Compliance Considerations for Cloud Services

February 3, 2023 | 8 minute read

As organizations continue to move to the cloud, they need to account for the compliance impact of running sensitive workloads there. This blog post is intended to help organizations incorporate relevant compliance considerations into their strategy for cloud service adoption.

Seeking the Benefits of the Cloud

Organizations continue to migrate business-critical applications and workloads to the cloud. The benefits are compelling: leveraging the cloud lets organizations focus on their core mission in a cost-effective and flexible manner. In the traditional on-premises world, organizations need to make significant capital investments, operating data centers with hardware they have purchased, all supported by a potentially large technical staff. In this on-premises realm, new business initiatives or business growth are often hindered by the need for additional investment in IT infrastructure and the difficulty of recruiting and retaining technical staff. Under the cloud model, the cloud service provider buys the hardware, pays for the data center, hires technical staff and manages the cloud service. Cloud users gain great business flexibility, paying only for the resources they need and consume. Under the cloud model, organizations still “own” their data, while leveraging the expertise, economies of scale, technical flexibility and scalability offered by the cloud service provider.

Understanding Compliance Objectives

Moving to the cloud implies not only moving data to cloud services, but also often requires adapting existing business processes. Organizations need not only to assess the compliance implications of allowing their data to be hosted by a third party (the cloud provider), but also to determine whether their existing policies and procedures remain suitable when operating in the cloud (for example, organizations need proper procedures for onboarding their cloud service users).

It is important to keep in mind that compliance objectives may derive from internal governance objectives such as directives from executive management or the legal department, from commitments made to customers, and from external sources such as regulatory and industry requirements, whose applicability depends on several factors (organization location, customer location, industry, and type of data processed). A frequently changing regulatory landscape only adds to the complexity.

Organizations must always consider how to incorporate their compliance objectives into their technology and processes when using any application or system, whether it is actively managed by the cloud user or by the cloud provider. Operational practices need to align with relevant objectives, policies and standards, such as:

  • Managing access to systems, data and applications
  • Educating personnel about security and privacy requirements and practices
  • Controlling how data is collected, used, stored, shared and retired

Evaluating Oracle Cloud Services

Before moving production workloads onto Oracle cloud services, Oracle strongly recommends that customers formally analyze their cloud strategy to determine the suitability of operating in the cloud in light of their compliance objectives. Making this determination is solely the responsibility of the customer, because only the customer can assess which compliance obligations apply to it, and most compliance obligations affect not only technical practices but also business procedures.

Oracle cloud security policies and practices are described in standard agreements which govern the delivery of cloud services. To find out more about Oracle contracts and policies, customers can consult the Hosting and Delivery Policies, Service Descriptions, and Contracts and Data Processing Agreement available on the Oracle web site.

For a more operational perspective, customers can look into Oracle’s corporate security practices. The corporate security practices site provides detailed information on topics such as governance and policy, software security assurance, physical security, information and asset classification, access control, data protection, business continuity and incident response.

The Cloud Security Alliance (CSA) has developed the Consensus Assessments Initiative Questionnaire (CAIQ) with the stated objective of delivering “an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency.” Oracle believes that such standard questionnaires can help customers make informed decisions about the suitability of cloud services in compliance contexts. A CAIQ consists of 300 security assessment questions based on the set of controls defined in the CSA Cloud Controls Matrix (CCM). Oracle has completed and published CAIQs for a number of Oracle cloud services at https://www.oracle.com/corporate/security-practices/cloud/.

Leveraging Third Party Assessments of Oracle Cloud Services

Many Oracle cloud services undergo third-party assessments against a variety of common compliance frameworks, including System and Organization Controls (SOC) controls defined by the American Institute of Certified Public Accountants (AICPA), and several information security and data privacy standards defined by the International Organization for Standardization (ISO).

Oracle publishes, in the form of “attestations,” information about the frameworks for which an Oracle line of business has achieved a third-party attestation or certification for one or more of its services. In reviewing these third-party attestations, customers should keep in mind that an assessment is generally specific to a particular cloud service and may also be specific to a particular data center or geographic region, so the scope of an attestation should be checked against the service and region a customer actually intends to use. These attestations are published at https://www.oracle.com/corporate/cloud-compliance/.

Additionally, Oracle provides general information and technical recommendations for the use of its cloud services in the form of “advisories.” Even if a particular compliance framework is not listed as a current “attestation,” customers can use CAIQs or Oracle’s compliance advisories to understand how common security and privacy controls are implemented for the relevant cloud services and to determine the suitability of using an Oracle cloud service in a compliance context.

Assessing Organizational Compliance Posture in the Cloud

Oracle recommends that organizations formally assess their compliance objectives in light of their cloud transition. This at a minimum requires that organizations:

  1. Understand what types of data they collect and process and where this data is stored.
  2. Identify their compliance objectives from all relevant sources, both internal and external.
  3. Define and promote awareness of policies (what to do, what not to do) and standards (how to operate) supporting those objectives.
  4. Learn how standard industry questionnaires such as the Consensus Assessments Initiative Questionnaire can accelerate the evaluation of cloud service providers by providing a common lexicon and points of comparison.
  5. Understand Oracle’s corporate security practices and commitments for cloud services.
  6. Select appropriate cloud services and data hosting locations per their compliance objectives and available Oracle cloud service attestations.
  7. Configure their cloud services according to their policies and standards.
  8. Maintain their objectives, policies, standards and technical controls to reflect possible changes in compliance objectives.


Nancy Kramer

Nancy Kramer has over 20 years of experience managing risk, security, privacy, audit and compliance for complex business processes and computing environments. Nancy advises Legal and other teams making decisions about information security policy, customer commitments and obligation management. She also manages programs which seek to educate personnel and customers about Oracle's security and compliance posture in the Oracle Trust Center (oracle.com/trust). She offers actionable guidance to customers in blogs and webinars.

