SSAE 16 engagement results in a Service Organization Control 1 (SOC 1) report, which covers controls at the provider that are relevant to its customers' internal control over financial reporting, not security in general.

To specifically address criteria for evaluating controls in non-financial areas, the AICPA defined the SOC 2 and SOC 3 reports, which independent auditors issue against a fixed set of criteria.

These reports cover IT infrastructure and software-related controls evaluated against five categories: security, availability, processing integrity, confidentiality and privacy. The categories and their associated criteria are commonly referred to as the Trust Services Principles and Criteria (TSPC).

Cloud providers looking to show that their facilities and procedures support client compliance will need a SOC 2 report. Because SOC 2 reports use fixed evaluation criteria, potential customers can compare the controls different cloud providers have specified and tested. As with SOC 1, a Type I report only evaluates the design of controls at a point in time, while a Type II report tests whether they operated effectively over a period (typically six to twelve months), so a Type II is the one to ask for. Read the report itself rather than relying on the logo: check that the scope includes the services and data centers you will actually use, which of the five categories were covered, and any exceptions the auditor noted. A SOC 3 report is a general-use summary of a SOC 2 engagement; organizations that display the SOC 3 seal met all of the trust services criteria in scope without exception, allowing the auditor to issue an unqualified, or clean, opinion.