Difference between revisions of "User:Shawndouglas/sandbox/sublevel1"

[[File:NIST Cloud Computing Security Reference Architecture (9029002396).jpg|right|500px|thumb|'''Figure 3.''' The ''NIST Cloud Computing Security Reference Architecture'' provides a security overlay to the ''NIST Cloud Computing Reference Architecture'', published in 2011.]]In a 2010 Cloud Computing Adoption Survey by Mimecast, the leading response (46 percent of surveyed IT managers) to the question "Why did you decide against moving to the cloud?" was "security concerns."<ref name="MimecastCloud10">{{cite web |url=https://system.netsuite.com/core/media/media.nl?id=181214&c=601905&h=2ef3796f7c4d9c8a585e&_xt=.pdf |format=PDF |title=Cloud Computing Adoption Survey |author=Mimecast |date=2010 |accessdate=21 August 2021}}</ref> In a separate survey published around the same time by the IEEE and Cloud Security Alliance, "93 percent of respondents said the need for [[cloud computing]] security standards is important; 82 percent said the need is urgent."<ref name="CSASurvey10">{{cite web |url=https://cloudsecurityalliance.org/press-releases/2010/03/01/survey-by-ieee-and-cloud-security-alliance-details-importance-and-urgency-of-cloud-computing-security-standards/ |title=Survey by IEEE and Cloud Security Alliance Details Importance and Urgency of Cloud Computing Security Standards |author=IEEE; Cloud Security Alliance |publisher=Cloud Security Alliance |date=01 March 2010 |accessdate=21 August 2021}}</ref> Fast-forward 10 years and it's easy to see that worries about cloud security have eased somewhat in comparison. A Cloud Threat Report by Oracle and KPMG in 2020 found that "40% of [[cybersecurity]] and IT professionals from private and public businesses perceive public clouds as more secure than on-premise environments ... 12% believe public clouds are no more secure or insecure than what they can deliver with on-premises environments, and 2% think public clouds are less secure."<ref name="Bizga40_20">{{cite web |url=https://securityboulevard.com/2020/05/40-of-it-professionals-believe-that-public-clouds-are-more-secure-than-on-premise-environments/ |title=40% of IT professionals believe that public clouds are more secure than on-premise environments |author=Bizga, A. |work=Security Boulevard |date=19 May 2020 |accessdate=21 August 2021}}</ref> A survey less than a year before found similar numbers, also noting, however, that while confidence in cloud security was strong, a strong majority of respondents (71 percent) still believed there were at least moderate concerns about "malicious activity in cloud systems."<ref name="CCCloud19">{{cite web |url=https://www.continuitycentral.com/index.php/news/technology/4384-cloud-is-safer-than-on-premise-say-that-majority-of-security-leaders |title=Cloud is safer than on-premise say that majority of security leaders |publisher=Continuity Central |date=04 September 2019 |accessdate=21 August 2021}}</ref>
Numerous organizations have taken up the mantle of developing and disseminating cloud compliance standards, guidelines, and recommendations since the late 2000s, some independently (e.g., the Storage Networking Industry Association) and others by government mandate (e.g., the National Institute of Standards and Technology). Some organizations have tailored their content to a specific industry (e.g., the PCI Security Standards Council and the financial industry), while others have focused on a sector of business (e.g., FedRAMP and the U.S. Federal government). As the development of these standards, guidelines, and recommendations has continued, it has laid the groundwork for future updates. NIST's early work with its SP 500-293 ''NIST Cloud Computing Technology Roadmap, Volume I and II'' and SP 500-299 ''NIST Cloud Computing Security Reference Architecture'' (Figure 3) has gone on to further define a modern approach to categorizing, evaluating, comparing, and selecting cloud services.<ref name="SimmonEval18">{{cite web |url=https://www.nist.gov/publications/evaluation-cloud-computing-services-based-nist-sp-800-145 |title=Evaluation of Cloud Computing Services Based on NIST SP 800-145 |author=Simmon, E.D. |publisher=NIST |date=23 February 2018 |accessdate=21 August 2021}}</ref> Those documents were in turn influenced by even earlier work from the Cloud Security Alliance's Enterprise Architecture efforts.<ref name="CSAEnt20">{{cite web |url=https://cloudsecurityalliance.org/artifacts/enterprise-architecture-reference-guide-v2/ |title=CSA Enterprise Architecture Reference Guide v2 |publisher=Cloud Security Alliance |date=2020 |accessdate=21 August 2021}}</ref>


To be sure, there are undoubtedly opportunities for malicious activity within the cloud, which has its own share of complexities. While cloud computing is internet-based (i.e., networked), a networking approach based on ordinary internet and network standards is not sufficient to address the complexities inherent to many cloud computing implementations.<ref name="MaurerCloud20">{{cite web |url=https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597 |title=Cloud Security: A Primer for Policymakers |author=Maurer, T.; Hinck, G. |publisher=Carnegie Endowment for International Peace |date=31 August 2020 |accessdate=21 August 2021}}</ref> From integrating public and private clouds to meeting regulations that mandate localized data storage, additional consideration must be given to how best to ensure that standardized cloud services remain driven by solid security principles. With the transition to the cloud, on-site data storage has moved online, bringing its own set of security nuances. Additionally, increased scalability, interfacing, and proximity to other networked data and systems add more complexity to security.<ref name="KasperskyWhatIs">{{cite web |url=https://usa.kaspersky.com/resource-center/definitions/what-is-cloud-security |title=What is Cloud Security? |work=Resource Center |publisher=AO Kaspersky Lab |date=2021 |accessdate=21 August 2021}}</ref> As complexity is added, a more standardized approach is called for. Just as the Cloud Native Computing Foundation's (CNCF's) Certified Kubernetes Conformance Program attempts to ensure standardized conformance of all Kubernetes instances to the Kubernetes [[application programming interface]]s (APIs) for consistency and interoperability across cloud platforms<ref name="SarrelWhyCloud20">{{cite web |url=https://www.hpe.com/us/en/insights/articles/why-cloud-native-open-source-kubernetes-matters-2002.html |title=Why cloud-native open source Kubernetes matters |author=Sarrel, M. |work=enterprise.nxt |publisher=Hewlett Packard Enterprise |date=04 February 2020 |accessdate=21 August 2021}}</ref>, standards organizations like the Institute of Electrical and Electronics Engineers (IEEE), the [[International Organization for Standardization]] (ISO), and the National Institute of Standards and Technology (NIST) develop standards and guidelines to ensure quality and security across all cloud computing platforms.<ref name="IEEE2301_20">{{cite web |url=https://standards.ieee.org/standard/2301-2020.html |title=IEEE 2301-2020 - IEEE Guide for Cloud Portability and Interoperability Profiles (CPIP) |publisher=IEEE Standards Association |date=30 January 2020 |accessdate=21 August 2021}}</ref><ref name="KirvanTop20">{{cite web |url=https://searchcompliance.techtarget.com/tip/Top-cloud-compliance-standards-and-how-to-use-them |archiveurl=https://web.archive.org/web/20201221150028/https://searchcompliance.techtarget.com/tip/Top-cloud-compliance-standards-and-how-to-use-them |title=Top cloud compliance standards and how to use them |author=Kirvan, P. |work=TechTarget SearchCompliance |date=17 December 2020 |archivedate=21 December 2020 |accessdate=21 August 2021}}</ref>
The work to improve and expand upon existing standards continues today, even as new service models for cloud computing emerge. Examples of the previously mentioned organizations, and of others contributing to these efforts, are shown in Table 3.


