on 22-Feb-2017 03:00
The relationship between government and cloud security is surprisingly hands-off. Current regulations already extend their umbrellas over our data in flight and at rest regardless of whose IaaS/SaaS you're using. For us traditional enterprise administrators, the regulations are established and we follow them because we're all perfect and deserve raises. But "the cloud" has introduced developers and application admins releasing services to the general public with great haste, sometimes without the checks and balances needed for compliance. The results are mixed. The increasingly popular scan-all-the-things method of finding vulnerable systems is weeding out quite a few unprotected cloud-connected data sets. Even the smallest vendor needs to validate its compliance requirements and implement them at the same pace it's shipping publicly available applications.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) completed its phased enforcement of security requirements for protected health information (PHI) in 2006. HIPAA includes policies ranging from access control and auditing to intrusion prevention and alerting, data validation, authentication practices, and risk analysis and remediation plans (and a host of other things we admins don't care as much about). One point that matters for cloud: a provider that stores or processes PHI on behalf of a covered entity is a "business associate" under HIPAA and is expected to sign a business associate agreement and carry the same safeguards. We know we're getting compliance wrong because, as of January 31st, 2017, the Office for Civil Rights had received 148,292 complaints of violation since 2003 (complaint != violation). 2017 will see more and more companies deploying cloud services that start to gray the area between basic PII and PHI. Think Strava recording your epic bike ride or your Garmin tracking your last run: both store data about you and how it relates to your physical condition. What's more interesting to investigate is what rights you have to your last bike ride's information. Can it be sold with only basic de-identification? The boundary between PHI and PII is blurring because of our desire to connect ourselves, so expect a lot of angry people when an insurance provider is found denying a claim based on "acquired" Fitbit data.
Thanks, Enron (and Tyco/WorldCom), for getting the Sarbanes-Oxley Act of 2002 (SOX) thrust onto all publicly traded companies. SOX regulates financial practices and corporate governance, divided into 11 titles, most of which enforce basic ethics we apparently take for granted. Section 802 is a whole different InfoSec ball game, regulating data retention, classification, and record keeping to ensure the shredder doesn't get used too much. And the cloud has made complying with 802's requirements much. Data governance tools, DLP, and enhanced record-keeping tools are being introduced into all of our favorite cloud apps, from Office 365 to Slack. It's assumed SOX will be a requirement for many cloud applications, so the needed technologies should exist out of the gate.
The Federal Information Processing Standards (FIPS) set the standards for computer systems used by non-military federal agencies and their contractors. Most people are familiar with FIPS 140-2: Security Requirements for Cryptographic Modules because it's so cool and interesting. FIPS 200: Minimum Security Requirements for Federal Information and Information Systems will become more prevalent as federal agencies are encouraged/forced to use authorized cloud resources to migrate off existing internal government IT disasters and deprecated systems. The massive failure at the Office of Personnel Management and the years-long blame game still underway are making private cloud resources more attractive to existing government entities. FIPS 200, and the NIST SP 800-53 control catalog it points to (applied to cloud services in practice through FedRAMP authorization), will play a vital role for those IaaS/SaaS providers that want to receive federal dollars. It's going to happen; it's already happening. Maybe we can stop being embarrassed by the federal fire hose of data breaches.
The Family Educational Rights and Privacy Act (FERPA) is not well known to those of us outside educational services, but your child's data is just as important as your PHI. Specifically targeted at protecting student records, FERPA puts control over and consent for a student's data in the hands of the parent/guardian (or the student, once they turn 18 or enter post-secondary education). However, the infrastructure responsible for handling that data is sometimes the same system Ferris Bueller hacked into to change his absence count. Like the federal agencies above, educational providers are migrating to the cloud in lieu of massive IT budget shortfalls for upgrading existing infrastructure. Cloud providers willing to slap a FERPA compliance sticker on their service are few and far between. Given the coverage provided by other regulations, there shouldn't be too much adjusting for cloud providers new to the educational market.
You want to do business with any European Union corporation? You want to build an office in any of those countries? Unless you want to spend the next 100 years working with different data privacy laws enacted by disparate governments, join the EU-US Privacy Shield program. When an org joins the EU-US Privacy Shield it self-certifies with the Department of Commerce and commits to the existing and future framework requirements. This has massive impact on the larger providers and services living in those geo-located clouds. You essentially become an international data steward who agrees to abide by a larger set of protections than the one defined for U.S. citizens. It's a good thing. That's what they tell me.
The Directive on security of network and information systems (EU NIS Directive) was adopted July 6th, 2016 to set a minimum baseline for network and information security across the European Union's member states, each of which must transpose it into national law (the deadline was May 2018). The aim was to strengthen the "weakest link": member states with poor infrastructure policies and practices that could be penetrated by nearby nation states. The directive was created in response to growing shady nation-state cyber practices worrying existing Western-bloc EU members. 2017 will test the strength of these policies and their violation penalties. Existing cloud providers shouldn't assume it passes them by: the Directive's "digital service provider" category explicitly names cloud computing services alongside online marketplaces and online search engines, and puts security and incident-notification obligations on them. For the increasingly talented developer pool in the eastern EU, this may still be new and a potential stumbling block. Much as new developers in the U.S. screw up their PCI DSS compliance, language barriers and unfamiliar InfoSec requirements may be stumbling blocks exposing private EU citizen data.
This is just a summary of some of the regulations that will have more-than-normal impact on the next generation of IaaS/SaaS providers and their clients in the coming months. It's apparent from the too-numerous-to-name breaches that our data isn't secure, and the more we use the cloud in our personal lives, the more we're willing to expose. For enterprises, though, the alarm is less needed, as we're already seasoned in regulations and how to protect our data. Balancing the agile world of DevOps does threaten stable security practices, but your InfoSec team should make you well aware before the feds come a-knockin'.