Regulatory Compliance in Cloud Computing


As companies dive deeper into the cloud to leverage the benefits of re-engineering their technology stack, taking advantage of its elasticity, scalability and effectiveness as well as its usage-based pricing models, a new skill set for deploying infrastructure as code, and doing so with security in mind, will be an absolute necessity for protecting data and meeting compliance requirements. With this trend continually escalating, there is a burden on Cloud Service Providers to demonstrate a high level of security and compliance expertise in a regulated environment, writes Adedayo Adejobi

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Choosing to upload your data to the cloud is, for the most part, a moot point; the advantages of mobility, scalability and convenience have proven that cloud platforms are a necessary and vital tool for the advancement of modern-day industry. However, some issues are still a challenge for the online world, including that of regulatory compliance and protecting sensitive data.

Many times, businesses focus so much on the technological aspect of incorporating a cloud platform into their business management strategy that regulatory compliance gets set somewhere in the background. After all, setting up a cloud, synchronising data and then training employees on how to use this database is a monumental task.

Add to the mix, the complexities of the law and your once brilliant idea of updating your company quickly becomes overwhelming and expensive. Nonetheless, those companies, clients and employees who have sensitive data stored in the cloud are the ones who will benefit from the safeguards of the law.

Features such as elasticity, scalability, universal access, low entry cost, and flexible billing motivate consumers to migrate their core businesses to the cloud. However, in doing so they face challenges around security, privacy, and compliance. Businesses are pressured to comply with regulations depending on their service types. But when it comes to work on compliance issues, the lack of reference architectures and relevant patterns makes compliance harder than it should be.

In the last few years, the use of cloud services has become widespread. According to International Data Corporation (IDC), public spending on cloud services reached $107 billion in 2017.

Despite the increase in demand and popularity, there are major challenges in moving a business to the cloud, such as compliance, security, and privacy. Many works consider security and privacy in clouds, but we are concerned here only with compliance aspects, which are strongly related to those attributes; in fact, relatively few works deal mostly with compliance.

Regulations are sets of policies that govern the use of sensitive business data. The main intents of these regulations are to protect consumer privacy and provide security by enforcing attributes such as confidentiality, integrity, availability, and accountability (CIAA). Compliance implies enforcing the rules that implement the policies defined in the regulations. The cost of not being compliant may result in penalty fees, lawsuits, and bad business reputation.

The world over, regulations are often verbose, hard to read, redundant, ambiguous, and in some cases inconsistent. These documents are, admittedly, intended for lawyers and not software developers; in the case of Nigeria, however, there is none to examine in detail.

Often, compliance and security are only addressed at the testing phase or at the last stage of development, which can result in applications that fail to identify potential threats, as is frequently the case in cloud computing.

As the situation stands, there is considerable scope for identifying overlaps, patterns and inconsistencies across regulations, as well as security threats, in the era of cloud computing. It is worthy of note that there is little or no knowledge of privacy and security regulations. These commonalities are important for complying with multiple regulations and for understanding regulations in general.

Most businesses use independent third-party certifying agencies and internal IT auditors to assure compliance, security, and privacy. In addition, government agencies in Nigeria that support cloud computing must fulfil the Federal Risk and Authorization Management Programme (FedRAMP), as is the statutory procedure worldwide. To begin with, Nigeria must identify and publish certified cloud service providers and Third Party Assessment Organisations (3PAOs) that can serve as a reference for cloud service providers and consumers. Service providers such as Jumia, Konga, IBM, Microsoft, Oracle, HP and others claim compliance by certifying their cloud services with 3PAOs.

There is a need for industry compliance efforts that identify the significant issues and provide guidance on how cloud architecture should be territorialised.

Compliance is one of the main reasons why many organisations hesitate to fully engage in a cloud-first strategy. However, a clear understanding of how compliance can be achieved in the cloud enables companies to capitalise on the business agility and growth that the public cloud provides. With a complete understanding of how compliance can be attained in the public cloud, even the most heterogeneous organisation can operate in an ever-changing regulatory environment.

