As the public cloud becomes mission-critical for business and government applications, many standards bodies and government entities worldwide are issuing stronger security guidance and new standards. Much of this comes in the wake of heightened sensitivity over where data resides and who can potentially gain control over it. Though overall stronger security for cloud-specific environments is welcome, a proliferation of standards will make cloud adoption more complicated from an audit and security perspective and can also lead to a fragmentation of the cloud along geographic lines.
State of the Union
In today’s increasingly distributed business environment, a large enterprise or service provider could easily face hundreds of regulations and standards to which it has to adhere, depending on its type of business and the geographies it serves. This becomes particularly complicated from a cloud perspective, where the delineation between which controls the service provider should implement and which the consumer should implement is blurred. Audits become particularly protracted and costly for a cloud-consuming organization as auditors look to gain the same level of assurance they would in an on-premises environment.
We have recently seen data residency come to the forefront as an issue in cloud adoption, with many governments issuing stronger demands around which data is required to remain resident and the conditions under which cross-border data transfer is permitted. If we are not careful, this will quickly give rise to clouds that are established along geographic lines rather than clouds that are built around the functions they serve.
Harmonization versus Unification
The principle behind harmonization is establishing consistent principles across standards, together with a spirit of dynamic co-operation and mutual respect among the issuing bodies, rather than having a single, unified standard. Each standards issuer typically serves the needs of a particular geography, vertical or regulating body, and their requirements do make for stronger security. However, there is roughly a 70 percent overlap in the types of controls across these standards. Yet few of the issuing bodies point to this overlap or to the synergies between them.
Characteristics of Harmonization
To achieve harmonization, the industry must find and cross-map the similarities in underlying principles and, at the same time, identify the divergences: the delta that does not cross-map neatly. Controls across frameworks do not always map on a 1:1 basis, and this is where being able to think more holistically and broadly about the intent of frameworks and regulations, and bucketing them accordingly, is useful.
Typically we have found that organizations that cross-map to a foundational framework such as ISO 27001-2 or similar have been able to reduce their audit times by up to 40 percent by essentially auditing once and reporting multiple times against different standards.
Though the public cloud introduces some new nuances and areas, such as data portability, data residency, supply chain and heightened identity concerns, which require different controls from those for a pure enterprise deployment, compliance harmonization, similar to what many organizations have already adopted in their enterprise deployments, will greatly alleviate cloud audit overload.
Efforts to Achieve Harmonization
The Cloud Security Alliance Cloud Controls Matrix is the salient industry example of a cloud-harmonized framework. Since its inception, the Cloud Controls Matrix has expanded its cross-mapping beyond key industry standards to a number of data privacy regulations and emerging government standards worldwide. The Cloud Security Alliance Privacy Level Agreement has also emerged as a strong framework for identifying common principles across data privacy regulations. Though focused on Europe at this stage, its framework can serve more widely as the basis for a standard data privacy construct for cloud environments.
When the cloud was first conceived back in the 1960s, it was as a giant global Internet network. If standards bodies can find ways to foster further industry co-operation, this is sure to further accelerate the adoption of the cloud.
About the Author: Evelyn de Souza is a Data Privacy and Compliance Leader at Cisco Systems, where she focuses on developing industry blueprints to help organizations embrace the cloud securely and ensure data privacy in an agile manner. She currently serves as the Chair of the newly formed Cloud Security Alliance (CSA) data governance and privacy working group. Evelyn previously co-chaired the CSA Cloud Controls Matrix working group and played an integral role in guiding its development and evolution. Evelyn was recently named to CloudNOW's Top 10 Women in Cloud Computing for 2014.