The next few sections examine the various organizations, agencies, and industries developing and promoting standards, guidelines, and recommendations that shape the proper use of cloud computing platforms. Note that you won't see much about [[Laboratory|laboratories]] and cloud computing in this chapter, as we pan outward and look at cloud standards and security from up high. We'll focus on how all this information relates to laboratories in the coming chapters.
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="70%"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="3"|'''Table 3.''' Organizations that have developed and are developing cloud compliance standards, guidelines, recommendations, and frameworks
|-
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Organization
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Description
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Link to standards, etc.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Crown Commercial Services and G-Cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Though not a standards organization, the U.K. Crown Commercial Service's (CCS's) G-Cloud program and framework allows companies considering selling cloud-based services to the U.K. government to make their services available "through a front-end catalogue called the Digital Marketplace." The framework agreements place specific requirements on the various services being offered by the provider, and in return, the provider can bid on government opportunities without going through the full procurement process.<ref name="AdviceCloudUltimate">{{cite web |url=https://advice-cloud.co.uk/ultimate-guide-gcloud/ |title=Ultimate Guide to G-Cloud |publisher=AdviceCloud |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.gov.uk/government/publications/g-cloud-12-framework-agreement G-Cloud standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|DMTF
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Formerly known as the Distributed Management Task Force, DMTF "creates open manageability standards spanning diverse emerging and traditional IT infrastructures."<ref name="DMTFAbout">{{cite web |url=https://www.dmtf.org/about |title=About DMTF |publisher=DMTF |accessdate=21 August 2021}}</ref> This includes cloud standards, [[virtualization]] standards, networking standards, and more.
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.dmtf.org/standards/cloud DMTF standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|European Telecommunications Standards Institute
  | style="background-color:white; padding-left:10px; padding-right:10px;"|ETSI "supports the timely development, ratification and testing of globally applicable standards" for information and communications technology (ICT) hardware, software, and services.<ref name="ETSIAbout">{{cite web |url=https://www.etsi.org/about |title=About ETSI |publisher=European Telecommunications Standards Institute |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.etsi.org/standards#page=1&search=cloud ETSI standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|General Services Administration and FedRAMP
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Though not a standards organization, the U.S. General Services Administration's (GSA's) FedRAMP program "provides a standardized approach to security authorizations for cloud service offerings" for the U.S. Federal government.<ref name="FedRAMP">{{cite web |url=https://www.fedramp.gov/ |title=FedRAMP |publisher=General Services Administration |accessdate=21 August 2021}}</ref> FedRAMP "standardizes security requirements for the authorization and ongoing cybersecurity of cloud services" as authorized by a number of regulations and policies.<ref name="FedRAMPProg">{{cite web |url=https://www.fedramp.gov/program-basics/ |title=Program Basics |publisher=General Services Administration |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.fedramp.gov/documents-templates/ FedRAMP standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|IEEE Standards Association
  | style="background-color:white; padding-left:10px; padding-right:10px;"|IEEE's Standards Association, which attempts "to facilitate standards development and standards related collaboration," has a Cloud Computing Initiative that has developed several working drafts related to cloud computing.<ref name="IEEESAStandards">{{cite web |url=https://cloudcomputing.ieee.org/standards |title=Standards in Cloud Computing |author=IEEE Cloud Computing Initiative |publisher=IEEE Standards Association |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloudcomputing.ieee.org/standards IEEE SA standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|International Organization for Standardization (ISO)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The ISO is a primary global standards organization that has been developing a wide variety of standards for decades. Numerous cloud-computing standards have been published under International Classification for Standards (ICS) code 35.210.<ref name="ISO35.210">{{cite web |url=https://www.iso.org/ics/35.210/x/ |title=ICS > 35: 35.210 Cloud Computing |publisher=International Organization for Standardization |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.iso.org/ics/35.210/x/ ISO standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|International Telecommunication Union (ITU)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The ITU is the United Nations' specialized agency for information and communication technologies (ICTs). Among its activities, the agency develops technical standards and facilitates international connectivity in communication networks.<ref name="ITUAbout">{{cite web |url=https://www.itu.int/en/about/Pages/default.aspx |title=About International Telecommunication Union (ITU) |publisher=International Telecommunication Union |accessdate=21 August 2021}}</ref> Many recommendation documents have been developed through its Telecommunication Standardization Sector (ITU-T), Study Group 13 (SG13), including cloud computing recommendations (Y Series).
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=13 ITU-T standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology (NIST)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|NIST is a U.S. Department of Commerce institute that focuses on scientific measurement and standardization. It has developed a number of roadmaps, guidelines, and definitions through its SAJACC<ref name="NISTStand18">{{cite web |url=https://www.nist.gov/itl/standards-acceleration-jumpstart-adoption-cloud-computing-sajacc |title=Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) |publisher=National Institute of Standards and Technology |date=03 June 2018 |accessdate=21 August 2021}}</ref> and NCCP<ref name="NIST_NCCP19">{{cite web |url=https://www.nist.gov/programs-projects/nist-cloud-computing-program-nccp |title=NIST Cloud Computing Program - NCCP |publisher=National Institute of Standards and Technology |date=09 July 2019 |accessdate=21 August 2021}}</ref> initiatives.
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.nist.gov/news-events/news-updates/topic/248706 NIST standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|OMG Cloud Working Group
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Previously known as the Cloud Standards Customer Council (CSCC), OMG's Cloud Working Group (CWG) "publishes vendor-neutral guidance on important considerations for cloud computing adoption, highlighting standards, opportunities for standardization, cloud customer requirements, and best practices to foster an ecosystem of open, standards-based cloud computing technologies."<ref name="OMGCloud">{{cite web |url=https://www.omg.org/cloud/ |title=Cloud Working Group |publisher=Object Management Group |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.omg.org/cloud/deliverables/index.htm CWG standards, etc.]
|- 
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Open Grid Forum (OGF)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The OGF is "an open global community committed to driving the rapid evolution and adoption of modern advanced applied distributed computing, including cloud, grid and associated storage, networking and workflow methods."<ref name="OGFHome">{{cite web |url=https://www.ogf.org/ogf/doku.php |title=Open Grid Forum |publisher=Open Grid Forum |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ogf.org/ogf/doku.php/documents/documents OGF standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Organization for the Advancement of Structured Information Standards (OASIS)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|OASIS Open is a standards body that "offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement."<ref name="OASISAbout">{{cite web |url=https://www.oasis-open.org/org/ |title=About Us |publisher=OASIS Open |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.oasis-open.org/standards/ OASIS Open standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|PCI Security Standards Council (PCI SSC)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|PCI SSC "is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide."<ref name="PCISecAbout">{{cite web |url=https://www.pcisecuritystandards.org/about_us/ |title=About Us |publisher=PCI Security Standards Council |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.pcisecuritystandards.org/document_library PCI SSC standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Storage Networking Industry Association (SNIA)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|SNIA develops and promotes "vendor-neutral architectures, standards, and educational services that facilitate the efficient management, movement, and security of information,"<ref name="SNIAVision">{{cite web |url=https://www.snia.org/about/vision-mission |title=Vision and Mission |publisher=Storage Networking Industry Association |accessdate=21 August 2021}}</ref> including the Cloud Data Management Interface (CDMI) standard.<ref name="SNIAStand">{{cite web |url=https://www.snia.org/tech_activities/standards/curr_standards |title=Standards Portfolio |publisher=Storage Networking Industry Association |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.snia.org/tech_activities/standards/curr_standards SNIA standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The Open Group
  | style="background-color:white; padding-left:10px; padding-right:10px;"|This organization attempts "to capture, clarify, and integrate current and emerging requirements, establish standards and policies, and share best practices."<ref name="TOGHome">{{cite web |url=https://www.opengroup.org/ |title=The Open Group |publisher=The Open Group |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.opengroup.org/subject-areas-0 Open Group standards, etc.]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|TM Forum
  | style="background-color:white; padding-left:10px; padding-right:10px;"|This global alliance attempts "to collaboratively solve complex industry-wide challenges, deploy new services and create technology breakthroughs to accelerate change."<ref name="TMForumAbout">{{cite web |url=https://www.tmforum.org/about-tm-forum/ |title=About Us |publisher=TM Forum |accessdate=21 August 2021}}</ref> As a result of this collaboration, several technical documents and guides related to cloud computing have been developed.
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.tmforum.org/?s=cloud&post_type=product TM Forum standards, etc.]
|-
|}
 
