Take a few minutes to browse through the compliance sites for six of the largest cloud infrastructure providers:
- Alibaba: Alibaba Cloud Security & Compliance Center for Cloud Computing Infrastructure,
- Amazon: Compliance Programs – Amazon Web Services,
- Google: Cloud Compliance – Regulations & Certifications,
- IBM: IBM Cloud Compliance Programs,
- Microsoft: Compliance in the trusted cloud, and
- Oracle: Oracle Cloud Compliance.
The vendors intend these sites as signals that their computing infrastructure is secure, complies with specified standards, and is worthy of your trust. In support of that goal, they provide pages that display long lists of acronyms (e.g., GDPR, FedRAMP), sometimes accompanied by various numbers and/or descriptors (e.g., ISO 27001:2013, SOC 2 Type II).
However, the significance of the listed terms varies. Some of the terms indicate compliance with international standards, while others are relevant only to companies in a specific sector, such as healthcare or finance. And the compliance lists display no distinction between certifications that require rigorous review by an outside auditor and certifications claimed by the company without any external examination.
Here’s a short guide to help you identify the compliance certifications most relevant to your cloud buying decisions.
1. Prioritize Externally Audited Certifications
The AICPA (American Institute of Certified Public Accountants) devised System and Organization Controls (SOC) reports to help service organizations assess internal controls. In the cloud computing world, vendors who successfully complete an external audit typically indicate this publicly. For cloud computing vendors, the most relevant report is SOC 2 Type II, which is an audit intended to test that not only are internal controls related to privacy, security, data processing integrity, and confidentiality security in place but also that these controls work. Notably, other SOC reports are SOC 1, which relates to financial controls, and SOC 3, which is not as detailed as SOC 2 and is intended for general use. If you’re in the U.S. and considering the services of a cloud vendor, look for the vendor’s SOC 2 Type II report. (For more about SOC 2 Type II from a vendor perspective, see “Now it is official — Torii is SOC 2 Type II compliant!”)
2. Check the Details
Global security standards, such as those defined by the International Organization of Standardization (ISO) and the International Electrotechnical Commission (IEC) cover how organizations manage the security of information processing systems. For example, ISO/IEC 27001 focuses on information security management. Vendors that have received ISO/IEC 27001 certification typically provide web-based access to the certification, which indicates not only the certifying organization but also the certification issue date and expiration date. (For an example, see one of IBM’s many Cloud Infrastructure as a Service documents.)
3. Seek Sector-Specific Certifications
The nature of your business may affect compliance criteria. If you need a cloud vendor to process credit card payments, make sure they comply with PCI DSS (Payment Card Industry Data Security Standards) requirements. Again, as with other standards, self-asserted compliance should be less persuasive than compliance validated by an external third-party.
More narrowly, if you’re a government agency, look for cloud vendors that tout compliance with federal data system standards, such as FedRAMP (Federal Risk and Authorization Management Program) and FISMA (Federal Information Security Management Act). And if you’re not part of a government agency, why might these certifications matter to you? They’re a signal that the vendor seeks to serve the U.S. federal government, which indicates both a certain scale and ability to comply with federal I.T. security concerns.
4. Compliance May Require you to Act
A vendor’s ability to comply sometimes works in conjunction with your own actions. For example, a cloud vendor in the healthcare sector might indicate that they are “HIPAA (Health Insurance Portability and Accountability Act) compliant”. However, in many cases, you — as the customer — may need to go through formal processes to sign a business associates agreement on behalf of your organization with the vendor. Additionally, you may need to adjust administrative or security settings in order to fully comply with the agreement. For example, Microsoft offers to sign such agreements with customers for their respective office suites but also identifies several actions that administrators and employees need to take and practice.
On a much broader level, compliance with something as complex as the European Union’s GDPR (General Data Protection Regulation) requires an entire set of system capabilities combined with organizational practices. Cloud vendors tend to respond by offering resource-laden sites that cover a wide range of certifications and practices, such as the wide range of articles and links offered by Amazon Web Services’ GDPR Center.
Similarly, educators and school IT leaders who select cloud vendors that are COPPA (Children’s Online Privacy Protection Act) compliant may also need to take steps to obtain parental consent on behalf of students who are less than 13 years old. G Suite for Education, for example, may be used by younger students, however school administrators must adjust settings and ensure appropriate parental agreements are in place.
5. Certifications and Compliance Don’t Cover Everything
Compliance and certifications serve as an indicator of a vendor’s maturity and scale. The greater the number of customers a vendor serves, the larger the vendor tends to be — and the more capable the organization becomes at complying with external requirements.
Compliance doesn’t guarantee uptime, security, or perfection. Disasters can happen, security holes may be found, and bugs will certainly still exist. Organizations that have an emphasis on well-documented processes and rigorous response procedures — both of which are key parts of many compliance efforts! — will be better prepared to fix flaws quickly than organizations that fail to pay attention to these fundamental procedures and practices.