Compliance can be described as a set of established guidelines that all involved parties are expected to abide by.

For instance, when a software programmer develops software or a hardware manufacturer develops a hardware component, they are expected to follow the guidelines and specific standards that have been set by the industry and ensure that their product is in compliance with their respective industry standards.

Post development, the other party is expected to comply with the vendor’s agreement or license. This, in turn, ensures that both involved parties are following industry set regulations and laws.

Different industry sectors have their own industry-specific compliances which they, with their involved parties, are expected to abide by.

The international standard ISO/IEC 27001 is created and regulated by ISO (the International Organization for Standardization), while IEC (the International Electrotechnical Commission) regulates international standards in the electrotechnology field.

Some standards are created and regulated by governments, while others are created and regulated by industry organizations for compliance within their respective sectors.

Becoming and remaining compliant is not as easy as it sounds, because constantly evolving technologies keep giving rise to new regulations. Some existing compliance standards include:

SOX of 2002

SOX is short for the Sarbanes-Oxley Act, passed by the U.S. Congress in 2002. Its purpose is to protect shareholders and the public from accounting errors and fraudulent practices in an enterprise.

The act is administered by the U.S. SEC (Securities and Exchange Commission). One of its provisions dictates that the companies concerned must store all business records as part of their IT systems.

The law dictates that these electronic records should be saved for not less than five years. Failure to comply could mean a fine or imprisonment or even both.

Can Spam Act of 2003

Can Spam is an acronym for the Controlling the Assault of Non-Solicited Pornography and Marketing Act. The law was introduced on 1st January 2003 and is formally known as S. 877.

The basic requirements and compliances that businesses are expected to follow include:

  1. A label must be present if the content is adult oriented
  2. An accurate “from” line
  3. An accurate and legitimate return email address
  4. A relevant and truthful subject line
  5. The message must have an unsubscribe option
  6. Unsubscribe requests must be processed within ten business days
  7. A legitimate physical address of the publisher or advertiser must be present
  8. A message cannot be empty

The U.S. government has been criticized by many who point out that spamming is an international concern and that the U.S. may not be able to control or punish senders outside its jurisdiction. Can Spam has also been criticized for its name.

HIPAA

HIPAA is short for the Health Insurance Portability and Accountability Act of 1996. The act regulates the security and safeguarding of a person’s medical and health-related information.

The covered entities expected to abide by HIPAA are health care providers, health care suppliers and services, and the individuals (or groups of individuals) who pay for health care.

The HIPAA Act contains 5 main sections, which are:

Depending on the type of violation, the concerned party may face both fine and imprisonment.

Dodd-Frank Act

Dodd-Frank is short for the Dodd-Frank Wall Street Reform and Consumer Protection Act, which the U.S. government brought into effect in July 2010.

The purpose of Dodd-Frank is to prevent a major financial crisis by enforcing transparency and accountability on businesses through a financial regulatory process.

The great recession of 2000 was one of the primary reasons why Dodd-Frank needed to be introduced. Many businesses were highly dependent on the banks, hence the act monitors companies that cannot be allowed to fail, since their failure would affect the economy. The act also closely monitors banks.

PCI DSS

PCI DSS is an acronym for the Payment Card Industry Data Security Standard. It was created to secure and optimize payments made via credit card, debit card and cash card by protecting cardholders’ personal information.

PCI DSS was jointly created by four major credit card companies: Visa, MasterCard, Discover and American Express. PCI DSS has six main objectives:

FISMA

FISMA is an acronym for the Federal Information Security Management Act, introduced by the U.S. government in 2002 as Title III of the E-Government Act of 2002.

The primary purpose of the act is information security. It focuses on protecting government information and systems from natural or man-made disasters.

Compliance Standards in relation to Cloud Computing

Different industries have varying compliance standards, and standards specific to cloud computing include:

  1. Cloud Security Alliance CCM
  2. Control Objectives for Information and related Technology (COBIT)
  3. Criminal Justice Information System Database (CJIS)
  4. DIACAP
  5. European Data Protection Directive 95/46/EC
  6. Family Educational Rights and Privacy Act (FERPA)
  7. Federal Risk and Authorization Management Program (FedRAMP)/ Federal Information Security Management Act (FISMA)
  8. ISO/IEC 27001:2005 Audit and Certification
  9. Federal Information Processing Standard (FIPS)
  10. Gramm-Leach-Bliley Act (GLBA)
  11. HITECH Act
  12. International Traffic in Arms Regulations (ITAR)
  13. Life Sciences GxP Compliance
  14. MTCS Tier 3 Certification
  15. SB-1386
  16. SOC 1, SOC 2 and SOC 3, SSAE 16/ISAE 3402 Attestations (formerly SAS 70)
  17. United Kingdom G-Cloud OFFICIAL Accreditation
  18. SSAE 16
  19. U.S. Commerce Department Safe Harbor Certification
  20. MPAA

Compliance and Cloud Security

Although there may be a distinct correlation between compliance and cloud security, they still have differentiating factors. For instance, cloud security is not a service a business is obligated to have, although its importance cannot be overstated.

Compliance, however, encompasses security itself. Compliance requirements are regulated by governing authorities, and privacy and information security remain their prime motive. Depending upon the industry sector an enterprise operates in, becoming and remaining compliant may be highly recommended or mandatory.

Compliance as a service

Like other cloud-based services, Compliance as a Service (CaaS) is offered on a subscription model with a fixed monthly fee. The service ensures that clients are always compliant with all industry regulations and standards.

Compliance requires periodic audits and evaluations to be conducted within an enterprise across all operations and processes, to ensure that each of them complies with the regulations relevant to it.

However, a company may not have the training and expertise to conduct such audits, and the nature of an audit does not allow for any mistakes. Moreover, these services are generally less expensive, and they therefore help save time and money.

Data Center Location

Compliance audits strictly require information on where the data is located. In other words, auditors need assurance that the assessed party knows the physical location where its data is stored.

This can pose a problem for public cloud users, as it defeats the purpose of the service. As of today, cloud vendors providing public cloud services are not necessarily obligated to share information on their data center locations. Conversely, there isn’t any rule or law which says they can’t.

In a traditional IT infrastructure setup the data center location is known, but this is not the case with cloud computing. Hence a business that has a problem with not knowing the data center location must raise this point with its vendor.

Access Control

Compliance audits require that a company is able to prove that it has access controls in place for its processes.

Access control refers to the access management that compliance auditors will expect a business not just to have configured and defined, but also to be able to prove with the help of proper documentation.

The documentation should show who has access to what and when it is accessed, and also show segregation of access depending upon duties, roles, responsibilities and departments.
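To make the auditor's expectation concrete, here is an added example (not code from the article or from any vendor it mentions) of a minimal role-based access-control policy with a segregation-of-duties rule, and of the evidence report that answers "who has access to what, and when was it accessed". The roles, users, permissions and log entries are all constructed for illustration; the `check_sod`, `is_allowed` and `access_report` functions are this example's own.

```python
"""Added example (not from the article): a minimal role-based access-control model
with a segregation-of-duties rule, plus the evidence report an auditor asks for
("who has access to what, and when it was accessed"). Every role, user and log
entry below is constructed for illustration and is not a real system's data."""

# Role -> set of (resource, action) permissions it grants. Constructed sample policy.
ROLE_PERMISSIONS = {
    "payments_clerk": {("payments", "create")},
    "payments_approver": {("payments", "approve")},
    "auditor": {("payments", "read"), ("audit_log", "read")},
}

# Role pairs that one person must never hold at the same time (segregation of duties):
# whoever creates a payment must not also be able to approve it.
SOD_CONFLICTS = {frozenset({"payments_clerk", "payments_approver"})}


def check_sod(assignments):
    """Return (user, role_a, role_b) for every user holding a conflicting role pair."""
    violations = []
    for user, roles in assignments.items():
        for conflict in SOD_CONFLICTS:
            if conflict <= set(roles):
                role_a, role_b = sorted(conflict)
                violations.append((user, role_a, role_b))
    return violations


def is_allowed(assignments, user, resource, action):
    """RBAC decision: allowed only if one of the user's roles grants (resource, action)."""
    return any(
        (resource, action) in ROLE_PERMISSIONS.get(role, set())
        for role in assignments.get(user, ())
    )


def access_report(assignments, access_log):
    """Build audit evidence: each user's roles and effective permissions, and every
    logged access with the decision the policy gives it."""
    report = {}
    for user, roles in assignments.items():
        permissions = set()
        for role in roles:
            permissions |= ROLE_PERMISSIONS.get(role, set())
        report[user] = {
            "roles": sorted(roles),
            "permissions": sorted(permissions),
            "accesses": [],
        }
    for entry in access_log:
        decision = "ALLOW" if is_allowed(
            assignments, entry["user"], entry["resource"], entry["action"]
        ) else "DENY"
        # Accesses by users with no assignment still need to appear in the evidence.
        record = report.setdefault(
            entry["user"], {"roles": [], "permissions": [], "accesses": []}
        )
        record["accesses"].append(
            (entry["time"], entry["resource"], entry["action"], decision)
        )
    return report


# Constructed sample assignments and access log (ISO 8601 timestamps).
ASSIGNMENTS = {
    "alice": ["payments_clerk"],
    "bob": ["payments_approver"],
    "carol": ["payments_clerk", "payments_approver"],  # violates segregation of duties
    "dave": ["auditor"],
}
ACCESS_LOG = [
    {"time": "2024-01-15T09:02:11Z", "user": "alice", "resource": "payments", "action": "create"},
    {"time": "2024-01-15T09:05:40Z", "user": "alice", "resource": "payments", "action": "approve"},
    {"time": "2024-01-15T10:00:03Z", "user": "dave", "resource": "audit_log", "action": "read"},
    {"time": "2024-01-15T10:07:19Z", "user": "mallory", "resource": "payments", "action": "read"},
]

if __name__ == "__main__":
    for violation in check_sod(ASSIGNMENTS):
        print("segregation-of-duties violation:", violation)
    for user, info in access_report(ASSIGNMENTS, ACCESS_LOG).items():
        print(user, info)
```

Running the script lists carol as a segregation-of-duties violation (she can both create and approve payments) and prints, per user, the entitlements plus each logged access with the ALLOW or DENY decision the policy yields; a user who appears in the log without any assignment is still reported, since unexplained access attempts are exactly what an auditor will ask about.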

Data Encryption

A business has to be absolutely sure about the security of its data when using a cloud service, especially since the data will be constantly transferred to and from the cloud.

Compliance requirements also state that data must be encrypted at all times. That includes data at rest, data in transit and any additional or backup copies. Some compliance standards require entire disks or drives to be encrypted.

These stringent regulations on data encryption aren’t surprising, as the whole purpose of compliance is privacy and the security of data. However, it is also worth noting that data encryption regulations may differ depending upon the region and the compliance standard for the industry in question.
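As an added example (not from the article, and not any real standard's wording), the following check turns the three requirements above into an inventory audit: every data store must be encrypted at rest, in transit and in each backup copy, and a stricter profile additionally demands full-disk encryption. The profile names `baseline` and `strict-fde`, the region-to-profile mapping, the accepted transport names and the inventory itself are constructed placeholders; a real deployment would take these from the standard and region that actually apply.

```python
"""Added example (not from the article): an inventory check that flags data stores
falling short of "encrypted at rest, in transit and in every backup copy", with the
full-disk requirement applied only under a profile that demands it. The profile
names, the region-to-profile mapping and the inventory are all constructed
stand-ins, not any real standard's wording."""

# Hypothetical profiles: which encryption requirements each one imposes.
PROFILES = {
    "baseline": {"at_rest", "in_transit", "backups"},
    "strict-fde": {"at_rest", "in_transit", "backups", "full_disk"},
}

# Transport settings accepted as "encrypted in transit" (constructed allow-list).
ENCRYPTED_TRANSPORTS = {"tls1.2", "tls1.3"}


def evaluate_store(store, profile):
    """Return the requirements of `profile` that `store` fails, in a fixed order."""
    required = PROFILES[profile]
    failures = []
    if "at_rest" in required and not store.get("encrypted_at_rest", False):
        failures.append("at_rest")
    if "in_transit" in required and store.get("transport") not in ENCRYPTED_TRANSPORTS:
        failures.append("in_transit")
    # Every backup copy must be encrypted; a store with no copies has nothing to fail.
    if "backups" in required and not all(
        copy.get("encrypted", False) for copy in store.get("backups", [])
    ):
        failures.append("backups")
    if "full_disk" in required and not store.get("full_disk_encryption", False):
        failures.append("full_disk")
    return failures


def audit(inventory, profile_for_region):
    """Map each store name to its failures, choosing the profile by the store's region."""
    return {
        store["name"]: evaluate_store(store, profile_for_region[store["region"]])
        for store in inventory
    }


# Constructed inventory of three stores and a constructed region-to-profile mapping.
INVENTORY = [
    {"name": "customer-db", "region": "eu", "encrypted_at_rest": True,
     "transport": "tls1.3", "full_disk_encryption": True,
     "backups": [{"encrypted": True}]},
    {"name": "archive-bucket", "region": "us", "encrypted_at_rest": True,
     "transport": "tls1.2", "full_disk_encryption": False,
     "backups": [{"encrypted": True}, {"encrypted": False}]},
    {"name": "legacy-ftp", "region": "eu", "encrypted_at_rest": False,
     "transport": "plain", "full_disk_encryption": False, "backups": []},
]
REGION_PROFILES = {"eu": "strict-fde", "us": "baseline"}

if __name__ == "__main__":
    for name, failures in audit(INVENTORY, REGION_PROFILES).items():
        print(name, "OK" if not failures else "FAILS " + ", ".join(failures))
```

The second store passes everything except that one of its backup copies is unencrypted, which is the case the paragraph singles out: an otherwise compliant system fails because "any additional or backup copies" are in scope. The region mapping shows the closing caveat, since the same store evaluated under the stricter profile also picks up the full-disk failure.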