However, organizational standards, guidelines, and recommendations are not the only influences on how cloud computing services can and should be implemented and operated. Regulatory bodies, legislative bodies, and government agencies also directly or indirectly have an impact on cloud service operations. In some cases, the law, regulation, or guidance coming from such bodies may not even mention "cloud computing," yet because it mandates how specific data and information can be managed, used, and distributed, it ultimately influences what a cloud service provider (CSP) does and how it does it. This can be observed in more than a few of the examples in Table 4. The California Consumer Privacy Act, for example, makes no mention of the word "cloud," but CSPs and cloud users alike must consider aspects of the regulation, e.g., what can and cannot be done with a consumer's information based on the location of the stored information.<ref name="Cal1.18.5">{{cite web |url=https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5 |title=TITLE 1.81.5. California Consumer Privacy Act of 2018 [1798.100 - 1798.199.100] |work=California Legislative Information |publisher=Legislative Counsel Bureau |accessdate=21 August 2021}}</ref>
 
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="70%"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 4.''' Examples of some common regulations, recommendations, and guidance that shape the proper use of cloud-computing platforms
|-
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Regulation, recommendation, or guidance
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Creator
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Description
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Link
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|California Consumer Privacy Act (CCPA)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The State of California
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The CCPA "provides California consumers with a number of privacy protections, including right to access, delete, and opt-out of the 'sale' of their personal information."<ref name="GoogleCCPA">{{cite web |url=https://cloud.google.com/security/compliance/ccpa |title=California Consumer Privacy Act (CCPA) |publisher=Google Cloud |accessdate=21 August 2021}}</ref> Cloud solutions such as Google Cloud attempt to help users meet CCPA obligations, as well as meet their own commitments.<ref name="GoogleCCPA" />
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5 Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Computing Regulatory Framework (CCRF)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Kingdom of Saudi Arabia
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The KSA's CCRF "is based on international best practices and governs the rights and obligations of cloud service providers (CSPs), individual customers, government entities and businesses."<ref name="GuseyvaData20">{{cite web |url=https://incountry.com/blog/data-residency-laws-by-country-overview/ |title=Data residency laws by country: An overview |author=Guseyva, V. |work=InCountry |date=18 September 2020 |accessdate=21 August 2021}}</ref> It is one of only a few existing cloud-specific regulatory frameworks created by a government.<ref name="GuseyvaData20" />
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.citc.gov.sa/en/RulesandSystems/RegulatoryDocuments/Pages/CCRF.aspx Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Security Principles
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Government of the United Kingdom
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The U.K. developed a collection of 14 Cloud Security Principles that "include important considerations such as protection of data in transit, supply chain security, identity and authentication, and secure use of cloud services."<ref name="GoogleUKCloud">{{cite web |url=https://cloud.google.com/security/compliance/uk-ncsc |title=UK’s Cloud Security Principles |publisher=Google Cloud |accessdate=21 August 2021}}</ref> This is an example of a national government developing a cloud-specific set of guidance for its public sector.
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Federal Information Security Modernization Act of 2014 (FISMA)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|United States Government
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Amending the prior FISMA 2002, FISMA 2014 achieves several things, chief among them giving the Federal government the ability to better respond to cybersecurity attacks on its departments and agencies. Compliance with FISMA means implementing "recommended information security controls for federal information systems as identified in the NIST SP 800-53."<ref name="PAWhatIs21">{{cite web |url=https://www.paloaltonetworks.com/cyberpedia/difference-between-fisma-and-fedramp |title=What is the Difference between FISMA and FedRAMP? |publisher=PaloAlto Networks |date=2021 |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisa.gov/federal-information-security-modernization-act Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[[General Data Protection Regulation]] (GDPR)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|European Union
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The GDPR is a non-trivial regulatory hurdle with positive intentions, with the goal of strengthening personal data protection in Europe. The regulation "lays out specific requirements for businesses and organizations who are established in Europe or who serve users in Europe."<ref name="GoogleGDPR">{{cite web |url=https://cloud.google.com/security/gdpr |title=Google Cloud & the General Data Protection Regulation (GDPR) |publisher=Google Cloud |accessdate=21 August 2021}}</ref> Cloud vendors like Google may stipulate in their contracts with European clients how they meet that guidance, as well as offer tools, documentation, and other resources to assist with assessment of the vendor's services.<ref name="GoogleGDPR" />
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679 Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Guidance on Outsourcing to Cloud Service Providers
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Germany's Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|BaFin's Guidance document on cloud service outsourcing "provides specific outsourcing guidance for financial institutions on contractual terms, including information and audit rights, the right to issue instructions, data security / protection, termination and chain outsourcing."<ref name="GoogleBaFinCloud">{{cite web |url=https://cloud.google.com/security/compliance/bafin |title=BaFin Cloud Outsourcing Guidance |publisher=Google Cloud |accessdate=21 August 2021}}</ref> Cloud vendors like Google may stipulate in their contracts with German clients how they meet that guidance.<ref name="GoogleBaFinCloud" />
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.bafin.de/SharedDocs/Downloads/EN/Merkblatt/BA/dl_181108_orientierungshilfe_zu_auslagerungen_an_cloud_anbieter_ba_en.html?nn=9866146 Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[[Health Insurance Portability and Accountability Act]] (HIPAA)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|United States Government
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The HIPAA Rules "establish important protections for individually identifiable health information ..., including limitations on uses and disclosures of such information, safeguards against inappropriate uses and disclosures, and individuals’ rights with respect to their health information."<ref name="HHSGuidance20">{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html |title=Guidance on HIPAA & Cloud Computing |author=Office for Civil Rights |work=Health Information Privacy |publisher=U.S. Department of Health & Human Services |date=24 November 2020 |accessdate=21 August 2021}}</ref> HIPAA compliance is so vital for some organizations that U.S. government entities like the U.S. Department of Health & Human Services (HHS) have published their own guidance on how HIPAA covered entities can best comply when using cloud services.<ref name="HHSGuidance20" />
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.hhs.gov/hipaa/for-professionals/index.html Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Joint Statement: Security in a Cloud Computing Environment
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Federal Financial Institutions Examination Council (FFIEC)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|In this document, the FFIEC—an interagency group of federal and state banking regulators—addresses "the use of cloud computing services and security risk management principles in the financial services sector" and "highlights examples of risk management practices for a financial institution’s safe and sound use of cloud computing services and safeguards to protect customers’ sensitive information from risks that pose potential consumer harm."<ref name="FFIECJoint20">{{cite web |url=https://www.ffiec.gov/press/PDF/FFIEC_Cloud_Computing_Statement.pdf |format=PDF |title=Joint Statement: Security in a Cloud Computing Environment |date=30 April 2020 |accessdate=21 August 2021}}</ref><ref name="RossUS20">{{cite web |url=https://www.regulationtomorrow.com/us/us-bank-regulators-issue-cloud-computing-security-guidance/ |title=US bank regulators issue cloud computing security guidance |author=Ross, S.; Scott, K. |work=Financial Services: Regulation Tomorrow |publisher=Norton Rose Fulbright |date=06 May 2020 |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ffiec.gov/press/PDF/FFIEC_Cloud_Computing_Statement.pdf Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|OMB Circular A-130, Managing Information as a Strategic Resource
  | style="background-color:white; padding-left:10px; padding-right:10px;"|United States Government
  | style="background-color:white; padding-left:10px; padding-right:10px;"|This (revised) Obama-era circular "establishes general policy for the planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services," including cloud services.<ref name="WHOMBA-130_16">{{cite web |url=https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf |format=PDF |title=OMB Circular A-130, Managing Information as a Strategic Resource |publisher=The White House |date=28 July 2016 |accessdate=21 August 2021}}</ref> In addition to FISMA, this circular supports the FedRAMP program and its standardized security requirements.<ref name="FedRAMP" />
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Personal Data Protection Law (KVKK)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Government of Turkey
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Turkey's KVKK (Kişisel Verileri Koruma Kanunu) "regulates the protection of personal data and outlines the obligations that entities and individuals dealing with personal data must comply with."<ref name="CoosAllYou20">{{cite web |url=https://www.endpointprotector.com/blog/everything-you-need-to-know-about-turkeys-personal-data-protection-law/ |title=All You Need to Know About Turkey’s Personal Data Protection Law (KVKK) |author=Coos, A. |work=Endpoint Protector Blog |date=30 April 2020 |accessdate=21 August 2021}}</ref> It has significant relevance to cloud computing efforts in the country.<ref name="ErsoyCloud20">{{cite web |url=https://www.kilinclaw.com.tr/en/cloud-computing-technologies-and-its-legal-dimension/ |title=Cloud Computing Technologies and Its Legal Dimension |author=Ersoy, E.C.; Karakaş, M. |publisher=Kılınç Law and Consulting |date=19 June 2020 |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.kvkk.gov.tr/en/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Protective Security Policy Framework
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Australian Government
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The PSPF "assists Australian Government entities to protect their people, information, and assets, both at home and overseas." It contains multiple statements about how cloud computing should be handled.<ref name="AGProtect">{{cite web |url=https://www.protectivesecurity.gov.au/ |title=The Protective Security Policy Framework |publisher=Australian Government |accessdate=21 August 2021}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.protectivesecurity.gov.au/ Link]
|-
|}
 
While Big Tech was asking the U.S. government as early as 2010 to take a more proactive regulatory approach to cloud computing<ref name="AlpernMicro10">{{cite web |url=https://www.industryweek.com/innovation/article/21932894/microsoft-to-congress-time-for-new-cloud-computing-laws |title=Microsoft to Congress: Time For New Cloud Computing Laws |author=Alpern, P. |work=IndustryWeek |date=10 February 2010 |accessdate=21 August 2021}}</ref>, actual direct regulation of cloud computing by the world's governments has been limited.<ref name="LeviteCloud20">{{cite web |url=https://carnegieendowment.org/2020/11/09/cloud-governance-challenges-survey-of-policy-and-regulatory-issues-pub-83124 |title=Cloud Governance Challenges: A Survey of Policy and Regulatory Issues |author=Levite, A.; Kalwani, G. |publisher=Carnegie Endowment for International Peace |date=09 November 2020 |accessdate=21 August 2021}}</ref><ref name="AliTheRole20">{{cite journal |title=The role of government regulations in the adoption of cloud computing: A case study of local government |journal=Computer Law & Security Review |author=Ali, O.; Osmanaj, V. |volume=36 |at=105396 |year=2020 |doi=10.1016/j.clsr.2020.105396}}</ref> This has left viewpoints about the value of regulation versus its drawbacks divided. Yes, careful regulation can help ensure consistent, affordable, and secure access to cloud services and may even encourage organizations to adopt the technology.<ref name="LeviteCloud20" /> However, a heavy-handed approach to regulating CSPs, without sector- and industry-specific considerations, may have unintended consequences, e.g., unduly raising compliance costs or forcing insufficient levels of access control on an entity.<ref name="LeviteCloud20" />
 
At least in the U.S., lawmakers and regulators may soon be pressured to increase regulatory approaches to cloud computing. This may be driven by the increasingly concentrated nature of cloud services in a handful of tech giants, though at the same time hampered by the widely varying approaches to addressing cloud-related issues via policy and regulation at the national and international levels. First, the very nature of these cloud services as centralized services—and the ever-increasing criticality they attain—ensures the regulatory eye will increasingly be placed upon those cloud vendors. In fact, discussion about and designation of cloud services as critical infrastructure is already occurring in earnest, as they have "become essential to the performance of a growing swath of other sectors that have not heretofore been massively dependent on centralized cloud functionalities, and hence vulnerable to their disruption."<ref name="LeviteCloud20" /><ref name="MaurerCloud20">{{cite web |url=https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597 |title=Cloud Security: A Primer for Policymakers |author=Maurer, T.; Hinck, G. |publisher=Carnegie Endowment for International Peace |date=31 August 2020 |accessdate=21 August 2021}}</ref> This may leave policymakers, regulatory bodies, and legislators with little choice but to move forward with more policy and regulation. Second, and consequently, the development of such policy and regulation may occur not in a manner unified with global perspectives but rather largely on the basis of localized values, interests, and priorities. The failure here is a lack of recognition that CSPs are integral to individual, retail, corporate, organizational, and government operations around the globe, i.e., that they occupy a centralized and concentrated position within a changing computing paradigm. As such, greater effort must be made by policymakers, regulators, and legislatures to find at least a minimum level of "compatibility and reconciliation" with other existing governance mechanisms, while carefully addressing both security of operation and operational robustness in tandem, such that there is greater harmonization globally.<ref name="LeviteCloud20" /> And through government-level support of harmonized controls—as well as a vested interest in promoting the responsible "development, dissemination, and operation of cloud infrastructure"—cloud users will stand a greater chance of reaping the economic benefits of adopting cloud computing.<ref name="LeviteCloud20" />
 
