Regulatory Compliance Risks in Cloud Computing

Audit records

As a matter of policy, some cloud providers do not share internal operational reports on the systems that support their cloud services with external customers.

This makes it difficult for customers to obtain auditable records for the systems provisioned to deliver the services they have contracted for. The audit tooling and reporting offered by individual providers also vary significantly, so it must be evaluated against the organization's regulatory requirements before a provider is selected.

To address this risk, the organization should do the following:

  • Agree with the service provider on a standing arrangement for how the supporting systems will be audited and verified, and write it into the contract. This can be an internal audit conducted by the organization's own audit team, or third-party verification using SSAE 16 SOC 1 and SOC 3 reports. Note that a SOC 3 report is a general-use summary; the detailed description of controls and test results is in the SOC 1 (or SOC 2) Type II report, which providers normally release only under NDA.
  • Request copies of the provider's past SAS 70/SSAE 16 reports (SSAE 16 superseded SAS 70 in 2011), or conduct regular audits of the provider.
  • Contractually mandate the audit reports, and their frequency, that the organization needs to meet its own obligations.

Storage location

A cloud service provider may store an organization's data on, or transfer it to, servers located outside the legal jurisdiction or country in which the organization operates. This may not be acceptable under the regulations that govern the organization (for example, data residency rules for personal or financial data).

To check this risk, the organization can do the following:

  • Make its legal and regulatory requirements available to the service provider so that the provider understands the data storage restrictions and policies the organization is bound by.
  • Contractually bind the service provider to the storage location restrictions that legally apply to the organization, including restrictions on replication, backup, and failover sites.

Lack of breach notice

A cloud service provider may suffer a breach that violates an organization's regulatory compliance requirements, and the organization may not learn of it until some time after the breach has occurred, which can in turn cause it to miss its own statutory notification deadlines.

To address this risk, the organization can do the following:

  • Place only data and applications that carry no regulatory compliance requirements in the cloud.
  • Contractually require the cloud service provider to report any known or suspected breach immediately, within a defined time limit that leaves the organization room to meet its own notification obligations.