Cloud Compliance

Numerous national and industry regulations apply to corporate data stored in the cloud. We’ve summarized each one with recommendations to ensure compliance.

Complying with the Law

Depending on your organization’s industry and what countries you operate in, there are likely one or more compliance regulations you’re required to follow. These regulations frequently mandate how you can treat personally identifiable information (PII), protected health information (PHI), payment card data, and other regulated data. McAfee CASB can help you meet these compliance requirements as data moves to the cloud by enforcing data loss prevention and access policies and by encrypting data stored in the cloud. The first step is understanding which regulations apply to your organization and how those regulations impact your cloud usage. We’ve summarized some of the most common regulatory requirements below. For more information, view the detailed page on each requirement.

PCI DSS (Payment Card Industry Data Security Standard)

PCI is not a law, but it’s a standard that’s required for all organizations that handle or process payment card information. It’s administered by an independent body that represents the major payment card brands including Visa, MasterCard, and American Express. There are 12 requirements for PCI with detailed sub-requirements. Failure to comply with these rules can result in fines levied by the acquiring bank, increased transaction fees, or termination of card processing.

HIPAA and HITECH (Health Insurance Portability and Accountability Act & Health Information Technology for Economic and Clinical Health Act)

These U.S. laws apply to health insurance companies, health care clearinghouses, and healthcare providers such as doctors and hospitals. Together, HIPAA and HITECH require organizations to safeguard protected health information. In the event of a breach, mandatory disclosure rules require you to report data loss, resulting in fines, loss of business, and litigation. However, by encrypting data, you can avoid these breach notification requirements if encrypted data is leaked.

GLBA (Gramm-Leach-Bliley Act)

This U.S. law applies to financial institutions and mandates that they protect the security and confidentiality of their customers’ personal information. Institutions are required to disclose to customers where their information is being stored and what steps have been taken to protect it, and to offer customers an opt-out from having their data shared with third parties. Some cloud providers claim the right to share data uploaded to their service with third parties, complicating compliance with the law.

SOX (Sarbanes–Oxley Act)

Sarbanes–Oxley is a U.S. law that applies to public companies. Under the law, companies are responsible for accounting and financial wrongdoing, even if it’s the result of actions by a third party such as a cloud provider. As a result, companies covered by the law should look for cloud providers that have SAS 70 or SSAE 16 auditing standards in place. Just 21% of cloud providers have one of these auditing standards in place, creating the need for an independent registry of cloud providers.

GDPR (EU General Data Protection Regulation)

This regulation will take effect in 2018 and supersede the current EU Data Protection Directive. It will apply to any organization, based anywhere in the world, that handles data on EU citizens and residents. The regulation is wide-ranging: it gives citizens rights to data deletion, transfer, and updating; widens responsibility for data safety to anyone who handles the data; sets clear rules about informing users of their rights; mandates breach notification; and allows fines of up to 4% of global turnover. For more info: GDPR Infographic and GDPR Action Guide For IT.

FIPS 140-2 (Federal Information Processing Standard Publication 140-2)

FIPS 140-2 is a U.S. government security standard issued by the National Institute of Standards and Technology (NIST) providing accreditation of cryptographic modules. U.S. federal agencies are required to use FIPS-certified encryption modules in cases where encryption is mandated, but NIST does not specify which levels are appropriate for different applications. For the private sector, FIPS 140-2 signals that an encryption solution meets the highest security standards.

FISMA (Federal Information Security Management Act)

FISMA is a law that applies to the U.S. federal government. The law requires agencies to develop, document, and implement a security program that covers both technology managed by the agency and technology managed by third parties such as cloud providers. To achieve FISMA compliance, cloud providers need to meet FISMA standards, be hosted in a FISMA-compliant data center, and have an Authority to Operate (ATO). FISMA also requires the government to use FIPS 140-2 compliant encryption.

ITAR (International Traffic in Arms Regulations)

ITAR is a U.S. law that applies to U.S. citizens and organizations. The law restricts the export or sharing of certain types of defense-related technology outside the U.S. to protect U.S. national security. Enforcement has increased substantially in recent years, with a $100 million fine levied against a company for unlawfully exporting night vision technology. Encrypting sensitive data is not enough; the Department of State recommends tokenizing data before uploading it to the cloud.

Federal Information Technology Acquisition Reform Act (FITARA)

Enacted in December 2014, the Federal Information Technology Acquisition Reform Act (FITARA) is intended to improve the acquisition and management of federal IT assets. Overall, there is optimism about its impact; 84% of IT professionals believe that FITARA will improve federal IT efficiency. Chief among its expected benefits are reducing the amount of waste and duplicative IT systems and improving communication and visibility within agency IT teams.