The questions yet unanswered are: do cloud services come with an installed and maintained firewall configuration to protect data against ethical and unethical hackers? What are the security parameters? Is sensitive information transmitted across public networks encrypted? How often are the applications on the cloud updated? How safe and secure is the cloud system? Who do you hold accountable for an insecure interface, data loss or leakage, account or service hijacking, a breach in information maintenance, or abuse and nefarious use of cloud computing, that is, threats related to abusing cloud networks and services through Denial of Service (DoS), malicious file upload, and malware? How do you define what is a threat and what is a vulnerability?

There are still many uncertainties with respect to compliance and privacy in cloud computing. As a result, it is becoming very difficult to analyse security, privacy and compliance among cloud service providers.

It is virtually impossible to not talk about security when addressing compliance requirements, since the controls necessary to achieve compliance are often implemented under the auspices of security. That said, there are primary security challenges that affect the success of compliance on-premises or in the cloud that organisations should be aware of:

When it comes to operations, inconsistency equates to inefficiency. Whether you are manufacturing, importing, retailing, or providing a service, the more you standardise basic operations, the better. As organisations move to the cloud, the effective operational security and compliance functions that existed on-premises must be applied to respective cloud services. From a compliance perspective, the more an organisation drives consistency of operation, the easier it is to respond to audit requests and enforce security.

Cyber threats represent a relentless source of sophisticated exploits and zero-day attacks aimed at getting your organisation’s information. Threat actors use a mix of methods to compromise systems and infrastructure for political and financial gain, while other, less sophisticated attackers are looking to make a quick score and move on to the next victim. With an increasingly mobile workforce, it has become easier to attack organisations when their edge systems are attached to insecure networks outside their sphere of control. One of the most common attack vectors is ransomware, which has become a $1 billion-a-year industry, according to recent studies.

Historically, it was simple to know where data lived: in the data centre. That’s no longer true. With the proliferation of mobile devices—now defined as edge computing—and the increasing use of cloud-based applications and services, critical corporate information is more dispersed than ever. With additional regulatory requirements involving global data residency, getting a single view of your data is more challenging than ever.

Many organisations make the mistake of assuming that once data is sent to the cloud, all security responsibility shifts entirely to the cloud provider. This is simply not the case. Responsibility for data security and compliance in the cloud is shared between multiple parties. It is true that the higher up the “cloud stack” an organisation buys into, the more security compliance functionality is built in.

According to compliance expert Abimbola Adeseyoju, Managing Director of DataPro Limited, in the case of SaaS (a method of software delivery and licensing in which software is accessed online via subscription rather than bought and installed on individual computers), for instance, the vendor will offer a variety of additional security and compliance features built on top of the security of the infrastructure and platform providers.

“However, in this shared-responsibility framework, it is still up to the customer to implement and use those security and compliance features to ensure that its existing on-premises security policies extend to the cloud. While compliance audits are great from a scrutiny perspective, they also allow organisations to measure fourth-party risk. Consumers of cloud services should also expect their primary providers to adhere to general and industry-specific compliance frameworks, audits, and attestations,” he said.

“As customers evaluate cloud service providers, it is important to understand and distinguish the various demarcations as to who is responsible for securing which part of the cloud. An easy way to think about it is as follows: Customers, SaaS and Cloud service providers are also responsible for implementing security in the cloud application,” he added.

This requires a shift in mind-set for customers who operate traditional, on-premises environments, where they are responsible for all security aspects. As organisations consider and evaluate various cloud service offerings, it is essential to understand the delineations of shared responsibility in the cloud.

The bottom line of compliance is security. In a survey conducted by technology research company Clutch, it found that, “migrating to the Cloud encourages companies to engage in better security practices overall. The additional security measure enterprises implement the most is data encryption (60 per cent), followed by identity access policies (52 per cent) and regular audits (48 per cent). To implement additional cloud security, more than half of enterprises (59 per cent) spend between $10,000 and $500,000.”

If this task seems like a project newcomers are not prepared to tackle, they may want to consider the newer roles of corporate, chief, or regulatory compliance officers for hire, whose sole focus is to monitor adherence to the law. If this seems beyond their budget, there are also consultants available who can help them identify and address the laws that apply to their company.

Compliance in the cloud is a shared responsibility among service providers and consumers. The responsibilities of service providers and consumers vary based on the type of service model. In general, the lack of full control and transparency creates compliance challenges in the cloud.
