Compliance environments that experts cite as important for cloud computing include the auditing-related standard SAS 70, the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA).
SAS 70 refers to "Statement on Auditing Standards 70: Service Organizations," issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). According to Judith Sherinsky, manager of audit and test standards at the AICPA in New York, "SAS 70 applies when an audited entity sends data to a service organization, which does something to that data and sends it back to the user, who uses that data in its financial statements." An example is if corporate inventory data is sent to a cloud-based datacenter where a total valuation will be assigned to it -- a valuation that will later show up in the corporation's annual report.
Compliance with SAS 70 is fairly involved. It requires the following components, Sherinsky explains. Whichever vendor or entity is managing the cloud has to be able to describe what is happening, where the information comes in, what the vendor does when it gets the information, how it gets back to the users, the controls over the processing of the data, and most important, what is happening to the data when it gets to the cloud.
So, the basis of SAS 70 cloud compliance, Sherinsky explains, is that if there are material numbers coming from data that has been stored or in any way acted upon by a cloud vendor, there needs to be a full understanding of what's going on and who's doing what. "Ultimately, we say that the management of the user entity is responsible for their data, and they need to know what is going on with their data, or hire somebody who does."
With SAS 70, "you are building a control framework that your auditor feels is appropriate," added Day at Terremark. "For instance, SAS 70 does not talk about encryption, but I can make encryption part of my audit framework, and SAS 70 will show that I am doing it."
Bryce at Mosso noted that compliance with Sarbanes-Oxley (concerning corporate financial controls) and Gramm-Leach-Bliley (concerning, among other things, banking privacy) can be incorporated into SAS 70 compliance.
Additionally, "one of the benefits of having SAS 70 is that it is seen as an operational certification to help satisfy HIPAA requirements," Day said. "As a HIPAA-regulated organization, you have to ensure that all your business partners are also HIPAA compliant. They like to see SAS 70, since it checks a lot of things on the list."
Compliance with PCI DSS is complicated by the fact that part of the processing of credit card transactions must take place within the merchant's point-of-sale system, even if the rest takes place in the cloud.
"There are two components, ours and the customers'," Day said. "We go through annual audits to make sure that we meet all service provider criteria for PCI compliance, but that does not mean that the customer is PCI compliant. The customer is starting ahead by using us, but they still have to add their own controls and technology."