Current and future regulatory action applies to several areas of cloud computing. How a CSP responds to and notifies affected users of a security breach is one concern. Currently, the U.S. government doesn't address, in a unified fashion, aspects of cloud security breaches such as protection obligations, reporting time, and required notification parties, nor any compensation mechanism for those affected.<ref name="MitnickNoMore18">{{cite web |url=https://www.accessnow.org/no-more-waiting-its-time-for-a-federal-data-breach-law-in-the-u-s/ |title=No more waiting: It’s time for a federal data breach law in the U.S. |author=Mitnick, D. |work=Access Now Blog |publisher=Access Now |date=10 April 2018 |accessdate=21 August 2021}}</ref> (All U.S. states and most territories do have their own flavor of breach notification legislation<ref name="NCSLSecurity20">{{cite web |url=https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx |title=Security Breach Notification Laws |publisher=National Conference of State Legislatures |date=17 July 2020 |accessdate=21 August 2021}}</ref>, but like cannabis law, this is problematic in the face of a strong divergence with federal law, or the lack thereof.) The applications and algorithms that drive and collect data from users of cloud-enabled applications may also face regulatory scrutiny or control by a national government, as was seen with both China's and the U.S.'s scrutiny of the TikTok application, its algorithms, and its security.<ref name="LeviteCloud20" /><ref name="BrandomTrump20">{{cite web |url=https://www.theverge.com/2020/9/2/21418496/tiktok-for-you-page-algorithm-deal-us-china-trump-microsoft |title=Trump’s TikTok deal has hit a serious roadblock |author=Brandom, R. |work=The Verge |date=02 September 2020 |accessdate=21 August 2021}}</ref><ref name="CoxOracle21">{{cite web |url=https://arstechnica.com/tech-policy/2021/02/oracles-tiktok-acquisition-reportedly-shelved-indefinitely/ |title=Oracle’s TikTok acquisition reportedly “shelved” indefinitely |author=Cox, K. |work=Ars Technica |date=10 February 2021 |accessdate=21 August 2021}}</ref> Data localization also remains a significant area of cloud computing regulation, not just for security concerns but also for industrial policy, economic policy, privacy concerns, and human rights concerns.<ref name="LeviteCloud20" /> Other areas of concern that may see regulation include interoperability and portability, digital preservation (retention) obligations, and cross-border data transfer.
 
And then there's the proverbial "elephant in the room": overall data privacy and protection considerations in the cloud. This is typically a major concern because of statutes—like the California Consumer Privacy Act<ref name="GoogleCCPA" />—that broadly protect a collective of affected individuals and how their cloud data is collected, preserved, organized, stored, and used, not only within the governing entity (e.g., state, country, political and economic union) but also as it's transferred to and from the governing entity. The previously mentioned data localization and cross-border data transfer issues fall under this heading.<ref name="EusticeUnder18">{{cite web |url=https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing |title=Understand the intersection between data privacy laws and cloud computing |author=Eustice, J.C. |work=Legal Technology, Products, and Services |publisher=Thomson Reuters |date=2018 |accessdate=21 August 2021}}</ref> These often prove to be some of the most challenging regulations to develop, as lawmakers and regulators don't always anticipate the rate of change of technology. They're also difficult for CSPs and organizations to comply with, particularly due to the variance in requirements among all governing entities' laws.<ref name="EusticeUnder18" />
 
Other approaches to regulation also affect how cloud computing services are implemented and managed. For example, rather than taking a broad approach towards regulation, addressing everyone providing and/or using cloud services, it's possible that regulators and legislators may take a more focused, sector-based approach. But that comes with its own set of problems, as Maurer and Hinck noted in their 2020 Carnegie Endowment paper<ref name="MaurerCloud20" />:
 
<blockquote>[T]he impact of a cloud security incident usually depends on what type of data or service is affected. Thus, the most suitable potential regulatory requirements with respect to security may differ across sectors that deal with different types of data—from the highly sensitive, fast-moving data common in the financial sector to the more privacy-sensitive personal data used by medical service providers. However, crafting regulation on a sector-by-sector basis would likely create conflicting requirements and incomplete standards.</blockquote>
 
Finally, as a third option, rather than direct regulation of the broad market or even specific sectors, some governments may simply use their considerable weight to influence how CSPs provide their services, influencing future regulation, as Levite and Kalwani note in their 2020 paper for the Carnegie Endowment<ref name="LeviteCloud20" />:
 
<blockquote>Finally, some of the efforts to influence CSP behavior may not come through explicit regulation, but rather through exercise of the government’s market power. Cloud adoption strategies and trends in e-governance have made governments some of the largest and most important clients of CSPs. Governments will likely use their market clout and status as a large and powerful consumer as a source of leverage over industry to set standards of contracting fairness and other provisions that transcend the immediate cloud service contracts they enter. While formally these provisions will only apply to government contracts, they could over time cross over to public clouds as well, or at least help set precedents that drive regulatory attention and inform industry standards. Yet over the longer run, government privatization of many services might actually weaken their leverage, given lock-in issues. How the balance between the two parties ultimately will play out remains to be seen.</blockquote>
 
Whatever direction regulators and legislators take, it ideally will be done with thorough consideration of how to implement regulation, as well as the potential effects regulation will have on various markets.


==References==
{{Reflist|colwidth=30em}}

Revision as of 22:52, 3 February 2022

Numerous organizations have taken up the mantle in developing and disseminating cloud compliance standards, guidelines, and recommendations since the late 2000s, some independently (e.g., the Storage Networking Industry Association) and others by government mandate (e.g., National Institute of Standards and Technology). Some organizations have tailored their content to a specific industry (e.g., PCI Security Standards Council and the financial industry), while others have focused on a sector of business (e.g., FedRAMP and the U.S. Federal government). As the development of these standards, guidelines, and recommendations has continued, the groundwork has been created for future updates. NIST's early work with its SP 500-293 NIST Cloud Computing Technology Roadmap, Volume I and II and SP 500-299 NIST Cloud Computing Security Reference Architecture (Figure 3) have gone on to further define a modern approach to categorizing, evaluating, comparing, and selecting cloud services.[1] And those documents were influenced by even earlier work by the Cloud Security Alliance's Enterprise Architecture efforts.[2]

The work to improve and expand upon existing standards continues today, even as new service models for cloud computing emerge. Examples of the prior mentioned and other organizations contributing to these efforts are shown in Table 3.

