Cloud customers, auditors, and providers must consider and understand the following:
- Regulatory implications for using a particular cloud service or provider, giving particular attention to any cross-border or multi-jurisdictional issues when applicable.
- Assignment of compliance responsibilities between the provider and customer, including indirect providers (i.e., the cloud provider of your cloud provider). This includes the concept of compliance inheritance, where a provider may have parts of their service certified as compliant, which removes those parts from the audit scope of the customer; the customer is still responsible for the compliance of everything they build on top of the provider.
- Provider capabilities for demonstrating compliance, including document generation, evidence production, and process compliance, in a timely manner.
Some additional cloud-specific issues to pay particular attention to include:
- The role of provider audits and certifications and how those affect customer audit (or assessment) scope.
- Understanding which features and services of a cloud provider are within the scope of which audits and assessments.
- Managing compliance and audits over time.
- Working with regulators and auditors who may lack experience with cloud computing technology.
- Working with providers who may lack audit and/or regulatory compliance experience.
Audits are a key tool for proving (or disproving) compliance. We also use audits and assessments to support non-compliance risk decisions.
Both the cloud provider and customer have responsibilities, ==but the customer is always ultimately responsible for their own compliance==.
Many cloud providers are certified for various regulations and industry requirements, such as PCI DSS, SOC1, SOC2, HIPAA, best practices/frameworks like CSA CCM, and global/regional regulations like the EU GDPR. These are sometimes referred to as pass-through audits.
- A pass-through audit is a form of compliance inheritance.
With compliance inheritance the cloud provider’s infrastructure is out of scope for a customer’s compliance audit, but everything the customer configures and builds on top of the certified services is still within scope.
RECOMMENDATIONS:
- Compliance, audit, and assurance should be continuous. They should not be seen as merely point-in-time activities, and many standards and regulations are moving more towards this model. This is especially true in cloud computing, where both the provider and customer tend to be in more constant flux and are rarely in a static state.
Cloud providers should:
Cloud customers should: