Cloud Computing Regulations


William Donaldson, Mickelly Audam, Tyler Dodds, David Donato Jr.
 
 
Cloud computing is a rising star in the tech world, as it offers a wide range of uses and advantages over standard Internet networks. With the Internet of Things (IoT) growing every day, a flexible and scalable network is needed to connect us all. There are multiple versions, models, and methods of Cloud implementation, each of which meets specific requirements based on the customer’s or user’s needs.
Understanding what you require from the Cloud helps you decide whether Cloud computing is right for you and which variation of the Cloud to adopt. While Cloud computing is an advanced and helpful technology, it does involve numerous risks and regulations. A large number of laws and regulations govern Cloud usage, and understanding what they are and how they apply to Cloud computing is necessary for creating and maintaining a useful Cloud.
 
Cloud computing entails the delivery of hosted services over the Internet. It offers companies the ability to consume compute resources through a third party rather than purchasing and maintaining on-site hardware. Cloud providers deliver their services through several models, such as Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Security as a Service (SECaaS), and Mobile Backend as a Service (MBaaS). Software as a Service (SaaS) permits the user to use the provider’s applications running on a cloud.
These applications are accessible through numerous client devices, such as a web browser. The provider controls and manages the cloud infrastructure, which includes servers, operating systems, and storage. SaaS is often referred to as “on-demand software.” Platform as a Service (PaaS) lets the consumer deploy applications onto the cloud infrastructure using programming languages, services, and libraries supplied by the provider. The user only has control over the deployed applications. This model offers a development environment using a toolkit, along with channels for payment and distribution.
 
Infrastructure as a Service (IaaS), the next model, is the most basic cloud-service model. It offers computing infrastructure, such as virtual machines, to its subscribers. These resources are provided by data centers. For larger-area connectivity, customers can use the Internet or carrier clouds. The cloud user maintains the operating system as well as the application software. Additionally, Security as a Service (SECaaS) is a business model in which a large provider integrates its security services into a corporate infrastructure on a subscription basis. It is more cost effective than most other options. Security is delivered as a service via the cloud.
Some of the various security services offered are anti-virus, anti-malware, and intrusion detection. Finally, Mobile Backend as a Service (MBaaS) gives developers a way to link their applications to the cloud through application programming interfaces (APIs). These services include push notifications, user management, and social network integration. There are also various deployment models of cloud computing: private, where the cloud infrastructure operates for a single organization; public, where services are available to the public; community, where information is shared within a specific community; and hybrid, where the cloud is a combination of two or more of the previously mentioned deployment models.
 
Implementing cloud computing offers many benefits for a company of any size. One of the most significant strengths is increased efficiency, since services can be deployed quickly. This significantly reduces the time it takes to perform normal daily operations, freeing up valuable resources and personnel. Cloud computing also offers enhanced agility when it comes to IT-related projects; results are delivered faster and are of higher quality. Cloud storage also enables a company to adapt to new business models, as well as strengthen existing ones. Having data stored in the cloud eliminates the need for a large number of storage devices on-site. This reduces electricity consumption, lessens the requirement for cooling, and removes the need for IT professionals to install and monitor those devices.
Scalability is another area where cloud computing excels. When a company requires more data storage, instead of purchasing new storage devices, it can simply increase its available resources with its cloud provider. Security is an additional crucial area of cloud computing. While having sensitive data in the cloud can seem risky, virtual private clouds, encryption, and API keys help safeguard the data. Finally, having your company’s network accessible in the cloud enables employees and customers to access what they need from practically any Internet-connected device. Cloud computing is a rising star in the business world, and in the years to come you will see why it is a good idea to switch to cloud computing as soon as possible.
 
Cloud computing is growing in popularity and technological power as businesses are frantically trying to make the switch. Someday soon, not having Cloud computing will be as odd as not having any type of Internet. The world as we know it is changing dramatically, offering a wide range of new technologies as the IoT grows. To connect us all, Cloud computing is up to the challenge. However, the Cloud can be confusing and difficult for many. By understanding the risks involved and by following the regulations previously mentioned, one can be a step ahead of the competition and be ready to make the switch to Cloud computing as quickly and seamlessly as possible.
 
Just like any network, there are numerous laws involved in protecting and sharing sensitive information. Having this data accessible in the Cloud rather than on-premise can cause potential problems. Knowledge is power, and in Cloud computing, being aware of what it is, what it can do, and, more importantly, how to protect the data involved and comply with the various laws and regulations is necessary for evolving one’s network into the Cloud network of tomorrow.
 
The growth of cloud computing and contractual issues
Many factors have contributed to the growth of cloud computing. It is a concept that has been taking shape for many years now.
 