Table 3. Organizations that have developed and are developing cloud compliance standards, guidelines, recommendations, and frameworks
Organization Description Link to standards, etc.
Crown Commercial Services and G-Cloud Though not a standards organization, the U.K. Crown Commercial Service's (CSS's) G-Cloud program and framework allows companies considering selling cloud-based services to the U.K. government to make their services available "through a front-end catalogue called the Digital Marketplace." The framework agreements place specific requirements on the various services being offered by the provider, and in return, the provider can bid on government opportunities without going through the full procurement process.[3] G-Cloud standards, etc.
DMTF Formerly known as the Distributed Management Task Force, DMTF "creates open manageability standards spanning diverse emerging and traditional IT infrastructures."[4] This includes cloud standards, virtualization standards, networking standards, and more. DMTF standards, etc.
European Telecommunications Standards Institute ETSI "supports the timely development, ratification and testing of globally applicable standards" for information and communications technology (ICT) hardware, software, and services.[5] ETSI standards, etc.
General Services Administration and FedRAMP Though not a standards organization, the U.S. General Services Administration's (GSA's) FedRAMP program "provides a standardized approach to security authorizations for cloud service offerings" for the U.S. Federal government.[6] FedRAMP "standardizes security requirements for the authorization and ongoing cybersecurity of cloud services" as authorized by a number of regulations and policies.[7] FedRAMP standards, etc.
IEEE Standards Association IEEE's Standards Association, which attempts "to facilitate standards development and standards related collaboration," has a Cloud Computing Initiative that has developed several working drafts related to cloud computing.[8] IEEE SA standards, etc.
International Organization for Standardization (ISO) The ISO is a primary global standards organization that has been developing a wide variety of standards for decades. Numerous cloud-computing standards have been published under International Classification for Standards (ICS) code 35.210.[9] ISO standards, etc.
International Telecommunication Union (ITU) The ITU is the United Nation's specialized agency for information communication technologies (ICTs). Among their activities, the agency develops technical standards and facilitates international connectivity in communication networks.[10] Many recommendation documents have been developed through its Telecommunication Standardization Sector (ITU-T), SG13 Study Group, including cloud computing recommendations (Y Series). ITU-T standards, etc.
National Institute of Standards and Technology (NIST) NIST is a U.S. Department of Commerce institute which focuses on scientific measurement and standardization. They have developed a numbers roadmaps, guidelines, and definitions through its SAJACC[11] and NCCP[12] initiatives. NIST standards, etc.
OMG Cloud Working Group Previously known as the Cloud Standards Customer Council (CSCC), OMG's Cloud Working Group (CWG) "publishes vendor-neutral guidance on important considerations for cloud computing adoption, highlighting standards, opportunities for standardization, cloud customer requirements, and best practices to foster an ecosystem of open, standards-based cloud computing technologies."[13] CWG standards, etc.
Open Grid Forum (OGF) The OGF is "an open global community committed to driving the rapid evolution and adoption of modern advanced applied distributed computing, including cloud, grid and associated storage, networking and workflow methods."[14] OGF standards, etc.
Organization for the Advancement of Structured Information Standards (OASIS) OASIS Open is a standards body that "offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement."[15] OASIS Open standards, etc.
PCI Security Standards Council (PCI SSC) PCI SSC "is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide."[16] PCI SSC Open standards, etc.
Storage Networking Industry Association (SNIA) SNIA develops and promotes "vendor-neutral architectures, standards, and educational services that facilitate the efficient management, movement, and security of information,"[17] including the Cloud Data Management Interface (CDMI) standard.[18] SNIA standards, etc.
The Open Group This organization attempts "to capture, clarify, and integrate current and emerging requirements, establish standards and policies, and share best practices."[19] Open Group standards, etc.
TM Forum This global alliance attempts "to collaboratively solve complex industry-wide challenges, deploy new services and create technology breakthroughs to accelerate change."[20] As a result of this collaboration, several technical documents and guides related to cloud computing have been developed. TM Forum standards, etc.

However, organizational standards, guidelines, and recommendations alone do not influence how cloud computing services can and should be implemented and operated. Regulatory bodies, legislative bodies, and government agencies also directly or indirectly have an impact on cloud service operations. In some cases, the law, regulation, or guidance coming from such bodies may not even mention "cloud computing," yet because they mandate how specific data and information can be managed, used, and distributed, they ultimately influence what a cloud service provider (CSP) does and how they do it. This can be observed by more than a few of the examples in Table 4. The California Consumer Privacy Act, for example, makes no mention of the word "cloud," but CSPs and cloud users alike must consider aspects of the regulation, e.g., what can and cannot be done with a consumer's information based on location of the stored information.[21]

Table 4. Examples of some common regulations, recommendations, and guidance that shape the proper use of cloud-computing platforms
Regulation, recommendation, or guidance Creator Description Link
California Consumer Privacy Act (CCPA) The State of California The CCPA "provides California consumers with a number of privacy protections, including right to access, delete, and opt-out of the 'sale' of their personal information."[22] Cloud solutions such as Google Cloud attempt to help users meet CCPA obligations, as well as meet their own commitments.[22] Link
Cloud Computing Regulatory Framework (CCRF) Kingdom of Saudi Arabia The KSA's CCRF "is based on international best practices and governs the rights and obligations of cloud service providers (CSPs), individual customers, government entities and businesses."[23] It is one of only a few existing cloud-specific regulatory frameworks created by a government.[23] Link
Cloud Security Principles Government of the United Kingdom The U.K. developed a collection of 14 Cloud Security Principles that "include important considerations such as protection of data in transit, supply chain security, identity and authentication, and secure use of cloud services."[24] This is an example of a national government developing a cloud-specific set of guidance for its public sector. Link
Federal Information Security Modernization Act of 2014 (FISMA) United States Government Amending the prior FISMA 2002, FISMA 2014 achieves several things, chief among them giving Federal government the ability to better respond to cybersecurity attacks on its departments and agencies. Compliance with FISMA means implementing "recommended information security controls for federal information systems as identified in the NIST SP 800-53."[25] Link
General Data Protection Regulation (GDPR) European Union The GDPR is a non-trivial regulatory hurdle with positive intentions, with the goal of strengthening personal data protection in Europe. The regulation "lays out specific requirements for businesses and organizations who are established in Europe or who serve users in Europe."[26] Cloud vendors like Google may stipulate in their contracts with European clients how they meet that guidance, as well as offer tools, documentation, and other resources to assist with assessment of the vendor's services.[26] Link
Guidance on Outsourcing to Cloud Service Providers Germany's Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) BaFin's Guidance document on cloud service outsourcing "provides specific outsourcing guidance for financial institutions on contractual terms, including information and audit rights, the right to issue instructions, data security / protection, termination and chain outsourcing."[27] Cloud vendors like Google may stipulate in their contracts with German clients how they meet that guidance.[27] Link
Health Insurance Portability and Accountability Act (HIPAA) United States Government The HIPAA Rules "establish important protections for individually identifiable health information ..., including limitations on uses and disclosures of such information, safeguards against inappropriate uses and disclosures, and individuals’ rights with respect to their health information."[28] HIPAA compliance is so vital for some organizations that U.S. government entities like the U.S. Department of Health & Human Services (HHS) have published their own guidance towards how HIPAA covered entities can best comply when using cloud services.[28] Link
Joint Statement: Security in a Cloud Computing Environment Federal Financial Institutions Examination Council (FFIEC) In this document, the FFIEC—an interagency group of federal and state banking regulators—addresses "the use of cloud computing services and security risk management principles in the financial services sector" and "highlights examples of risk management practices for a financial institution’s safe and sound use of cloud computing services and safeguards to protect customers’ sensitive information from risks that pose potential consumer harm."[29][30] Link
OMB Circular A-130, Managing Information as a Strategic Resource United States Government This (revised) Obama-era circular "establishes general policy for the planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services," including cloud services.[31] In addition to FISMA, this circular supports the FedRAMP program and its standardized security requirements.[6] Link
Personal Data Protection Law (KVKK) Government of Turkey Turkey's KVKK (Kişisel Verileri Koruma Kanunu) "regulates the protection of personal data and outlines the obligations that entities and individuals dealing with personal data must comply with."[32] It has significant relevancy to cloud computing efforts in the country.[33] Link
Protective Security Policy Framework Australian Government The PSPF "assists Australian Government entities to protect their people, information, and assets, both at home and overseas." It contains multiple statements about how cloud computing should be handled.[34] Link

