Deloitte on cloud risks II: Standards present and missing
By Carol Ko 08-May-2012

Peter Koo, partner, enterprise risk services, Deloitte China
In Asia, banking and financial institutions are tiptoeing around the cloud for fear of unknowingly breaching regulatory and compliance requirements. Most cloud adoption so far is for tactical, non-mission-critical applications, and is done by setting up the infrastructure in a private cloud environment.
In this second part of an interview with Asia Cloud Forum (read Part I here), Peter Koo, partner of enterprise risk services at Deloitte China, says the absence of specific regulatory guidance is one of the barriers to cloud adoption. There is also a lack of auditing standards that provide direction and guidance for proper cloud implementation with appropriate security and privacy measures.
In light of this, Koo suggests several components that auditing and compliance standards for cloud computing should include. He details some commonly adopted standards that address different risk areas in terms of procedures and technical items. And to satisfy many curious minds, Koo answers the question, "Is it the case that the more standards adopted, the better?"
What auditing and compliance standards are lacking in the market that hinder cloud adoption by banking and financial institutions?
Koo: Primarily, banks are concerned about the location and security of customer data, especially in a public cloud environment where customers' data can be stored and moved among data centers in different parts of the world. Even if the data is stored locally, banks would face inconsistency challenges, meaning that regulations for cloud computing will be interpreted, audited and enforced differently.
Comprehensive regulatory and compliance guidelines or standards can provide companies with benchmarks to evaluate whether the cloud platform has a sufficient level of security controls. In the absence of such guidelines at the moment, there is no doubt that enterprises would have a certain fear of the unknown, which slows down the adoption of cloud technology.
We suggest that the auditing and compliance standards for cloud computing should include, but not be limited to, the following components:
Cloud computing technology is still under development. Currently, the existing standards can only fulfill part of the compliance requirements, and no comprehensive cloud-specific standard has been released so far.
What are the applicable standards that aid governance and compliance?
Koo: While the Statement on Standards for Attestation Engagements 16 (SSAE 16), the replacement for SAS 70, is the most widely used form of third-party risk evaluation for service providers, other Service Organization Control (SOC) standards focus on the financial reporting processes and on controls related to security, compliance, and operations.
ISO 27001 is another popular certification, which specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System.
These standards, which address different risk areas in terms of procedures and technical items, can help meet governance and compliance requirements of cloud computing.
However, some specific industries, such as healthcare and government agencies, may need additional standards to comply with their industry regulations. Very often, these organizations may be required to handle personal information and medical records. As a result, special care is needed in terms of physical/logical security and privacy.
As the concept of cloud computing is similar to that of IT outsourcing, some existing standards can cover most areas of cloud computing. However, there is also a need to enhance the existing standards to cover new dimensions, including cross-data jurisdiction and sharing of virtual space, ideas that are introduced by cloud computing.