Some of the factors impacting its growth:
i. Moore’s Law: Every two years the cost of a unit of processing power in a computer system will be reduced by half
 
ii. Globalization 2.0: This first started with the dot-com era; then the evolution of the web and its commercialization; then finally the omnipresence of technology and available devices
iii. Globalization 3.0: This phase of globalization includes advancements in technology; speed of broadband; evolution and ease of outsourcing
 
During the last 50 years or so, we mainly dealt with mainframe computing; then we moved to the client-server model; then to the web with the evolution of the Internet.
 
Today there is a significant emphasis placed on virtualization and the cloud, which ensures improved usage of resources, flexibility, and economic growth.
 
 
Contracts usually encompass several aspects, most importantly the scope of cloud services.
This is often outlined in a contractual document that includes some of the most common service scopes, such as:
Service Level Agreement
Cloud support Policy
Termination Policy
Disaster recovery and business continuity
Security and privacy
 
One common concern in cloud adoption is the cloud provider’s use of data
It should be strictly for monitoring and administration of cloud services and aimed at the resolution of cloud-related issues
 
It should be for reports related to statistical data associated with performance and overall cloud operations, aimed at optimizing customer’s use of cloud services
 
It must not divulge information about a customer’s identity or production data pertaining to any consumer
Third party involvement and ownership of intellectual property
Cloud providers generally own every facet of the cloud. However, customers generally own what they provide to the cloud, such as applications developed in cloud infrastructures or customer-provided data
 
A third party may have ownership of data and other components in the cloud, such as social media; medical and health; real estate; and financial data, among others
 
Third-party data and components in the cloud may require separate licensing agreements
 
           
Due diligence, responsibility, security, and privacy in the cloud
Whether the data resides on-premise or in the cloud, it is still the consumer’s data
 
Given this notion, responsibility, security, and privacy obligations cannot be shifted to a cloud provider simply because the provider holds the data
 
Consumers must conduct the necessary due diligence when selecting a cloud provider
They must also ensure that contractual clauses reflect appropriate security standards
They must acquire audit information and other vital data that ensure that cloud providers are on par with security standards
Contractual agreements must also outline the security obligations and the scope of each party
 
All cloud providers ought to be in alignment with security standards such as ISO/IEC 27002
 
Both consumer and provider must agree on security terms covering aspects such as physical vs. logical controls; encryption and data masking; access control; intrusion and network security; disaster recovery and business continuity; audits; and the use of subcontractors to handle the data
 
 
Consumers must decide on which data they are ready to share with a cloud provider
 
When we think about the nature of the data to entrust, it can all be critical in nature: business confidential documents; financial data; personal consumer or medical data, etc.
 
Some of the laws that have been enacted to address consumer security and privacy concerns: Health Insurance Portability & Accountability Act of 1996 (42 USC §1320-d); Gramm-Leach-Bliley Act (15 USC §6801-6809); COPPA (15 USC §6501-6506); FTC Section 5 (15 USC §45)
 
In short, some of the common points to remember in the due diligence checklist:
I. General terms of the cloud service, e.g., service uptime, initial fee for setup, whether there is a storage limit or bandwidth cap on cloud services, extra fees, etc.
II. Geolocation, e.g., data center locations, redundant facilities, etc.
III. Data backup and recovery, e.g., can data be easily restored from the cloud provider? Can a local backup also be considered? What format will the data be in on the cloud?
IV. Security, e.g., can the cloud provider meet security standard requirements?
IV. (cont.) Ensure that the cloud provider employs encryption for data at rest and in transit (client-server communication, data replication to other data centers, etc.)
V. Ensure that the cloud provider is subjected to periodic audits, and inquire about the results or certification of compliance
VI. Ensure that the provider can withstand robust penetration testing and other infiltration techniques
 
VIII. Discuss policies pertaining to eventual data breaches, should they occur
FedRAMP
FedRAMP is short for Federal Risk and Authorization Management Program which is a U.S. government program that provides a standard approach to security assessments, authorization and monitoring of cloud services and products.
 