While Big Tech was as early as 2010 asking the U.S. government to take a more proactive regulatory approach to cloud computing[35], actual direct regulation of cloud computing by the world's governments has been limited.[36][37] This leads to complicated viewpoints about the value of regulation vs. its drawbacks. Yes, careful regulation can help ensure consistent, affordable, and secure access to cloud services and may even encourage organizations to adopt the technology.[36] However, a headstrong approach to regulations for CSPs, without sector- and industry-specific considerations, may have unintended consequences, e.g., unduly raising compliance costs or forcing insufficient levels of access control on an entity.[36]

At least in the U.S., lawmakers and regulators may soon be pressured to increase regulatory approaches to cloud computing. This may be driven by the increasingly concentrated nature of cloud services in a handful of tech giants, though at the same time hampered by the widely varying approaches to addressing cloud-related issues via policy and regulation at the national and international levels. First, the very nature of these cloud services—and the ever increasing criticality they attain—as centralized services ensures the regulatory eye will increasingly be placed upon those cloud vendors. In fact, discussion about and designation of cloud services as critical infrastructure is already occurring in earnest, as they have "become essential to the performance of a growing swath of other sectors that have not heretofore been massively dependent on centralized cloud functionalities, and hence vulnerable to their disruption."[36][38] This may lead to policymakers, regulatory bodies, and legislators being left with little choice but to move forward with more policy and regulation. Second, and consequently, the development of such policy and regulation may not occur in a manner more unified with global perceptions but rather largely based upon localized values, interests, and priorities. The failure here is the lack of recognition of CSPs as being integral to individual, retail, corporate, organizational, and government operations around the globe, i.e. their centralized and concentrated position within a changing computing paradigm. 
As such, greater effort must be made by policymakers, regulators, and legislatures to find at least a minimum level of "compatibility and reconciliation" with other existing governance mechanisms, while carefully addressing both security of operation and operational robustness in tandem, such that there is greater harmonization globally.[36] And through government-level support of harmonized controls—as well as a vested interest in promoting the responsible "development, dissemination, and operation of cloud infrastructure"—cloud users will stand a greater chance of reaping the economic benefits of adopting cloud computing.[36]

Current and future regulatory action applies to several areas of cloud computing. How a CSP responds to and notifies affected users of a security breach is one concern. Currently the U.S. government doesn't fully address in a unified fashion aspects of cloud security breaches such as protection obligations, reporting time, and required notification parties, nor any compensation mechanism for those affected.[39] (All U.S. states and most territories do have their own flavor of breach notification legislation[40], but like cannabis law, this is problematic in the face of a strong divergence with federal law or lack thereof.) The applications and algorithms that drive and collect data from users of cloud-enabled applications may also face regulatory scrutiny or control by a national government, as was seen with both China's and the U.S.'s scrutiny of the TikTok application, its algorithms, and its security.[36][41][42] Data localization also remains a significant area of cloud computing regulation, not just for security concerns but also industrial policy, economic policy, privacy concerns, and human rights concerns.[36] Other areas of concern that may see regulation include interoperability and portability, digital preservation (retention) obligations, and cross-border data transfer.

And then there's the proverbial "elephant in the room": overall data privacy and protection considerations in the cloud. This is a major concern typically because of statutes—like the California Consumer Privacy Act[22]—that broadly protect a collective of affected individuals and how their cloud data is collected, preserved, organized, stored, and used not only within the governing entity (e.g., state, country, political and economic union) but also as its transferred to and from the governing entity. The previously mentioned data localization and cross-border data transfer issues fall under this heading.[43] These often prove to be some of the most challenging regulations to develop, as lawmakers and regulators don't always anticipate the rate of change of technology. They're also difficult for CSPs and organizations to comply with, particularly due to the variance in requirements among all governing entities' laws.[43]

Other approaches to regulation also affect how cloud computing services are implemented and managed. For example, rather than taking a broad approach towards regulation, addressing everyone providing and/or using cloud services, it's possible that regulators and legislators may take a more focused, sector-based approach. But that comes with its own set of problems, as Maurer and Hinck noted in their 2020 Carnegie Endowment paper[38]:

[T]he impact of a cloud security incident usually depends on what type of data or service is affected. Thus, the most suitable potential regulatory requirements with respect to security may differ across sectors that deal with different types of data—from the highly sensitive, fast-moving data common in the financial sector to the more privacy-sensitive personal data used by medical service providers. However, crafting regulation on a sector-by-sector basis would likely create conflicting requirements and incomplete standards.

Finally, as a third option, rather than directly regulating the broad market or even specific sectors, some governments may simply use their considerable weight as customers to influence how CSPs provide their services, thereby shaping future regulation, as Levite and Kalwani note in their 2020 paper for the Carnegie Endowment[36]:

Finally, some of the efforts to influence CSP behavior may not come through explicit regulation, but rather through exercise of the government’s market power. Cloud adoption strategies and trends in e-governance have made governments some of the largest and most important clients of CSPs. Governments will likely use their market clout and status as a large and powerful consumer as a source of leverage over industry to set standards of contracting fairness and other provisions that transcend the immediate cloud service contracts they enter. While formally these provisions will only apply to government contracts, they could over time cross over to public clouds as well, or at least help set precedents that drive regulatory attention and inform industry standards. Yet over the longer run, government privatization of many services might actually weaken their leverage, given lock-in issues. How the balance between the two parties ultimately will play out remains to be seen.

Whatever direction regulators and legislators take, it ideally will be done with thorough consideration of how to implement regulation, as well as the potential effects regulation will have on various markets.

