How Cloud Provider Compliance Affects Your Application Compliance

Cloud is evolving fast and already becoming a significant part of the software ecosystems. With this growth, becoming compliant on standards such as ISO, PCI-DSS, HIPPA, builds confidence for you to trust the cloud in terms of security. But have you ever wondered whether it could help your applications running in the cloud to become compliant as well? This article will help you to understand cloud compliance and how it could potentially benefit your applications to become compliant for international standards. Since compliance is a broader topic, I will be using as an example to demonstrate the details of this topic. PCI-DSS The Meaning of Cloud Provider Compliance If you look at all the leading cloud providers such as AWS and Azure, they maintain compliance with the highest international standards. Being compliant is a way of building trust with its consumers to give a sense of security and the quality of the services they deliver. In terms of the standard, cloud provider undergoes the process of compliance for the underlying infrastructure and the services they provide by the respective governing body. Before moving further, let me briefly explain the PCI-DSS if you haven’t heard about it already. The Payment Card Industry Data Security Standard (PCI-DSS) is a standard to make it safer to use credit cards online payments. Any app compliant with the standard assures that storing and transmitting credit card data happens securely adhering to the industry best practices. If we take PCI-DSS, for instance, both AWS and Azure comply with the highest level of . Having compliance reassures that the cloud platform is compliant in running large scale payment processing workloads. PCI secure software standard But does this mean that your application complies with PCI-DSS by default if it’s running on a cloud platform? Sadly the answer is a big NO!. Therefore, you are also responsible for managing your app compliance with PCI-DSS separately. Does it mean that any cloud provider having compliance for a particular standard is not useful for an application, to comply with the same standard? To answering this, let us look at how the cloud security model works. Cloud Security is a Shared Responsibility If you search about cloud security of any leading cloud provider, you will come across the sentence; it is a shared responsibility. Having shared responsibility means that the cloud provider is fully responsible for the underlying physical infrastructure, logical infrastructure (virtualization) and higher level services (e.g.; API Management, Identity Providers) and the cloud customers need to be responsible for the security of the application logic, how it uses cloud services following the recommended best practices. If we take PCI-DSS for instance if you transfer credit card data without using SSL to your server, or a higher level service like API management in the cloud without configuring SSL you have violated the standard best practices for securely transferring payment information. The cloud provider having PCI-DSS compliance doesn’t help here. Cloud Compliance and App Compliance The shared responsibility model also applies to your app compliance. Having your cloud provider compliant on a standard does help you in the journey of your app getting compliance. If we take PCI-DSS, for instance, you can rely on the cloud providers infrastructure and services to store, process, or transmit cardholder data. Since you need to manage your application’s PCI-DSS compliance certification separately, it will require to carry out additional testing to verify that your environment satisfies all PCS-DSS requirements as a part of the compliance certification process. It is essential to understand your responsibility here. The cloud provider does not directly store, transmit, or process any customer cardholder data (CHD). You are responsible for creating the cardholder data environment (CDE) using cloud infrastructure and services. The advantage here is since the cloud provider is compliant, your Qualified Security Assessor (QSA) can rely on cloud providers Attestation of Compliance (AOC) without further testing. Relying on the cloud provider’s compliance, AOC reduces the overhead for your application to become compliant by sharing some of the responsibilities with the cloud provider. Summary Cloud provider compliance doesn’t mean your application get hold of the same compliance by default. You need to handle your application compliance separately. However, cloud provider compliance will ease your applications journey to become compliant on international standards. Reducing the effort happens since we share some of the responsibilities of the cloud provider, especially when it comes to the infrastructure and the services they provide. You need to make sure you follow the best practices and use the cloud services securely and effectively. Also, it is essential to carefully evaluate which services that your cloud provider offers to comply with the standard your applications also need to meet. Some of this information you can find through your cloud providers compliance page. For example, refer and for more details. AWS Compliance Azure Compliance Benefits of cloud compliance are more relevant when you use higher level cloud services where some of them might not fully comply with the standard jeopardizing your applications journey towards compliance.