The governing bodies of FedRAMP include the following entities:
Office of Management and Budget (OMB)
U.S. General Services Administration (GSA)
U.S. Department of Homeland Security (DHS)
U.S. Department of Defense (DOD)
National Institute of Standards and Technology (NIST)
Federal CIO Council
FedRAMP is a mandatory program for US federal agencies.
This is important because it ensures:
A great deal of transparency between government agencies and cloud service providers
Automation in day-to-day operations and service monitoring
Proper adoption of secure cloud solutions
Confidence and consistency in security provided through cloud solutions
Potential Cloud Risks - Loss or Theft of Data
Cloud services that companies pay for are shared services
Many companies utilize the same hardware
Unencrypted data on the cloud is vulnerable
Hackers
Apple iCloud Scandal
Improper disposal of hard drives by the cloud provider
Transmission between cloud datacenter and business servers
 
Protecting Against Loss or Theft
Encryption
Encrypting data is easy and incredibly secure
Does not take additional cloud resources
Required for certain cloud regulations
VPN between cloud service provider and client site
Required by Microsoft Azure Cloud Services
Ensures traffic is secure from site to site
 
Compliance Violations
State, Federal, and Company Regulations
Certain business areas require special cloud regulations
Healthcare Industry – HIPAA
Violations can include penalties over $1,000,000 in a calendar year
Does extend to cloud provider under “business associate” definition
Investigations and Audits will be performed regularly
 
Ensuring Compliance
Data Encryption in the cloud
Access policies to information
Self-Auditing at regular intervals
Creation of compliance officer positions
 
Loss of End User Action
Vendor Lock
Stuck with one company that can enforce whatever measures they want
Cloud companies that provide a unique service are in control
Clients do not have a way to escape contracts because they are so dependent
 
Avoiding Loss of Control
Use multiple cloud vendors if at all possible
Do not move critical processes to the cloud
Only move what is needed to the cloud
Utilize cloud consultation companies
Migrate to a different vendor if necessary/possible
 
Malware in the Cloud
Malware can be a dangerous element when exposed to the cloud
An infected file downloaded from the cloud can infect a huge range of users
Dropbox and Google Drive malware attacks
Infected files uploaded to a private cloud can have the same effect
Could infect entire enterprise over time
 
Fighting Malware in the Cloud
Educate end users on viruses and malware
Have antivirus installed on every system
Have a good firewall in place
Do not download untrusted or third-party files without verification
 
Contract Breaches
Contractual breaches on either end are a serious issue
The customer has to keep their infrastructure maintained per vendor specification
The vendor must keep the promise of uptime
Generally in the 99.99% range or higher
The contractual breach may lead to compensation if the vendor is at fault
 
Cloud Security
Both Cloud Vendor and client are responsible for the security of data
The vendor covers network security and hardware security if they handle the infrastructure
Client covers data security on the servers
Encryption
 
Data Breach
Huge risk in modern-day society
Data breaches occur nearly weekly
Security is handled by both vendor and client
Encryption specifically handled by the client
Customers whose data is breached need to be notified immediately
Risk of fines due to failure to protect sensitive data
Both Vendor and Client could be fined
 
Revenue Losses
High cloud usage could lead to higher costs
Vendor lock could lead to higher cloud pricing
Low revenue combined with high cloud cost leads to loss of revenue
Dangerous if there is no local infrastructure to fall back on
Scale back unused cloud resources you pay for if possible
Consider migrating cloud vendors if necessary/possible
 
Sector-Specific Laws and Regulations - HIPAA
Health Insurance Portability and Accountability Act
Cloud vendor is considered a business associate
Can be fined just like client if HIPAA regulations are breached
Cloud Vendor must be listed as HIPAA compliant if ePHI is stored
Service and Business agreements must be in place
 
HIPAA Usage
Data that is defined under HIPAA should not be disclosed or sent to anyone unless permitted by the person who owns the data
Patient at a hospital or doctor’s office
HIPAA information should be encrypted at all times in the cloud
Data should only be moved through a secure VPN tunnel
 
Gramm-Leach-Bliley Act
Personal financial information must be securely stored
People must be advised on the sharing of their financial information
Opt-out must be provided for the sharing of financial information
Similar to HIPAA compliance, information must be securely stored at all times when it is electronic
Encryption
Cloud providers can be GLB Act compliant
Administrative, Physical, and Technical security
It would be an effort of both the cloud vendor and their client storing data to keep data secure
VPN tunneling and encryption are a must
Self-managed encryption keys may be an additional security measure
 
Payment Card Industry Standard
Security standard for protecting payment card information on the web
Applies to card information that is stored in the cloud
List of requirements provided by the PCI Security Council to be compliant
Audits
Fines and punishment for non-compliance
 
PCI Compliance
Some responsibilities lie with the Cloud Vendor, some with the client, and some are shared responsibilities
Depends on the cloud infrastructure used
Make sure SLAs define that Cloud Vendor will work to upkeep their end of the compliance
Steps to compliance should be stated up front
 
PCI DSS Requirement
Family Educational Rights and Privacy Act
Does allow the usage of Cloud environments to store electronic information relating to students
The school must maintain direct control over any records stored
Vendors and others cannot access the records under any circumstances
Encryption with the school keeping control of encryption keys
Vendors must do their part to keep the cloud network secure
The client must be able to get back all data if the cloud contract ends or the vendor goes out of business
 