References

  1. Simmon, E.D. (23 February 2018). "Evaluation of Cloud Computing Services Based on NIST SP 800-145". NIST. https://www.nist.gov/publications/evaluation-cloud-computing-services-based-nist-sp-800-145. Retrieved 21 August 2021.
  2. "CSA Enterprise Architecture Reference Guide v2". Cloud Security Alliance. 2020. https://cloudsecurityalliance.org/artifacts/enterprise-architecture-reference-guide-v2/. Retrieved 21 August 2021.
  3. "Ultimate Guide to G-Cloud". AdviceCloud. https://advice-cloud.co.uk/ultimate-guide-gcloud/. Retrieved 21 August 2021.
  4. "About DMTF". DMTF. https://www.dmtf.org/about. Retrieved 21 August 2021.
  5. "About ETSI". European Telecommunications Standards Institute. https://www.etsi.org/about. Retrieved 21 August 2021.
  6. "FedRAMP". General Services Administration. https://www.fedramp.gov/. Retrieved 21 August 2021.
  7. "Program Basics". General Services Administration. https://www.fedramp.gov/program-basics/. Retrieved 21 August 2021.
  8. IEEE Cloud Computing Initiative. "Standards in Cloud Computing". IEEE Standards Association. https://cloudcomputing.ieee.org/standards. Retrieved 21 August 2021.
  9. "ICS > 35: 35.210 Cloud Computing". International Organization for Standardization. https://www.iso.org/ics/35.210/x/. Retrieved 21 August 2021.
  10. "About International Telecommunication Union (ITU)". International Telecommunication Union. https://www.itu.int/en/about/Pages/default.aspx. Retrieved 21 August 2021.
  11. "Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC)". National Institute of Standards and Technology. 3 June 2018. https://www.nist.gov/itl/standards-acceleration-jumpstart-adoption-cloud-computing-sajacc. Retrieved 21 August 2021.
  12. "NIST Cloud Computing Program - NCCP". National Institute of Standards and Technology. 9 July 2019. https://www.nist.gov/programs-projects/nist-cloud-computing-program-nccp. Retrieved 21 August 2021.
  13. "Cloud Working Group". Object Management Group. https://www.omg.org/cloud/. Retrieved 21 August 2021.
  14. "Open Grid Forum". Open Grid Forum. https://www.ogf.org/ogf/doku.php. Retrieved 21 August 2021.
  15. "About Us". OASIS Open. https://www.oasis-open.org/org/. Retrieved 21 August 2021.
  16. "About Us". PCI Security Standards Council. https://www.pcisecuritystandards.org/about_us/. Retrieved 21 August 2021.
  17. "Vision and Mission". Storage Networking Industry Association. https://www.snia.org/about/vision-mission. Retrieved 21 August 2021.
  18. "Standards Portfolio". Storage Networking Industry Association. https://www.snia.org/tech_activities/standards/curr_standards. Retrieved 21 August 2021.
  19. "The Open Group". The Open Group. https://www.opengroup.org/. Retrieved 21 August 2021.
  20. "About Us". TM Forum. https://www.tmforum.org/about-tm-forum/. Retrieved 21 August 2021.
  21. "TITLE 1.81.5. California Consumer Privacy Act of 2018 [1798.100 - 1798.199.100]". California Legislative Information. Legislative Counsel Bureau. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5. Retrieved 21 August 2021.
  22. "California Consumer Privacy Act (CCPA)". Google Cloud. https://cloud.google.com/security/compliance/ccpa. Retrieved 21 August 2021.
  23. Guseyva, V. (18 September 2020). "Data residency laws by country: An overview". InCountry. https://incountry.com/blog/data-residency-laws-by-country-overview/. Retrieved 21 August 2021.
  24. "UK's Cloud Security Principles". Google Cloud. https://cloud.google.com/security/compliance/uk-ncsc. Retrieved 21 August 2021.
  25. "What is the Difference between FISMA and FedRAMP?". Palo Alto Networks. 2021. https://www.paloaltonetworks.com/cyberpedia/difference-between-fisma-and-fedramp. Retrieved 21 August 2021.
  26. "Google Cloud & the General Data Protection Regulation (GDPR)". Google Cloud. https://cloud.google.com/security/gdpr. Retrieved 21 August 2021.
  27. "BaFin Cloud Outsourcing Guidance". Google Cloud. https://cloud.google.com/security/compliance/bafin. Retrieved 21 August 2021.
  28. Office for Civil Rights (24 November 2020). "Guidance on HIPAA & Cloud Computing". Health Information Privacy. U.S. Department of Health & Human Services. https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html. Retrieved 21 August 2021.
  29. "Joint Statement: Security in a Cloud Computing Environment" (PDF). Federal Financial Institutions Examination Council. 30 April 2020. https://www.ffiec.gov/press/PDF/FFIEC_Cloud_Computing_Statement.pdf. Retrieved 21 August 2021.
  30. Ross, S.; Scott, K. (6 May 2020). "US bank regulators issue cloud computing security guidance". Financial Services: Regulation Tomorrow. Norton Rose Fulbright. https://www.regulationtomorrow.com/us/us-bank-regulators-issue-cloud-computing-security-guidance/. Retrieved 21 August 2021.
  31. "OMB Circular A-130, Managing Information as a Strategic Resource" (PDF). The White House. 28 July 2016. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf. Retrieved 21 August 2021.
  32. Coos, A. (30 April 2020). "All You Need to Know About Turkey's Personal Data Protection Law (KVKK)". Endpoint Protector Blog. https://www.endpointprotector.com/blog/everything-you-need-to-know-about-turkeys-personal-data-protection-law/. Retrieved 21 August 2021.
  33. Ersoy, E.C.; Karakaş, M. (19 June 2020). "Cloud Computing Technologies and Its Legal Dimension". Kılınç Law and Consulting. https://www.kilinclaw.com.tr/en/cloud-computing-technologies-and-its-legal-dimension/. Retrieved 21 August 2021.
  34. "The Protective Security Policy Framework". Australian Government. https://www.protectivesecurity.gov.au/. Retrieved 21 August 2021.
  35. Alpern, P. (10 February 2010). "Microsoft to Congress: Time For New Cloud Computing Laws". IndustryWeek. https://www.industryweek.com/innovation/article/21932894/microsoft-to-congress-time-for-new-cloud-computing-laws. Retrieved 21 August 2021.
  36. Levite, A.; Kalwani, G. (9 November 2020). "Cloud Governance Challenges: A Survey of Policy and Regulatory Issues". Carnegie Endowment for International Peace. https://carnegieendowment.org/2020/11/09/cloud-governance-challenges-survey-of-policy-and-regulatory-issues-pub-83124. Retrieved 21 August 2021.
  37. Ali, O.; Osmanaj, V. (2020). "The role of government regulations in the adoption of cloud computing: A case study of local government". Computer Law & Security Review 36: 105396. doi:10.1016/j.clsr.2020.105396.
  38. Maurer, T.; Hinck, G. (31 August 2020). "Cloud Security: A Primer for Policymakers". Carnegie Endowment for International Peace. https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597. Retrieved 21 August 2021.
  39. Mitnick, D. (10 April 2018). "No more waiting: It's time for a federal data breach law in the U.S.". Access Now Blog. Access Now. https://www.accessnow.org/no-more-waiting-its-time-for-a-federal-data-breach-law-in-the-u-s/. Retrieved 21 August 2021.
  40. "Security Breach Notification Laws". National Conference of State Legislatures. 17 July 2020. https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. Retrieved 21 August 2021.
  41. Brandom, R. (2 September 2020). "Trump's TikTok deal has hit a serious roadblock". The Verge. https://www.theverge.com/2020/9/2/21418496/tiktok-for-you-page-algorithm-deal-us-china-trump-microsoft. Retrieved 21 August 2021.
  42. Cox, K. (10 February 2021). "Oracle's TikTok acquisition reportedly "shelved" indefinitely". Ars Technica. https://arstechnica.com/tech-policy/2021/02/oracles-tiktok-acquisition-reportedly-shelved-indefinitely/. Retrieved 21 August 2021.
  43. Eustice, J.C. (2018). "Understand the intersection between data privacy laws and cloud computing". Legal Technology, Products, and Services. Thomson Reuters. https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing. Retrieved 21 August 2021.