Compliance - On-premise system vs. Cloud system

What would be the key differences between On-premise system vs. Cloud system when it comes to meeting security compliance requirements?

For on-premise, it is simple. Perform the test. But what if data resides in cloud? I can think of two ways...
1) Obtain audit report and rely on auditor's opinion or,
2) Physically visit data centre and perform the audit.

Anyone has experience in doing compliance work for cloud-based systems? How did you ensure that the security requirements are met?

Find more posts tagged with

Comments

Essendon

Make sure you get your premise and premises right!

Some mobs I've worked with run scripts against systems and compare. Some have a person sit with them and run through the checklists one after the other. Just depends. I've worked with multiple auditors and they run either or both of the above two measures for their audits.

LeBroke

Short version:

1. Make sure your provider (i.e. AWS or Rackspace or whomever) has the certs you require. They will usually have PCI/SOC/ISO/etc reports somewhere on their site, or will provide them when asked. If they don't provide this, they likely don't have the certification you seek and you may have to move providers.
2. Provide their docs to the auditor.
3. This should satisfy their requirements regarding hardware, physical access, redundancy, and other physical-only reqs.

When doing the rest of the audit, it goes more or less the same as for on-premises infra.

* You need to enable a virtualized private network environment (i.e. VPC in AWS) so other customers do not have local network access to your infra.
* You still have your firewall rules (except they might be called security groups or something else), use them
* Change control and processes work the same way as on-prem. I.e. do you have a ticket for a change and is there an audit log of potentially unauthorized changes?
* Access controls in your cloud provider account are now in scope. This includes both UI/API access (i.e. AWS console) as well as what your individual instances can do (AWS IAM instance profiles).

--chris--

Came in to answer, see two excellent answers.

/exit

Clm

First make sure your auditor knows what th cloud is. Second download all the Certs and compliance memos from your cloud service provider Third return to First point. Fourth complete Audit like you would normally do just make sure you can translate requirements that would be normally on prem and into how they are implemented into your cloud

Severine

Compliance for on-premise includes some regulatory controls that most companies require to abide by and to meet these government and industry regulations, it is important that companies remain compliant and their data is in place, mostly if all the data is maintained in-house.

Whereas on the cloud, companies should ensure that the service provider is fulfilling the required regulatory mandates within their specific industry and the data of customers, employees, and partners are secure.