Due diligence processes for cloud computing compliance

Moving IT operations to the cloud requires careful due diligence to maintain compliance with HIPAA, GLBA and other regulations.

You have a dilemma. The company you work for has decided it will be moving some of its core IT operations to the cloud. As the information security officer, dread builds as you think about all of the confidential and proprietary data moving out of your control. All of the regulatory requirements governing that data start to run through your head. Does your company realize the risk surrounding what they consider a simple cost reduction?

This is the reality most information security professionals face. The cloud computing revolution is upon us. It is impossible to ignore the talk everywhere about potential uses and cost savings for this new style of computing. This new computing model also forces a shift in thinking about information security and privacy, as well as compliance. The policies and procedures that information security used in a client-server computing model need to be reviewed and overhauled. This is a new frontier for computing that comes with a new set of risks and organizations need to be prepared.

The fact to keep in mind is that cloud computing is not an entirely new concept [SEE "Nothing New" below]. The idea of utilizing shared computing resources through a recurring expense model has been around since the dawn of information technology. Cloud computing adds to this model somewhat by including connectivity over the Internet. And for us in the age of Sarbanes-Oxley, HIPAA, and other regulations and industry standards, it comes with compliance challenges. How do you maintain compliance and help your company achieve the cost savings promised by cloud computing? Let's take a look at some of the major regulatory mandates and how companies can implement a cloud-based solution without jeopardizing compliance. 

HIPAA
The HIPAA security rule went into effect in 2005 with the purpose of safeguarding patient privacy through the use of technology, procedures and policies. It can complicate the adoption of cloud computing in healthcare, but it is not impossible to adopt cloud solutions while remaining compliant with HIPAA. Cloud computing services must be considered just as any other outsourcing agreement. The key to a successful and compliant implementation of a cloud computing solution begins with a detailed due diligence procedure and risk assessment. This focus on risk assessment and management is the most important factor to consider when evaluating any solution with regard to HIPAA compliance.

The due diligence assessment is critical in determining the risks and mitigation strategies that the cloud computing provider has put in place. This is very important with HIPAA compliance, as it contains very strict requirements for the encryption of personal health information. Any exposure of unsecured information requires a breach notification to the patient. Your company will be listed on the U.S. Department of Health & Human Services website if there are 500 or more patients involved, and it may face civil penalties of up to $1.5 million. Your state's attorney general also has the right to investigate and enforce HIPAA for these violations if the fine is not enough of a deterrent.

Writing the due diligence requirements for auditing potential cloud service providers can seem daunting. It may not be necessary to reinvent these requirements as a number of them can be satisfied by reviewing an SAS 70 from the cloud provider. A Statement on Auditing Standards No. 70 or SAS 70 is an auditing statement issued by the American Institute of Certified Public Accountants (AICPA) for auditors to review the controls of a third-party service such as a cloud provider. This statement provides an audited, comprehensive list of all of the controls in place at the organization and their impact on financial reporting. There are two types of SAS 70: A Type I report includes the auditor's opinion of the design of the controls while a Type II also includes the auditor's opinion of the operating condition of those controls. The SAS 70 Type II report can provide a solid foundation for any cloud service due diligence process.

HIPAA requires that any third party that needs access to an organization's health care information must sign a business associate agreement. This applies to cloud computing vendors as well. These agreements are simple in scope and should not be the only contractual information security language exchanged between the health care customer and the cloud computing vendor. However, this agreement serves a very important function. The business associate agreement now requires the cloud computing vendor to comply with HIPAA just as any other health care provider. This change was rolled out in the HITECH Act as part of the retooling of HIPAA that occurred with the 2009 American Recovery and Reinvestment Act. This relatively new development allows for a prospective customer to evaluate a cloud service offering using HIPAA regulations as the standard.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) is interesting for its impacts both on the modern economy and on information security. The bill was originally authored to give banks the freedom to merge with other non-bank related businesses to form the large conglomerate banks of today. Commercial banks were now allowed to do investment banking as well as commercial banking, which set the stage for the financial catastrophe that followed in 2008. The financial privacy sections of GLBA were not the primary impetus for this legislation but have the most impact on the selection of cloud services in the financial industry.

Financial institutions must take reasonable steps to ensure that the cloud services provider is capable of the appropriate safeguards defined in GLBA. The cloud provider must be under a contract similar to the HIPAA business associate agreement. However, this agreement must contain more detail as there are no requirements for the cloud services provider to be covered under GLBA in the same way that a HIPAA business associate would be covered under HIPAA. This agreement needs to include all of the technical security provisions to comply with GLBA as well as assignment of liability and other damages. It must also support the ability of the cloud services provider to honor your customers' requests to opt out of sharing their financial information.

This contract may sound onerous but any competitive cloud services provider will be able to meet or exceed these specifications. Only cloud services providers running data centers in their garages will object to these contract stipulations.

Authentication and managing identities becomes all important in the cloud

"Who are you?" is not just a classic rock song. Authentication is a requirement to comply with all of the major federal regulations such as HIPAA, GLBA, and Sarbanes-Oxley, but can be easily overlooked when companies design their cloud services strategy. The lack of an identity management system can introduce risks and hidden costs, adversely affecting any cloud services implementation and exposing the company to possible loss or litigation. Complexity grows as a company adopts multiple cloud-based solutions where users are required to use different identities to perform their daily work. Identity management in the cloud requires careful planning of both the technology and processes involved.

Provisioning accounts is an important issue with cloud-based services as proprietary company data is now accessible from anywhere. This creates a need for automated, real-time account management and the ability to rapidly de-provision accounts. How long will an ex-employee have access to company data after he or she has been discharged? The account privileges granted through this process need to be granular and support role-based access. They should also be periodically reviewed to verify appropriate permission levels and uncover any outdated accounts.
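The periodic account review this paragraph calls for, written out as an added example (not code from the article): it reconciles a cloud provider's user export against an HR feed and a role-to-permission baseline, flagging terminated employees still enabled, logins after termination, accounts idle beyond a threshold, accounts with no HR owner, and permissions beyond the assigned role. The employee ids, roles, permission names, dates and the 90-day idle threshold are all constructed assumptions.

```python
from datetime import date

# Constructed HR feed: employee id -> status, role, optional termination date.
HR_RECORDS = {
    "e100": {"status": "active", "role": "claims_analyst"},
    "e101": {"status": "terminated", "role": "claims_analyst",
             "termination_date": date(2024, 3, 1)},
    "e102": {"status": "active", "role": "billing"},
}
# Constructed least-privilege baseline: role -> permissions it is entitled to.
ROLE_PERMISSIONS = {
    "claims_analyst": {"claims:read", "claims:update"},
    "billing": {"invoices:read", "invoices:create"},
}
# Constructed cloud provider user export (the kind of list a SaaS admin console exports).
CLOUD_ACCOUNTS = [
    {"user": "e100", "last_login": date(2024, 6, 1),
     "permissions": {"claims:read", "claims:update"}},
    {"user": "e101", "last_login": date(2024, 3, 5),
     "permissions": {"claims:read"}},
    {"user": "e102", "last_login": date(2024, 1, 2),
     "permissions": {"invoices:read", "invoices:create", "admin:all"}},
    {"user": "svc-legacy", "last_login": date(2023, 11, 1),
     "permissions": {"claims:read"}},
]
TODAY = date(2024, 6, 10)  # assumed date of the periodic review


def review_accounts(hr, roles, accounts, today, stale_days=90):
    """Return (user, finding, detail) tuples for every account needing action."""
    findings = []
    for acct in accounts:
        user, last_login, perms = acct["user"], acct["last_login"], acct["permissions"]
        rec = hr.get(user)
        if rec is None:
            # Nobody in HR owns this account: orphaned or shared credential.
            findings.append((user, "no_hr_record", ""))
            continue
        if rec["status"] == "terminated":
            gap = (today - rec["termination_date"]).days
            findings.append((user, "terminated_still_enabled", f"{gap} days since termination"))
            if last_login > rec["termination_date"]:
                # Evidence that the de-provisioning lag was actually used.
                findings.append((user, "login_after_termination", last_login.isoformat()))
            continue
        idle = (today - last_login).days
        if idle > stale_days:
            findings.append((user, "stale", f"{idle} days since last login"))
        # Anything beyond the role baseline is privilege drift.
        excess = perms - roles.get(rec["role"], set())
        if excess:
            findings.append((user, "excess_permissions", ",".join(sorted(excess))))
    return findings


def accounts_to_disable(findings):
    """Users to de-provision immediately rather than merely review."""
    urgent = {"terminated_still_enabled", "no_hr_record"}
    return sorted({user for user, kind, _ in findings if kind in urgent})


if __name__ == "__main__":
    results = review_accounts(HR_RECORDS, ROLE_PERMISSIONS, CLOUD_ACCOUNTS, TODAY)
    print(*results, sep="\n")
    print("disable now:", accounts_to_disable(results))
```

In practice the HR feed and account export would be pulled from the HR system and the provider's user API on a schedule, and the "disable now" list fed back to the provider the same day.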

Federated authentication must be considered with the adoption of cloud-based services. The increasing number of user accounts and passwords will increase complexity and cost if a company utilizes multiple cloud providers. It will be necessary to deploy federated accounts, allowing account synchronization between the systems and simplification for the end user. Security Assertion Markup Language (SAML) is one of the preferred open standards for cross-domain Web service authentication. Not all cloud providers support this form of federation, so it must be considered in the due diligence phase.

There is another authentication issue to consider when utilizing cloud-based services: Strong or dual-factor authentication should be an option, depending on the sensitivity of the information or service. The company must consider the ramifications of a compromised account on confidential data stored in the cloud. There have been enough attacks on Gmail accounts, for example, that Google now posts a warning if an account has been accessed from China. Google has responded by offering dual-factor authentication for business accounts. Dual-factor authentication is also an option for the popular online video game World of Warcraft. The confidential data of a company is likely worth more than a video game user account, so the level of authentication required for accessing this data should reflect this value.

Sarbanes-Oxley
Sarbanes-Oxley is another law that has implications for information security even though its primary motivations were quite different. Passed in 2002 in the midst of multiple corporate accounting scandals, this law created far-reaching controls and audit requirements for publicly traded companies in order to restore public confidence. Sarbanes-Oxley Act Section 404, "Management Assessment of Internal Controls," contains the information pertinent to any business looking to utilize cloud services while maintaining compliance. This section mandates documented processes and controls for any publicly reported corporate financial information. It also requires that the corporate officers personally sign and approve the final reports and attest to any deficiencies in these controls. These controls become less visible when these systems are running in the cloud. This requires serious scrutiny of the cloud provider, just as HIPAA and GLBA do.

The due diligence process for selecting a cloud service provider for a company covered under Sarbanes-Oxley is somewhat different from that for HIPAA and GLBA, which are primarily focused on the privacy of customer or patient data. Sarbanes-Oxley is focused on financial reporting processes and accuracy, so the due diligence requirements need to change accordingly and account for data provenance, data lineage and change control. Data lineage is a difficult task when an application has been converted to a cloud service. The data lineage requirement of Sarbanes-Oxley is simply defined as knowing where your data came from. It is outside of the company's control when using a cloud service, so it must be defined as part of the initial contract. The cloud service provider should be able to provide a high-level architectural overview of the application it's hosting. The provider should also be required by contract to have this architecture audited periodically and to provide appropriate documentation to assist in the customer's annual financial audits.

Data provenance is another consideration that is complicated by utilizing a cloud service. The data provenance requirement of Sarbanes-Oxley is the act of verifying the accuracy of the financial data in the application. This may require that the cloud service provider periodically demonstrate its quality control processes. The customer could also be involved in the verification of these processes, either through direct data sampling or third-party audit review; either of these two solutions needs to be included in the contract between the company and the provider.

Change control is another important requirement for Sarbanes-Oxley compliance that must be considered when moving to a cloud provider. The cloud vendor needs to be able to produce a detailed log of changes and proposed changes in order to comply with this requirement. This log needs to include the testing plan as well as a fallback plan. This is not just necessary for compliance; the implementation of any untested changes to the cloud environment could cause a failure in the associated business process, which could have serious business ramifications.

A standard approach to Sarbanes-Oxley compliance that can be adapted to cloud services is the application of the COSO and COBIT frameworks. Both of these frameworks contain objectives compatible with Sarbanes-Oxley Section 404 compliance. COSO is a complete match of these requirements while COBIT exceeds them. The requirements of either framework can be restated and applied to a cloud services provider. For example, one of the requirements of COBIT is to "acquire and maintain technology infrastructure." A company could require that a cloud service provider produce an architectural plan and device refresh strategy; this provides some compliance with the data lineage requirement as well as change control. These requirements need to be addressed in the contract directly or as an attachment.

State laws

In addition to federal regulations, there are many state laws that must also be considered by companies looking at moving to the cloud. Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted breach notification laws due to the rampant increase in identity theft. The primary focus of all of these laws is the protection of an individual's data privacy, which is similar to GLBA and HIPAA but far less detailed. All of the laws have subtle differences in the types of data that constitute a breach and in the methods of notification and restitution. The main takeaway is that a company will have to specify breach notification requirements that correspond to the location of the data in any contract with a cloud service provider. Companies need to understand which state law has jurisdiction in the case of a data breach.

Some states have adopted even more stringent security requirements, including Arkansas, California, Connecticut, Maryland, Massachusetts, Nevada, Oregon, Rhode Island, Texas and Utah. These laws require businesses to implement "reasonable" security measures and risk management programs. The California Financial Information Privacy Act takes GLBA to the next level with civil liability damages of up to $2,500 per violation, for a total of up to $500,000 per occurrence. Massachusetts adopted some of the most stringent information security legislation in the U.S., which also resembles strengthened GLBA requirements. This law requires that a business obtain written certification that a cloud provider has a comprehensive information security program, and take reasonable steps to verify that cloud providers with access to personal information have the capacity to protect that information.

The idea of using shared computing resources to save money has been around for years

With all the buzz about cloud computing, you'd think it was something new, but some of the first cloud computing systems were created long ago.

One of the earliest examples of this model was the service bureaus of the 1970s and 1980s. Businesses recognized the value of information technology at the time but could not afford the capital or operating costs required. Businesses commonly collected data for input during the day and paid a bureau with a mainframe computer system to process all of that data in a nightly batch. Mainframe and terminal technology lent itself very well to this type of shared computing model, just as the Web does today.

The risks were somewhat different than with modern cloud computing. Mainframe systems in those days utilized punch cards for data input. The cards would have data recorded by punch operators during the day and then be transported to a data center for processing at night. This got particularly interesting during the winter months, when the transportation of the cards was threatened by weather. There have been many stories about IT workers of the time re-sorting hundreds of thousands of punch cards because the truck the cards were traveling in rolled over after hitting a bad patch of ice.

European Union

Complicating compliance in the cloud are all the various international privacy laws. Almost every country has its own version of these regulations from Albania to Zimbabwe. One of the advantages of cloud computing is that the cloud service could be located anywhere in the world, but this can be problematic if that cloud service is located in another country. It is vital for companies to realize that data location matters when it comes to legal jurisdiction.

Individual privacy is culturally more important to the countries in the European Union. There are theories that this is the result of World War II and how information was used to persecute individuals of different races, religions and political affiliations. Examples of this cultural importance of privacy can be found in the European Union Data Protection Directive 95/46/EC of 1995. This regulation deserves serious consideration when evaluating cloud services from this area of the world. There are two standards defined by the directive for the protection of personal data: The quality standard states that data processed about an individual must be accurate and only collected for specific and legitimate purposes, and the legitimacy standard states that data can only be processed if the owner of the data has given their consent. The directive also defines special protections for certain categories of personal information: It is illegal to process information revealing racial or ethnic origin, political opinions, religious beliefs, union membership or sexual preferences under any circumstance. It also provides every person with the right to compensation for damages should their information be breached.

Where the EU Directive differs dramatically from U.S. privacy protections is the way it defines companies as either data controllers or data processors. A data controller is responsible for maintaining "appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access." A data processor can only operate with explicit instruction and a legal contract with the data controller, and must maintain the privacy and security of the information while in its custody but the ultimate responsibility for compliance is on the data controller. Cloud services could fall into either category and customers should utilize a detailed due diligence process to verify the security controls are sufficient for data controllers. Once again, these controls should be stated in the contract with the cloud service provider.

The other issue that organizations in the United States need to account for is that the directive restricts the transfer of personal data to countries that lack equivalent privacy protections. The directive defines the United States as just such a country. This rule can present a challenge when an organization is utilizing a cloud service in one of the EU countries only to find it cannot legally transfer information somewhere else. However, there is a way for an organization to be legally allowed to transfer information outside of the European Union. The U.S. Department of Commerce provides a "Safe Harbor" framework that allows a company to comply with the directive by requiring that an organization self-certify that it has the appropriate privacy protections in place.

All about the contract

There is a lot for a company to consider when moving to cloud-based services. It is vitally important that the company design a due diligence process to verify the security controls of the cloud service provider. The due diligence process must match the level of compliance and risk required for the type of service. For example, there should be much more scrutiny of a cloud-based solution that is housing personal medical information than one that's simply hosting the company website.

The SAS 70 can be a good starting point for the due diligence process. The results of the due diligence process and any other required controls must be specified in the contract. This contract is mandated by almost every regulation and is just good common sense. The company should also require periodic audits to verify compliance with the controls stated in the contract. High-risk services that are moved to the cloud may also require onsite audits by the customer.

Cloud computing is just a modern version of the old idea of shared computing resources. There is no reason to fear the cloud with a solid due diligence process and a contract with specified controls. Cloud computing has different risks but not necessarily more serious risks than internally hosted solutions. The final decision to use cloud services or not should be based on business strategy. It's the role of information security to help steer the business through the cloud to make an informed decision.

About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member. Send comments on this article to [email protected].