As Cloud Computing gains traction both among enterprises and consumers, security on the cloud still commands the greatest mind share when talking about reluctance in cloud adoption. While enterprises question security of their data and information, consumers are concerned about privacy related issues. Cloud Computing vendors are under tremendous pressure to demonstrate their commitment to address these hot buttons of their customers. In this context it pays for all stakeholders to be aware of some of the prevalent and widely accepted Security standards, the adoption of which helps alleviate some of the security concerns and push for greater cloud adoption.
SAS 70 - Statement on Auditing Standards No 70
What is it?
A well recognized auditing standard put in place by the American Institute of Certified Public Accountants (AICPA)
What does it do?
Modern data centers and hosting providers have to deal with their customers' data being processed or residing on their servers and storage devices. SAS 70 audit checks if the necessary safeguards and controls are in place at the data centers to ensure safety of customers' data.
Who asks for it?
Customers who want to enter into contracts with data centers, website hosting providers, cloud computing infrastructure providers typically enquire about SAS 70 compliance.
More Info @ http://www.sas70.com/
PCI-DSS - Payment Card Industry- Data Security Standard
What is it?
A defined standard by the PCI Security Standards Council that defines the needed protection to be put in place to ensure data safety while dealing with digital payments involving cards and information provided therein.
What does it do?
The standard framework specifies requirements for security management, policies, procedures, network architecture, software design and other aspects while dealing with card related information leading to digital payments. It specifies 12 requirements to be put in place. To ensure compliance a continuous 3 step process has to be established
- Assess: Take stock of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could giveaway cardholder data
- Remediate: Fix the revealed vulnerabilities
- Report: Generate records as specified by PCI DSS to validate remediation. Also submit compliance reports to the financial enterprises that you do business with.
Who asks for it?
Customers who want to enter into contracts with data centers, website hosting providers, cloud computing infrastructure providers typically enquire about SAS 70 compliance.
More Info @ https://www.pcisecuritystandards.org/
ISO 27001
What is it?
A Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
What does it do?
The standard attempts to bring a structure around information management in enterprises. As information becomes a key asset for enterprises, the need to define standard processes around Information Management and continually keep refining these became the driving factors for the establishment of this standard. The standard defines a model that covers legal, physical and technical aspects of information management. It is a top down, risk-based approach and is technology-neutral. The model is defined in 6 steps
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement
Who asks for it?
Customers while dealing with cross border transactions are more comfortable in ensuring that information passed on to other organizations are safe and do not fall into the false hands.
More Info @ http://www.27000.org/
Data Protection Directive (DPD)
What is it?
A set of European Union (EU) regulations that deal with personal data of individuals and their processing & movement.
What does it do?
With privacy laws being some of the most stringent among the European nations, the EU has made the DPD a part of its privacy and human rights laws. This directive governs both automated and non automated processing of data. It assumes significance in the cloud computing scenario as more and more online services require individuals to divulge personal data while subscribing to services.
The EU directive incorporates the seven principles recommended by OECD (Organization for Economic Cooperation and Development) earlier. The seven principles state
- Notice: Give the individual notice when data is being collected
- Purpose: State the purpose for which the data is being collected and data collected should be used only for this purpose
- Consent: Get the individual's consent before disclosing data
- Security: Ensure data collected is secure from potential misuse
- Disclosure: Individuals need to be informed on who is collecting their data
- Access: Individuals should be allowed access to their data and must be allowed to changer erroneous data.
- Accountability: Individuals should have an ability to hold the data collectors accountable for the above principles
Who asks for it?
EU directive is basically for the member nations who in turn have to enact laws to give the directive legal binding.
More Info @ http://www.dataprotectiondirective.com/
If you enjoyed reading this post, Subscribe to the feed here ...And never miss a post