Compliance is a significant part of safeguarding a secure business environment in the cloud. In this post, I propose a what is in my opinion likely the best course of action to achieve compliance for small CSPs.
Large Cloud Service Providers
Most of the large CSP work hard to have vigorous security and data protection controls in place, which essentially means they need to uphold certain safety standards in the cloud. As an example, Amazon AWS builds their cloud systems “on top of cloud infrastructure, where compliance responsibilities are shared” (Amazon AWS Cloud Compliance, 2017). Figure 1 reveals the sheer variety of Amazon AWS assurance programs.
Figure 1 – Cloud Compliance – Amazon Web Services (AWS) – (Amazon AWS Cloud Compliance, 2017)
Small Cloud Providers and Cloud Compliance
As we can see illustrated in Figure 1, small CSP does not stand a chance when it comes to acquiring certification depth of large CSPs, such as Amazon. A small CSP must concentrate on running the data center, which consumes most of their time. To implement thousands of security controls across a diverse list of standards and to create enormous compliance documentation would be a huge undertaking for a small CSP. The variety of conformity attestations, laws, regulations and security frameworks is thus out of the reach of most CSP’s, due to affordability associated with obtaining them.
Security and compliance are interchangeable, and that opens up a dilemma for an end customer of a small CSP. Even though I am certain, many of the smaller Cloud Service Providers often do their best to attain at least elementary cloud compliance and certifications; we should still ask: Should the end customer carry the burden of non-compliancy? Moreover, most importantly: Is there anything small CSP can do to achieve a solid compliance in the cloud?
Best Course of Action for a Small CSP
In my opinion, following are some of the ways a small CSP can assure they provide the relatively secure environment and protection of data of their customers.
Obtain the Essential Certifications for your Cloud Model – even a small CSP should always aim to achieve at least general standards and recommendations related to their industry as well as to their government and jurisdiction. But it should be important to choose those that closely relate to their cloud model.
Virtual and Physical Security – A small CSP should always need to ensure that all virtual and physical devices are secure and they need to keep the employee access secured and controlled.
Application Security – This includes securing cloud applications, communication, backups and archives of customer data.
Billing and Credit Card Security – This is often one of the biggest issues. In my opinion, rather than creating a proprietary payment processing platform, a small CSP should likely offload the job of credit card processing to a third party that is compliant with all the security certifications, such as Paypal or Stripe.
Ability to Report a Security Vulnerabilities – This is in my opinion often overlooked part of the day to day business of a small CSP. They are absorbed in supporting infrastructure and sometimes forget about gathering the detailed security feedback. In my opinion, it is more often the end user that the providers themselves who discovered a security vulnerability, so a small CSP should create mechanisms to for their customers to disclose such issues (in a secure way).
While no compliance will assure protection from security issues, it provides confirmation of due diligence on the part of the cloud organization. The compliance is the best way to achieve an overall solid security plan. And it should absolutely be an indispensable part of every cloud organization. The more the CSP puts effort into compliance, the more advantages it can produce. However, sometimes certifications are only used to get a competitive advantage, especially when it comes to small or medium CSPs. I also think that some of the certifications are more just for show than to provide any benefit.
Let’s look at the Amazon AWS list of compliance certifications at https://aws.amazon.com/compliance/
You will find that they are compliant with:
– HIPAA – U.S. Health Insurance Portability and Accountability Act
– National Institute of Standards and Technology (NIST) 800-53 security controls
– PCI DSS – The Payment Card Industry Data Security Standard
– ISO 9001 (global quality standard)
– ISO 27001 (security management standard)
– ISO 27017 (cloud specific)
– ISO 27018 (personal data protection)
One could argue, that for a small CSP, there is no need to go with all these certifications, especially if they cater to a specific sector, such as healthcare for example. In specific targetted markets, there are compliance certifications that may offer benefits of others automatically. When well combined, one or two certifications could be the sufficient and more cost effective way to achieve compliance (as shown in Figure 2).
Figure 2 illustrates a compliance comparison of some of the cloud certifications.
Figure 2 – HiTrustAlliance (2017)
I would like to point you to a white paper: Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53 (Hitrustalliance CSF, 2017), which reasons that for the healthcare organization, CSF is likely the best choice, as illustrated in the following diagram (Figure 1).
The question is, why would a small cloud provider spend all the money to get all certifications when a single certification can provide a complete coverage?
Should we use SME CSPs?
In my opinion, going with a small CSP should not be a deterrent at all. Many of the small CSP provide affordable services that large CSP simply cannot offer at the same price point. For a startup business, that must stay lean, using a service from a small CSP is often the best option to lower the cost. One advice for a business that considers going with a small CSP is always to read the SLAs, to make sure they meet the basic security compliance.
We have concentrated on the conformity of small CSPs, but I have to say, that we should always remember, that the security is not associated only with the CSPs. It should also be achieved right at the forefront, at the customer who uses the cloud environment. Why? Well, because even the most secure cloud environment can be unintentionally compromised, or used in an unsecured way.
Amazon AWS Cloud Compliance (2017). Cloud Compliance – Amazon Web Services (AWS). [online] Available at: https://aws.amazon.com/compliance/ [Accessed 23 Jul. 2017].
Yt2u.com. (2017). YT2U.com – Compliance In The Cloud [online] Available at: http://yt2u.com/?v=RsrDh9i9dU0 [Accessed 23 Jul. 2017].
HiTrustAlliance (2017). Why choose the CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001? – FAQs – 1. [online] Available at: http://hitrustalliance.net/frequently-asked/1/en/topic/why-choose-the-csf-over-other-control-frameworks-like-nist-sp-800-53-and-iso-iec-27001 [Accessed 23 Jul. 2017].
DigitalOcean. (2017). DigitalOcean: Cloud computing designed for developers. [online] Available at: https://www.digitalocean.com/security/ [Accessed 23 Jul. 2017].
Hitrustalliance CSF (2017). [online] Available at: https://hitrustalliance.net/documents/csf_rmf_related/CSFComparisonWhitpaper.pdf [Accessed 25 Jul. 2017].