×

Get our experts advice in handling data security issues on the Cloud.

Click Here


    Compliance and Regulations on Cloud

    Blog Post - Compliance and Regulations on Cloud
    28 Nov 2020

    Cloud Security Compliance Standards – PCI DSS and GDPR

    Read time: 04 minutes 22 seconds

    Customers and Cloud Service Provider (CSP) share the responsibility of security and compliance. Thus, the organization would have the freedom to have architect their security and compliance needs, according to the services they utilize from the CSP and the services they intend to achieve. CSP has the responsibility to provide services securely and to provide physical security of the cloud. If, however, a customer opts for Software-as-a-service, then the CSP provides standard compliance. Still, the organization has to check if it meets its regulations and compliance levels to strive to achieve. All Cloud services (such ad different forms of databases) are not created equal. Policies and procedures should be agreed upon between CSP and client for all security requirements and operations responsibility.

    Let’s dive into particular compliance and regulations maintained within the industry.

    PCI DSS on Cloud

    Payment Card Industry Data Security Standards (PCI DSS) is a set of security standards formed in 2004 to secure credit and debit card transactions against data theft and fraud. PCI DSS is a set of compliance, which is a requirement for any business.

    Let’s suppose payment card data is stored, processed, or transmitted to a cloud environment. In that case, PCI DSS will apply to that environment and will involve validation of CSP’s infrastructure and the client’s usage of that environment.

    PCI DSS Requirement Responsibility assignment for management of controls
    IaaS PaaS SaaS
    Install and maintain a firewall configuration to protect cardholder data Client and CSP Client and CSP CSP
    Do not use vendor-supplied default for system passwords and other security parameters Client and CSP Client and CSP CSP
    Protect stored cardholder data Client and CSP Client and CSP CSP
    Encrypt transmission of cardholder data across an open, public network Client Client and CSP CSP
    Use and regularly update anti-virus software or programs Client Client and CSP CSP
    Develop and maintain secure systems and applications Client and CSP Client and CSP Client and CSP
    Restrict access to cardholder data by business need to know Client and CSP Client and CSP Client and CSP
    Assign a unique ID to each person with computer access Client and CSP Client and CSP Client and CSP
    Restrict physical access to cardholder data CSP CSP CSP
    Track and monitor all access to network resources and cardholder data Client and CSP Client and CSP CSP
    Regularly test security systems and processes Client and CSP Client and CSP CSP
    Maintain a policy that addresses information security for all personnel Client and CSP Client and CSP Client and CSP

    GDPR

    General Data Protection Regulation (GDPR) is the core of Europe’s digital privacy legislation. “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information,” said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed in December 2015.
    GDPR applies to all companies, which collect and process EU resident’s data. Non-EU companies would need to appoint a GDPR representative and be held liable for all fines and sanctions.
    Critical Requirements of GDPR are:
    1. Lawful, fair, and transparent processing
    2. Limitation of purpose, data, and storage

      Collect only necessary information and discard any personal information after processing is complete

    3. Data subject rights

      A customer can ask what data an organization has on them and the intended use of the data.

    4. Consent

      Organizations must ask for the consent of the customer if personal data is processed beyond legitimate purposes. The customer can also remove consent anytime they wish.

    5. Personal data breaches

      Based on the severity and regulatory, the customer must be informed within 72 hours of identifying the breach.

    6. Privacy by Design

      Organizations should incorporate organizational and technical mechanisms to protect personal data in the design of new systems and processes

    7. Data Protection Impact Assessment

      Data Protection Impact Assessment should be conducted when initiating a new project, change, or product.

    8. Data transfers

      Organizations have to ensure personal data is protected and GDPR requirements are respected, even if a third party does it

    9. Data Protection Officer

      When there is significant personal data processing in an organization, the organization should assign a Data Protection Officer.

    10. Awareness and training

      Organizations must create awareness among employees about crucial GDPR requirements

    To achieve GDPR on the cloud, we need to take these additional steps
    1. Organizations should know the location where the data is stored and processed by CSP
    2. Organizations should know which CSP and cloud apps meet their security standards. Organizations should take adequate security measures to protect personal data from loss, alteration, and unauthorized processing.
    3. Organizations should have a data processing agreement with CSP and cloud apps they shall be using.
    4. Organizations should only collect necessary data that it would need and should limit the processing of personal data any further.
    5. Organizations should ensure that data processing agreement is respected, and personal data is not used for other purposes by CSP or cloud apps.
    6. Organizations should be able to erase data at will from all data sources in CSP.

    Conclusion

    Regulations and Compliances depend on the country organizations operate in. It is essential to research CSP and the regulations and compliance they are following. You can find more information about the CSPs on their respective websites:
    If an organization fails to abide by the set of regulations applicable in the country or region. In that case, they may face fines and may lose the ability to operate in that country.

    Want to learn from PKI Experts

    We train some of the biggest names in the industry through virtual & Live Classes

    Get a Free Quote for your Encryption security

    Free Downloads for Azure Assessment