Every Cloud Has a Dark Lining

“The only thing that saves us from the bureaucracy is its inefficiency.” 

— Eugene McCarthy

We’ve all seen the news reports on the ability of “computer hackers” to access electronic information that is reportedly well protected. These reports are relatively ominous. Millions of individuals have had their credit-card information illegally obtained. 

Hackers around the globe have had success in penetrating what we would normally consider to be the most secure electronic information. For example, the National Security Agency database as well as the Defense Department and major international banking institutions have all been made keenly aware of system firewall vulnerability. 

Most of these data breaches have resulted from the trend toward cloud computing. In simple terms, cloud computing is the mass centralization of computing resources that is made available to a multitude of users. 

I recently spoke with Carl Cadregari, a certified information systems auditor in the Enterprise Risk Management Division of The Bonadio Group, and Alfonzo Cutaia an attorney in the Information Technology & Internet Practice Group of the Buffalo law firm Hodgson Russ LLP about this topic. The purpose of this column is to examine the multitude of compliance and security considerations that must be evaluated, particularly if you are using cloud computing.

Regulatory compliance in the cloud 
You may need to Google some or all of the acronyms in order to fully understand regulatory compliance requirements in this area — FISMA, HIPAA, HITECH, GLBA, PCI DSS, FERPA, CIPA, SOX, MASS201, SB1386, NYISBNA, and 21CFR11. If any of these sound familiar, then you know you must have auditable requirements and actions in order to maintain your compliance with these and other data-security regulations.

Therefore, you need a thorough understanding of how using cloud computing affects your responsibilities and compliance actions. Generally, most laws and regulations require that you demonstrate that your cloud provider (or ASP, SaaS provider, and/or outsourcing host) has at least the same or similar controls as you have in place in your internally hosted systems to protect the data as required by law. 

So, if your organization relies on a cloud-based, third-party payment processor that also has collection responsibility, and to which you send personally identifiable information, what does that cloud provider have to do? What do you have to do? And what happens when data is lost, inappropriately accessed, or otherwise compromised?

Assuring your cloud
The use of cloud resources can be highly beneficial to most any business — but you should always know the risks, use the appropriate resources and experts from the audit and legal community, and be prepared to answer the following questions. These questions are the most basic that should be answered when contemplating the use of a cloud provider; you should be prepared to have in-depth technological, legal, and business conversations on each. In all cases, an uncertain or negative answer from the vendor should be considered a potential deal breaker since even one poor control could be used to exploit all of your data. 

One overarching question needs to be answered for your entire project: Who is your independent auditor for all of these areas, and how often does it perform audits?

Security
- How is data encrypted at rest and in transit?

- How is data protected from unauthorized access?

- How is data disposed of?

- How is cloud provider internal security handled? 

- Administrative controls

- Physical controls

- Logical controls

- What rights and abilities do we have in the case of a breach (e.g., right to audit, ability to perform forensics investigations)?

- What reporting obligations does the provider have to notify users of security breaches (e.g., indemnification for breaches)? 

- What actions have you/the provider taken to prevent attacks?

- What protections do you require we have in place?

- How do we reliably demonstrate and communicate security procedures to clients?

- How much ability do you give to your customers to perform their own assurance procedures, such as security scanning or audits?

- How do we handle overlapping or contradictory interstate regulations on data privacy?

Compliance
- What compliance standards do you meet?

- How do you maintain compliance before, during, and after a move to cloud computing?

- What third-party assurance (e.g., SAS 70, WebTrust, Systrust, etc.) documentation is in place assuring compliance?

- How can you track the physical location of your data for compliance (e.g., certain laws prevent data being stored in certain countries)?

- Beyond just data security, what documentation will the vendor provide that will allow us to maintain compliance requirements such as those in Sarbanes-Oxley?

- Are we prepared to maintain the needed internal controls and compliance to the levels required by all of our data?

- At what point are we providing too much information regarding internal controls and procedures, and endangering our business?

Availability
- How much uptime is guaranteed?

- Is there a guaranteed service level? Who monitors it? What reimbursements will occur if the guaranteed level is not met? 

- Now that we access all services over the Internet, do we have enough bandwidth for all employees, and/or does our provider have enough power and bandwidth to service our needs?

- Can our service be interrupted based on the activity of non-related cloud consumers (e.g., hard-drive subpoena)?

- How is information segregated between clients?

- How will assurance be provided by the cloud company regarding availability?

- To what level are you (cloud provider) responsible, fiscally, legally, or otherwise, for lost business as a result of your service outages or issues? 

- What are your disaster recovery and business-continuity plans now that we have a cloud infrastructure?

Operations
- How can we monitor the load and performance of the cloud?

- How can you assure me that we are being billed fairly for our usage?

- What tools are available and allowed to monitor security in our cloud?

Cost of a data breach
In the current environment, misappropriated data, stolen and lost physical assets, and unintentional and intentional breaches occur with frightening regularity to every type and size of business. The recent initial study done by the Ponemon Institute, a prominent research firm on this topic, regarding the cost and frequency of cyber crimes shows that the companies surveyed each had at least one successful cyber crime per week. And, the annual cost of managing those attacks exceeds $3.8 million. 

The report detailed costs in most every business area affected, cyber-crime detection, avoidance, incident management, asset loss, etc., but did not include non-compliance fines, sanctions, and lawsuits, which could easily double the true costs. Just look at some of the fines being levied: Rite Aid to pay $1 million for a HIPAA violation, $40.9 million for TJX for lost credit-card data, $750,000 for Health Net of NE for a lost hard drive, and California’s health agency fines six hospitals more than $790,000 for a privacy data breach. The list goes on and on.

As cloud computing grows, so will its exposure and use in criminal activity, as will the need for cloud forensics. Case in point, just take a look at any of the recent headlines or on any of the data breach websites like www.cloutage.org (founded by the Open Security Foundation). In 2010, of the 322 incidents reported, 54 incidents identified data lost, the cloud provider was hacked or a cloud vulnerability was found.  

Remember, it is always your responsibility to keep your data confidential, maintain its integrity, assure its availability, and meet your obligations under regulations and laws; just don’t lose your head because of the cloud.       

Gerald J. Archibald, CPA, is a partner in charge of management advisory services at The Bonadio Group. Contact him at garchibald@bonadio.com