Difference between revisions of "User:Shawndouglas/sandbox/sublevel45"

From LIMSWiki
In December 2019, [[software as a service]] (SaaS) cannabis software firm THSuite was discovered to have inadvertently left an Amazon Web Services (AWS) S3 bucket unsecured and unencrypted, exposing the personal details of tens of thousands of medical and recreational cannabis users associated with three dispensary clients in the U.S. Given that protected health information (PHI) was included in the exposed data, serious privacy concerns and legal repercussions were raised in the aftermath of this security failure.<ref name="MuncasterData20">{{cite web |url=https://www.infosecurity-magazine.com/news/data-30000-cannabis-users-exposed/ |title=Data on 30,000 Cannabis Users Exposed in Cloud Leak |author=Muncaster, P. |work=Infosecurity |date=23 January 2020 |accessdate=21 August 2021}}</ref><ref name="TrendmicroUnsec20">{{cite web |url=https://www.trendmicro.com/vinfo/dk/security/news/virtualization-and-cloud/unsecured-aws-s3-bucket-found-leaking-data-of-over-30k-cannabis-dispensary-customers |title=Unsecured AWS S3 Bucket Found Leaking Data of Over 30K Cannabis Dispensary Customers |publisher=Trend Micro, Inc |date=27 January 2020 |accessdate=21 August 2021}}</ref> Today, this inadvertent security failure illustrates the shared responsibility model (occasionally referred to as the "shared security model"), a security model that clarifies which elements of security are the responsibility of the customer and which are the responsibility of the cloud service provider (CSP).
"The public cloud services market has more than doubled since 2016," found International Data Corporation (IDC) in 2020, noting that "the worldwide public cloud services market, including [[infrastructure as a service]] (IaaS), [[platform as a service]] (PaaS), and software as a service (SaaS), grew 26.0% year over year in 2019, with revenues totaling $233.4 billion."<ref name="IDCWorldwide20">{{cite web |url=https://www.idc.com/getdoc.jsp?containerId=prUS46780320 |title=Worldwide Public Cloud Services Market Totaled $233.4 Billion in 2019 with the Top 5 Providers Capturing More Than One Third of the Total, According to IDC |author=International Data Corporation |publisher=International Data Corporation |date=18 August 2020 |accessdate=21 August 2021}}</ref> In November 2020, Gartner predicted global public cloud computing spend would increase more than 18 percent in 2021, with PaaS growth leading the way due to remote workers needing more powerful, scalable infrastructure to complete their work.<ref name="GartnerForecast20">{{cite web |url=https://www.gartner.com/en/newsroom/press-releases/2020-11-17-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-18-percent-in-2021 |title=Gartner Forecasts Worldwide Public Cloud End-User Spending to Grow 18% in 2021 |publisher=Gartner, Inc |date=17 November 2020 |accessdate=21 August 2021}}</ref> Gartner added that "survey data indicates that almost 70% of organizations using cloud services today plan to increase their cloud spending in the wake of the disruption caused by [[COVID-19]]."<ref name="GartnerForecast20" />


With its August 2010 update to the ''Amazon Web Services: Overview of Security Processes'' documentation, AWS added the concept of a "shared responsibility environment." To be sure, the concept of "shared responsibility" appeared before AWS began including it in its cloud security processes, as evidenced by 2004 New York State cybersecurity guidance<ref name="NYSCyber04">{{cite web |url=https://www.gc.cuny.edu/CUNY_GC/media/CUNY-Graduate-Center/PDF/Policies/IT/Cyber-Security-Dos-and-Don%E2%80%99ts.pdf?ext=.pdf |format=PDF |title=Cyber Security Dos and Don'ts |publisher=New York State Office of Information Technology and Services |date=12 December 2004 |accessdate=21 August 2021}}</ref> and a 2004 Northwestern University IT protocol for data sharing.<ref name="NUProtocol04">{{cite web |url=https://www.it.northwestern.edu/bin/docs/ExchangeSharedResponsibilityData.pdf |format=PDF |title=Protocol for Exchange and Shared Responsibility for Institutional Data |publisher=Northwestern University |date=15 August 2004 |accessdate=21 August 2021}}</ref> However, among cloud providers, Amazon arguably brought the concept fully into the world of cloud computing. In its 2010 documentation, AWS described its shared responsibility environment as follows<ref name="AWSAmazonWeb10">{{cite web |url=http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf |archiveurl=https://web.archive.org/web/20100823123605/http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf |format=PDF |title=Amazon Web Services: Overview of Security Processes |author=Amazon Web Services |publisher=Amazon Web Services |date=August 2010 |archivedate=23 August 2010 |accessdate=21 August 2021}}</ref>:
These statistics highlight organizations' continued transition to, and investment in, the public cloud, and recent surveys of IT professionals appear to find a matching increase in confidence in the public cloud.<ref name="PRNNewRes21">{{cite web |url=https://www.prnewswire.com/news-releases/new-research-reveals-it-professionals-growing-confidence-in-public-cloud-despite-security-concerns-301208046.html |title=New research reveals IT professionals' growing confidence in public cloud despite security concerns |author=Barracuda Networks, Inc |work=PR Newswire |publisher=Cision |date=14 January 2021 |accessdate=21 August 2021}}</ref> But as reliance on the public cloud continues to grow, organizations inevitably discover new security and networking challenges, including difficulties keeping services seamlessly available and scalable, and network costs affordable, while limiting increases in complexity<ref name="PRNNewRes21" />; that added complexity in turn makes security more difficult.<ref name="BocettaProblem19">{{cite web |url=https://www.networkcomputing.com/network-security/problem-complex-networks-getting-harder-secure |title=Problem: Complex Networks Getting Harder to Secure |author=Bocetta, S. |work=Network Computing |date=09 July 2019 |accessdate=21 August 2021}}</ref>


<blockquote>An example of this shared responsibility would be that a customer utilizing Amazon EC2 should expect AWS to operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. In this case the customer should assume responsibility and management of, but not limited to, the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services and their integration. It is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of items such as host based firewalls, host based intrusion detection/prevention, encryption and key management.</blockquote>
As of April 2021, the bulk of public cloud market share is represented by 10 companies: Alibaba, Amazon, DigitalOcean, Google, IBM, Linode, Microsoft, Oracle, OVH, and Tencent. From a security perspective, we have to ask at a minimum four questions about these companies:


This statement has since evolved into a full-blown shared responsibility model that AWS not only includes today as an integral component of security-related agreements with clients, but that other public cloud service providers have also adopted (see the next subsection for examples). Continuing to use AWS as an example, a clear shared security responsibility model differentiates "security ''of'' the cloud" from "security ''in'' the cloud."<ref name="AWSSharedRespon21">{{cite web |url=https://aws.amazon.com/compliance/shared-responsibility-model/?ref=wellarchitected |title=Shared Responsibility Model |author=Amazon Web Services |publisher=Amazon Web Services |date=2021 |accessdate=21 August 2021}}</ref> According to AWS, security of the cloud means AWS is responsible for the "hardware, software, networking, and facilities that run AWS Cloud services." Security in the cloud covers the customer's responsibilities, which depend on the services selected and include client-side data encryption and data integrity authentication, firewall configuration, and platform and application identity and access management. In this way, operating the IT environment is shared in a clearly delineated fashion. Similarly, management, operation, and verification of IT controls are also shared: the physical and environmental controls are the responsibility of AWS, customer-specific security controls are the responsibility of the customer, and some controls are shared between AWS and the customer.<ref name="AWSSharedRespon21" />
* What are their compliance offerings?
* Where is their SOC 2 audit report?
* What is their shared responsibility model?
* What is their architecture framework based upon?


The concept of shared responsibility between a provider and a customer has woven its way into the fabric of most cloud-based services, from SaaS to multicloud. A trusted CSP will make this responsibility clear at every step of the way, from early contract discussions to late-stage changes to customer services. However, pressure also remains solidly on the organization seeking cloud services—including the organization’s legal counsel—when making decisions about contracting for cloud computing services. This includes understanding aspects of consent, security requirements, reporting requirements, and enforcement mechanisms of any laws and regulations in the organization’s operating governing entity (e.g., state, country, political and economic union), as well as in other external governing entities where related data may inevitably be transferred, stored, and managed.<ref name="EusticeUnder18">{{cite web |url=https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing |title=Understand the intersection between data privacy laws and cloud computing |author=Eustice, J.C. |work=Legal Technology, Products, and Services |publisher=Thomson Reuters |date=2018 |accessdate=21 August 2021}}</ref> And, by extension, the organization will need to verify the provider is able to comply with—and provide mechanisms to help the organization comply with—those laws and regulations. This is typically done by examining the CSP's documented compliance certifications, attestations, alignments, and frameworks (see the next subsection for examples). These include System and Organization Controls (SOC) 1, 2, and 3 reports (which provide independent third-party assurance about the effectiveness of a CSP's security controls)<ref name="MealusTheSOC18">{{cite web |url=https://medium.com/@paulmealus/the-soc-2-report-explained-for-normal-people-50b4626d6c96 |title=The SOC 2 Report Explained for Normal People |author=Mealus, P. |work=Medium |date=19 December 2018 |accessdate=21 August 2021}}</ref>, Federal Risk and Authorization Management Plan (FedRAMP) compliance<ref name="ETSIAbout">{{cite web |url=https://www.etsi.org/about |title=About ETSI |publisher=European Telecommunications Standards Institute |accessdate=21 August 2021}}</ref>, Coalition of Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct compliance<ref name="AWSCISPE">{{cite web |url=https://aws.amazon.com/compliance/cispe/ |title=CISPE |publisher=Amazon Web Services |accessdate=21 August 2021}}</ref>, and more.
In this context, compliance offerings are the documented compliance certifications, attestations, alignments, and frameworks a public CSP presents as part of its effort to maintain security and compliance for its cloud services. Each of the seven public CSPs has a landing page introducing customers to those compliance offerings (Table 5), though some vendors' pages are more clearly organized than others. Each offering then links off to another page, document, or related certificate explaining compliance. In particular, the SOC 2 audit report should be reviewed, though most providers require you to be a customer or to inquire with their sales department to obtain it. The SOC 2 audit results cover nearly 200 aspects of a CSP's security, as audited by an independent third party, providing the closest look one can get at a CSP's ability to assist with regulatory compliance (more on this in Chapter 4).<ref name="HemmerTrust19">{{cite web |url=https://linfordco.com/blog/trust-services-critieria-principles-soc-2/ |title=Trust Services Criteria (formerly Principles) for SOC 2 in 2019 |author=Hemer, N. |work=Linford & Company IT Audit & Compliance Blog |publisher=Linford and Co. LLP |date=18 December 2019 |accessdate=21 August 2021}}</ref><ref name="TillerIsThe19">{{cite web |url=https://storage.pardot.com/468401/1614781936jHqdU6H6/Whitepaper_Is_the_cloud_a_safe_place_for_your_data.pdf |format=PDF |title=Is the Cloud a Safe Place for Your Data?: How Life Science Organizations Can Ensure Integrity and Security in a SaaS Environment |author=Tiller, D. |publisher=IDBS |date=2019 |accessdate=21 August 2021}}</ref> As previously discussed, a shared responsibility (or shared security) model is the common approach to clarifying who is responsible for which portions of security, and each CSP has indicated somewhere what that model is. (In the case of Tencent, it is unfortunately buried in a 2019 white paper.)
Public CSPs also provide some sort of "architecture framework," though this varies from provider to provider. For example, AWS and Google Cloud provide a framework that allows customers to stably and efficiently deploy in the cloud based on both best practices and the organization's unique requirements. Linode, Oracle, and Tencent don't seem to offer this type of framework for customers but still discuss their overall cloud architecture in a broad manner. See Table 5 for links to these four security research aspects for each public CSP.


The next subsections examine public cloud, hybrid cloud, multicloud, SaaS, and other cloud services in relation to cloud security, providing examples of major CSPs in those arenas.
{|
| STYLE="vertical-align:top;"|
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="60%"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="5"|'''Table 5.''' Public cloud providers and their compliance offerings, SOC 2 report, shared responsibility model, and architecture framework
|-
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Company and offering
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Compliance offerings
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|SOC 2 report
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Shared responsibility model
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Architecture framework
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Alibaba Cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/trust-center/resources Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/trust-center/compliance-repository Link] (Must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/solutions/security Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/architecture/index Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Amazon Web Services
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/compliance/programs/ Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/compliance/soc-faqs/ Link] (Must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/compliance/shared-responsibility-model/ Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/blogs/apn/the-5-pillars-of-the-aws-well-architected-framework/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|DigitalOcean
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.digitalocean.com/trust/ Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.digitalocean.com/trust/certification-reports/ Link] (Must email company to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.digitalocean.com/trust/faq/ Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.digitalocean.com/products/platform/availability-matrix/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Google Cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/security/compliance/offerings Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/security/compliance/compliance-reports-manager Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/anthos/docs/concepts/gke-shared-responsibility Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/architecture/framework Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|IBM Cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ibm.com/cloud/compliance Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ibm.com/cloud/compliance/global Link] (Must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.ibm.com/docs/overview?topic=overview-shared-responsibilities Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ibm.com/cloud/architecture/architectures/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Linode
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.linode.com/legal-security/ Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown (Presumably must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.linode.com/legal-security/ Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.linode.com/global-infrastructure/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Microsoft Azure
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.microsoft.com/en-us/compliance/regulatory/offering-home Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_SOC_/_SSAE_16_Reports Link] (Must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.microsoft.com/en-us/azure/architecture/framework/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Oracle Cloud Infrastructure
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.oracle.com/cloud/cloud-infrastructure-compliance/ Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown (Presumably must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/security_overview.htm#Shared_Security_Model Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.oracle.com/cloud/architecture-and-regions/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|OVHcloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/overview/certification Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/overview/certification/soc Link] (Must be customer/contact sales or legal to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/legal/service-specific-terms Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/about/company/data-centers Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Tencent Cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://intl.cloud.tencent.com/services/compliance Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown (Presumably must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://main.qcloudimg.com/raw/ea77661307adc3825990e159d851d406.pdf Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://intl.cloud.tencent.com/global-infrastructure Link]
|-
|}
|}
 
Chapter 1 noted that for public cloud services, organizations tied to strong regulatory or security standards ... must thoroughly vet the cloud vendor and its approach to security and compliance, as the provider may not be able to meet regulatory needs. For example, a public CSP will allow you to enter into a HIPAA-compliant business associate agreement (BAA) with them, as required by the U.S. Department of Health & Human Services<ref name="HHSGuidance20">{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html |title=Guidance on HIPAA & Cloud Computing |author=Office for Civil Rights |work=Health Information Privacy |publisher=U.S. Department of Health & Human Services |date=24 November 2020 |accessdate=21 August 2021}}</ref>, but that does not mean you would be operating in a HIPAA-compliant fashion. If your organization is handling PHI protected by HIPAA, that organization is still responsible for having internal compliance programs and documented processes that support HIPAA, while also using the CSP's services in ways that align with HIPAA.<ref name="MSHealthHIPAA21">{{cite web |url=https://docs.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech |title=Health Insurance Portability and Accountability (HIPAA) & HITECH Acts |work=Microsoft Documentation |publisher=Microsoft |date=17 February 2021 |accessdate=21 August 2021}}</ref><ref name="DashNav20">{{cite web |url=https://www.dashsdk.com/hipaa-compliant-cloud/ |title=Navigating HIPAA Compliant Cloud Solutions |publisher=Dash |date=2020 |accessdate=21 August 2021}}</ref> That includes ensuring that the services your organization will use are indeed in scope for HIPAA and other such regulations; not all services offered by a CSP are in scope for a specific regulation. The BAA should make clear which services are covered for handling PHI and other sensitive or critical information.
Additionally, your organization will still need to ensure the correct technical security controls are implemented to ensure compliance.<ref name="DashNav20" /> Remember, you're working under the shared responsibility model.
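The THSuite leak described earlier on this page sat entirely on the customer's side of that split: a bucket left open and unencrypted is "security in the cloud," not "security of the cloud," and it is exactly the kind of technical control an organization must be able to show evidence for under a BAA. The following Python script is an added example (not taken from the wiki page, from AWS, or from any vendor tool) that audits four customer-owned S3 bucket controls offline: the public access block, the bucket ACL, the bucket policy, and default server-side encryption. The input dictionaries follow the response shapes of the real S3 API calls GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy and GetBucketEncryption (boto3 exposes them under the same names in snake case); the bucket name, account ID, key ID and both bucket configurations below are constructed for illustration.

```python
"""Offline audit of customer-side S3 controls ("security in the cloud").

Added example; not from the wiki page, AWS, or any vendor tool. Inputs use the
response shapes of GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy and
GetBucketEncryption; all sample values below are constructed.
"""
import json
from typing import Any

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal: Any) -> bool:
    """True for the anonymous principals '*' and {'AWS': '*'} (or a list containing '*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket(name, public_access_block, acl, policy, encryption):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []

    # 1. Public access block: all four flags should be enabled.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"{name}: public access block flag {flag} is disabled")

    # 2. Bucket ACL: no grants to the AllUsers or AuthenticatedUsers groups.
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {grantee['URI']}")

    # 3. Bucket policy: no Allow statement with a wildcard principal.
    # GetBucketPolicy returns the document as a JSON string; a parsed dict is accepted too.
    if policy:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):  # a lone statement may appear without a list
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
                findings.append(f"{name}: bucket policy allows {stmt.get('Action')} to any principal")

    # 4. Default encryption: at least one server-side encryption rule must exist.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in rule for rule in rules):
        findings.append(f"{name}: no default server-side encryption rule configured")

    return findings


# Constructed sample: the kind of configuration behind an "unsecured and unencrypted" bucket.
LEAKY_BUCKET = {
    "name": "dispensary-records-example",
    "public_access_block": {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}},
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::dispensary-records-example/*"}]}),
    "encryption": None,  # GetBucketEncryption returned no configuration for this bucket
}

# Constructed sample: the same bucket with the customer-side controls in place.
HARDENED_BUCKET = {
    "name": "dispensary-records-example",
    "public_access_block": {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}},
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                        "Permission": "FULL_CONTROL"}]},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/DispensaryAppRole"},  # placeholder account
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::dispensary-records-example/*"}]},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "KMS-KEY-ID-PLACEHOLDER"}}]}},
}


def audit_samples():
    """Audit both constructed buckets and return {label: findings}."""
    return {"leaky": audit_bucket(**LEAKY_BUCKET), "hardened": audit_bucket(**HARDENED_BUCKET)}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run as a script, it lists seven findings for the constructed leaky bucket (four disabled public access block flags, the AllUsers ACL grant, the wildcard-principal policy, and the missing encryption rule) and none for the hardened one. To apply it to real buckets, pass `audit_bucket` the four API responses for each bucket in the account, using `None` where a call reports that no configuration exists; the findings map directly onto the customer-side items AWS lists under security in the cloud, so they double as evidence for a HIPAA compliance program.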


==References==
{{Reflist|colwidth=30em}}

Revision as of 19:02, 21 August 2021
