In the early days of the cloud, many organizations that needed to worry about compliance would not even look at the cloud. They had enough trouble managing compliance on premises, so how on Earth would they manage it in the cloud? Cloud compliance was, and still is, very important to many organizations. These cloud compliance requirements spurred a number of smaller, very specialized players, many of whom were not around for very long. This left organizations with a bad taste in their mouth when it came to cloud compliance.
That was then. Now, our friends at AWS have made great strides in helping organizations meet cloud compliance requirements. Cloud compliance is unique in that it requires the careful attention of both the customer and the cloud provider. While the cloud provider is responsible for meeting many of these cloud compliance requirements, that does not mean the customer is off the hook: AWS is responsible for the controls covering the underlying infrastructure, while the customer remains responsible for the controls covering what they deploy and store on it. Cloud compliance is a balancing act between the controls on premises and the controls in the provider's data centers.
Cloud Compliance and You
If you are looking to learn more about AWS' commitment to cloud compliance, the AWS website is a good starting point. There you will find a number of resources for anyone who is concerned with cloud compliance. AWS has also introduced a learning path specifically geared towards auditors who want to ensure their organizations are adhering to cloud compliance requirements. The offerings range from instructor-led courses to self-paced labs to a free AWS Security Fundamentals course. This course is a fantastic resource for anyone looking to learn more about AWS security, not just those bound by cloud compliance requirements.
AWS has a number of cloud compliance assurance programs in place. These programs range from regional programs such as GxP in the United States (have I ever mentioned how much I love GxP?) to the globally used Payment Card Industry Data Security Standard, more commonly referred to as PCI DSS. There are many more programs in place, which you can find listed here.
Many organizations must worry about PCI DSS compliance, and AWS is certified as a PCI DSS Level 1 Service Provider. Level 1 is the highest validation level, and applies to service providers that store, process, or transmit over 300,000 transactions annually. If you aren't familiar with the PCI DSS standard, you can download it for free directly from the PCI Security Standards Council. If you are looking for a gross oversimplification of the standard, it is all about protecting cardholder data in different ways throughout an organization, from the network to the organization's personnel.
Deploying With Cloud Compliance in Mind
AWS offers a Quick Start solution for PCI DSS. This solution sets up an environment which is ready to go in about 30 minutes. Keep in mind that the Quick Start deploys a baseline architecture aligned with the PCI DSS controls; it does not by itself make your workload compliant, and the assessment of your own applications and data is still up to you. For more information, you can view the Quick Start Reference Deployment Guide here.
Beyond the PCI DSS Quick Start solution, there are also multiple cloud compliance Quick Start solutions available for the United States' National Institute of Standards and Technology, also known as NIST. The NIST Quick Start is capable of deploying a baseline aligned with the following standards:
- NIST SP 800-53
- NIST SP 800-171
- FedRAMP TIC Overlay
- DoD Cloud Computing SRG
Both of these cloud compliance Quick Start solutions also feature downloadable, ready-to-use Microsoft Excel control spreadsheets. These map the deployed configuration to the individual controls of the relevant standard, and are a great starting point for anyone using a cloud compliance based Quick Start to see which controls have been implemented in their newly deployed environment, and which remain their own responsibility.
It is important to remember that simply moving to the cloud does not remove compliance requirements; it simply shifts some of them. The issues raised by compliance requirements are addressed twofold: by the organizations impacted by the requirements, and by the cloud hosting providers.