Compliance & Security IN THE CLOUD Buyers Guide Ebook

INTRO

The reach of industry and government compliance requirements is long and getting longer. Every organization and enterprise with at least one paid employee has personal information that it’s legally responsible for protecting. After that, compliance and data security just keep getting more complex and costly.

In addition to compliance, there’s a host of other reasons to protect data as more business operations move online, including the needs specific to different types of data such as intellectual property, market strategies, trade secrets, and material financial information, for example.

Achieving and sustaining compliance on your own, as well as secure servers, storage and networks, come at a cost ... money and resources that must be diverted from the core purpose of the entity. Having a compliant environment does not ensure security, however. And a secure environment is not necessarily a compliant one. Both are necessary, but sometimes at odds with each other in terms of priorities and budgets.

While it’s not possible to shed accountability for regulatory compliance, achieving it can be far simpler and more efficient by outsourcing to the cloud. Similarly, maintaining a secure infrastructure can be easier and more effective. The right partner can help address both compliance and security. This guide will help you evaluate and select that partner.

- SOC IT TO ME -

Some infrastructure and cloud service providers (CSPs) will say they have secure infrastructures. Others will say theirs are compliant with various industry and agency regulations such as PCI-DSS, HIPAA or Sarbanes-Oxley. Some will claim both. The standards that best indicate that a CSP has what it claims to have, does what it claims to do, and has defined control policies and procedures in place are SSAE 16, ISAE 3402 and AT-101.

SSAE 16, an attestation standard of the American Institute of Certified Public Accountants (AICPA), together with AT Section 101, forms the underlying platform and professional standards upon which the new AICPA SOC reporting framework is built. The framework consists of SOC 1, SOC 2 and SOC 3 reports.

Service Organization Control (SOC) 3 reports, the newest of the standards, attest to the CSP’s adherence to the AICPA’s and Canadian Institute of Chartered Accountants’ Trust Services Principles for Security, Availability, Processing Integrity, Confidentiality and Privacy.

Audits are conducted annually by independent inspectors. Ask prospective CSPs to share these and all other audit report results with you during the evaluation process.

Some CSPs will go the extra mile by having their data center(s) independently commissioned prior to opening by a quality assurance and mission-critical engineering team. This days-long process involves an investigation of all aspects of live operation, including equipment, physical infrastructure, operational procedures and much more. The qualification regime applies key standards for mission-critical data center facilities including ANSI/TIA-942 and other standards established by the Uptime Institute, ASHRAE, NFPA and critical infrastructure manufacturers.

- SLIPPING IN AND OUT OF PCI COMPLIANCE -

Following their annual assessment for meeting the Payment Card Industry (PCI) Data Security Standard (DSS), 88.9 percent of businesses fail to maintain ongoing compliance, according to Verizon’s 2014 report on PCI compliance. A PCI-DSS compliant CSP can help not only maintain compliance with the standard, avoiding costly penalties, but also protect valuable cardholder data, avoiding costly breaches.

Compliance requires meeting 12 data security requirements ranging from system and application security to firewall management, organized under six functional areas. All processes and components under the CSP’s control must be PCI-DSS compliant, with an accompanying report on compliance from an independent auditor available for your inspection.

Level 1 certification indicates that the CSP’s systems and infrastructure can scale to meet the requirements of customers that exceed six million transactions per year and that the CSP is subject to an annual onsite inspection by an independent qualified data security expert. Also, determine what the CSP’s own inspection and maintenance policies and processes are above and beyond those required by regulation. Is the provider audit-ready at a moment’s notice?

Look to see if the CSP is on the approved service provider list maintained by the major card brands; each card brand’s website has the approved provider list.

- CSPS SHARE HIPAA RESPONSIBILITY -

Health care professionals should be wary of overreliance on claims from CSPs that they are “certified” or otherwise “compliant” with the Health Insurance Portability and Accountability Act (HIPAA), as there is no officially recognized CSP certification. The AT-101 annual audit report mentioned earlier does include a section on healthcare information privacy controls for data center operations, however.

Still, the right CSP – one with a history and demonstrated commitment to industry regulatory compliance requirements (SSAE 16 and PCI-DSS, for example), and familiarity with the obligations of “business associates” as defined under HIPAA and the Omnibus Final Rule – can be a reliable partner in helping achieve and maintain HIPAA compliance. It is also likely to be more cost effective than going it alone. Here’s what to look for in HIPAA compliance in the cloud:

The CSP cloud infrastructure should be architected to facilitate compliance specifically in regard to the HIPAA Security Rule. A non-exhaustive list includes multiple layers of security protection for electronic protected health information (ePHI); access control limits and monitoring of ePHI; firewall and router configurations consistent with HIPAA compliance specifications; and adherence to industry best practices for installation, configuration and patch installation of managed servers and associated network devices. In essence, meeting Security Rule requirements constitutes HIPAA-compliant services from CSPs.

