Step-by-step guide to defining policies for cloud compliance

The promises of the cloud include better collaboration, easier off-campus access to information, and reduced IT cost and complexity. But there are trade-offs. When a company’s data resides in the cloud, it gives up some ownership and control of that data.

What’s more, that lack of ownership and control doesn’t change your security team’s mission: to protect all the company’s information assets—no matter where they reside—and ensure compliance.

Compliance in the cloud

Compliance can mean a lot of different things, depending on your business function or what kinds of internal or external regulations directly impact your work. External compliance requirements -- those dictated by governments, organizations, and industries -- primarily focus on privacy. Two examples include:

• Health Insurance Portability and Accountability Act (HIPAA): governs the handling of sensitive patient information
• Payment Card Industry’s PCI DSS standard: governs storage, processing, and handling of credit card information

Internal compliance focuses on protecting valuable organizational data like intellectual property, strategic plans, and business records.

Developing compliance policies

Compliance programs are rooted in managing the interactions of people, data, and critical IP while adhering to federal and state regulations and laws. An increasingly critical component of the business landscape, compliance programs are also challenging to establish and maintain.

Policies form the cornerstone of an organization’s compliance and security program, but developing good policies takes time. The first step to developing compliance policies is to create classifications for data, users, and applications to define interactions. Before classifications can be developed, you must determine the relative value of each asset to the organization. 

Data Classifications – What classifications of data will you allow to be created, manipulated, and stored in the cloud? Who may access data in each classification, and under what circumstances?

1. Establish data classifications that map to organizational impact.
2. Establish data types that map to functional utilization such as sales reports and marketing artifacts.
3. Establish a matrix of classification types and determine eligibility of each element for use in a cloud setting, along with any required safeguards that inform eligibility, e.g., the absence of public file sharing.
4. Determine authorized users of the data and permissible actions, such as access, delete, and storage constraints by time, date, geography, and device.
5. Determine response and remediation to actions inconsistent with policies created.
6. If theft, destruction, or corruption of data in a classification represents risk to maintaining compliance, establish safeguards to evaluate and make a final determination of the risk/reward of that data classification residing in the cloud.

User Classifications – What specific actions can a user perform—such as create, share, and modify—with certain types of data, and under what circumstances?

1. Establish group and user classifications that map to authorized data use.
2. Establish acceptable usage parameters for each user and data matrix element considering action (e.g., create and delete), geography, chronology, and device (including device characteristics).
3. Determine policy exceptions based on organizational needs such as business travel, specific roles, and individuals.
4. Identify user behavior that may indicate either unintentional risky behavior or potentially malicious activity and determine the triggers and responses that correspond to risk levels using an “If-Then” rubric.

Application Classifications – What cloud apps will you allow, and how will you apply data policies to their use?

1. Clearly identify what constitutes a user application, in contrast to a passive website.
2. Establish acceptable application risk metrics based on regulatory requirements, industry certifications, and internal benchmarks. Pay attention to data manipulation capabilities like sharing, auditing, and change control over actions like deletion.
3. Establish acceptable usage parameters for each user application matrix element that considers type of application, geography, chronology, device, and device characteristics.
4. Establish acceptable simultaneous use of applications with additional considerations for corporate and personal accounts.
5. Establish application approval policies for new applications, including the classes of applications that will NOT require approval.
6. Determine response and remediation to actions inconsistent with created policies.

Getting these policies right from the beginning takes time and resources, but it’s a necessary investment. Without them, you risk exposing your critical information and facing the negative consequences of failing a compliance audit. For more information on cloud security and compliance, watch our webcast Mastering Policy Setting and Control in the Cloud.