The CSP’s cloud services should be flexible enough to adapt to your needs, not relying on a one-size-fits-all model. For example, in a dedicated private cloud a solution can be designed to exact specifications for availability, scalability, threat prevention and other criteria. Using cloud resource pooling, as in a virtual private cloud, can combine reliable, logical segmentation and best practices with the agility and cost efficiency of multi-tenancy.

- NAVIGATING THE REGULATORY LANDSCAPE -

There are many industry and government regulations weighing on the minds of the regulated that we haven’t covered here. The Federal Information Security Management Act (FISMA) for safeguarding data managed by federal agencies and their outsourced partners, and the Gramm-Leach-Bliley Act for protecting the privacy of consumer information held by financial institutions, are just two of the many.

While it may be too broad a statement to say that a CSP committed to SSAE 16, PCI-DSS and HIPAA compliance is well equipped to meet the requirements of other regulations, it should not be too much of a stretch to meet other obligations as well. Again, any claims by a CSP regarding compliance should be carefully vetted.

A capable CSP will provide as much information as possible to assure you of its capabilities. It will also work with you collaboratively to demonstrate compliance to regulatory authorities, and offer additional guidance on sustaining and improving your ability to comply with your regulatory mandates over time.

- 24/7/365 TO COMPLIANCE AND SECURITY -

Regulatory compliance establishes a good baseline for a secure infrastructure. At its most basic, compliance means that requirements for those specific regulations – usually for that moment in time – are being met. As noted in an earlier chapter on PCI-DSS, it’s much more demanding and difficult to remain in compliance at all times.

A capable CSP makes it its business to maintain secure and compliant systems and infrastructures without exception. Many security features are integrated into basic services. More comprehensive services may be optional, which allows a customer to tailor its solution and pay only for what’s really needed. Whether advanced services are needed with the initial engagement or not, knowing they are available as your needs change and grow is good insurance to have.

For example, a virtual private network with multi-factor authentication enables secure communication between servers and the cloud. Firewall configuration services and scheduled maintenance can ensure that the firewall provides optimum security at all times. Other services may include intrusion detection and prevention, unified threat management, spam and virus protection, and data encryption support. Pre-configured security packages specifically for PCI-DSS or HIPAA compliance can take the guesswork out of proper cloud provisioning.

- THE INFRASTRUCTURE BEHIND THE CLAIMS -

Physical and logical infrastructure, people and best practices are essential for a secure environment. Finding out who the CSP’s technology providers are will tell you a great deal about the robustness of its infrastructure. Best-in-class hardware, software, storage and network services vendors are good indications that the CSP invests in and maintains state-of-the-art facilities.

Efficiently designed facilities not only simplify operations and maintenance; they are also more cost efficient. All critical facilities systems, such as cooling, generators and uninterruptible power systems (UPS), should be redundant and maintained according to rigorous standards. Determine the extent and frequency of back-up, failover and emergency procedures testing performed by the CSP.

How secure is the data center itself from unauthorized access? Physical access to facilities should be constantly monitored by trained staff, onsite 24/7/365, with video surveillance cameras throughout the building, inside and out. Only essential staff should have access to areas within the data center, requiring PIN-based cards or cards combined with biometric scans. Likewise, building access requires similar security measures.

Ask your prospective CSP about staff training with regard to security protocols and regulatory compliance, as well as technical skills training to keep personnel up on the latest products and technologies.

- LOOK NO FURTHER -

Since inception, Peak 10 has proactively implemented the necessary safeguards within its data centers to help customers cost-effectively meet regulatory compliance requirements. In 2011, Peak 10 was among the first in the industry to complete a Type 2 SOC 1 examination under the Statement on Standards for Attestation Engagements (SSAE) 16 and International Standard on Assurance Engagements (ISAE) No. 3402.

To enhance its compliance reporting, Peak 10 successfully completed the following examinations in 2013:

• Type 2, SOC 1, reporting on Controls at a Service Organization (also known as SSAE 16). This report is an important component of controls over financial reporting for purposes of compliance with laws and regulations such as the Sarbanes-Oxley Act.

• Type 2, SOC 2, reporting on controls at a service organization relevant to the following Trust Services principles:

  • Security - The system is protected against unauthorized access (both physical and logical).

  • Availability - The system is available for operation and use as committed or agreed.

• Type 2 SOC 3, SysTrust for Service Organizations, which is an abbreviated version of Peak 10’s SOC 2 report, and is intended for broad use by interested parties.

• Payment Card Industry Data Security Standard (PCI DSS) for companies that collect, store or process payment card data.

• Health Insurance Portability and Accountability Act (HIPAA) for companies that need to keep electronic protected health information (ePHI) secure.

• Safe Harbor, which permits data transfers from the EU on the basis that U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive.

• Federal Information Security Management Act (FISMA), which sets forth stringent requirements to safeguard data managed by federal agencies and their outsourced partners.

Contact Us to Learn More

EMAIL [email protected] OR CALL 866.473.2510

We would welcome the opportunity to better understand your compliance and data security needs, and explore how Peak 10 managed infrastructure and cloud services can help you achieve your objectives.

www.peak10.com