Compliance in the Cloud: How Frameworks Work

Need to comply with a regulation or other mandate that covers your business? There’s a framework for that. In this installment of our series on compliance, we’ll specifically explore frameworks for regulations where backup plays a critical role in achieving compliance. As we talked about in our previous installment, you may not see a specific reference to backup in a given regulation, but if you see references to retaining information and keeping it available, you can be pretty sure that backup is going to be involved – and that it’s going to turn up in the compliance frameworks that relate to that regulation. 

While it would be an exaggeration to say there are as many compliance frameworks as there are regulations with which to comply, it’s certainly true that a number of frameworks exist to address different regulatory requirements. Focusing on those that include backup as a means of achieving compliance, we offer this information to help you become more familiar with:

  • Backup-related regulatory expectations on your organization for SaaS applications like Google Workspace and Salesforce
  • Standards and controls that frameworks offer to meet those expectations
  • Characteristics to look for in cloud-to-cloud backup solutions

We’ll start with two general frameworks; each of these addresses backup as it might apply to any company for which information availability is a relevant regulatory issue.

Cloud Security Alliance’s Cloud Controls Matrix

As more companies move business applications and data off-premises, concerns have grown about ensuring compliance in the cloud. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides a framework of controls aligned to key security areas:

  • Control ID BCR-12 calls for backup and recovery measures to be incorporated as part of business continuity planning and tested accordingly for effectiveness.
  • Control ID GRM-12 speaks to establishing acceptable levels of risk in accordance with reasonable resolution time frames.
  • Control ID IPY-02 requires that data be available to customers and provided to them on request in an industry-standard format.

While only one of these refers directly to backup and recovery, the other two suggest that an appropriate backup solution will address both recovery time objectives (RTOs) and the ability to make data available on request.

COBIT (Control Objectives for Information and Related Technology)

COBIT is one of the most widely used frameworks for compliance. It identifies 34 information technology processes and more than 300 control objectives to aid in achieving compliance with the requirements of a broad range of regulations:

  • Control Objective DS 11 states that a proper strategy for backup and restoration should be implemented, including developing and testing of a recovery plan.
  • Control Objective DS 4 stresses the importance of minimizing the impact of any disruption on business operations and provides guidance for activities such as backup recovery.

COBIT’s emphasis on recovery points to the need for a backup and recovery solution that is reliable and easy to use, and that enables data to be recovered as quickly as possible to minimize disruption.

NIST (National Institute of Standards and Technology) Recommended Security Controls

NIST’s Recommended Security Controls pertain specifically to federal agencies and organizations that work with them. These security controls for information systems assist organizations in complying with the Federal Information Security Management Act of 2002 (FISMA):

CP-9 Information System Backup is the NIST security control that deals specifically with backup, requiring “backups of user-level and system-level information (including system state information) contained in the information system.”

This language suggests that organizations should be backing up not only critical data, but also data customizations and metadata. Not all backup solutions are capable of this; if your organization is required to comply with FISMA, you’ll want to look for a backup provider whose solution can accurately achieve this goal.

HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule

HIPAA is the sweeping set of regulatory requirements that covers many aspects of healthcare, from costs of care to access to care. Only the HIPAA Privacy Rule section, CFR 45 Part 164, is relevant to our discussion of backup. (HIPAA is a regulation, rather than a framework. However, the Privacy Rule functions as a framework in that it delineates standards for compliance as well as implementation specifications for the standards.)

CFR 45 Part 164 directs organizations to “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information,” as well as to “establish (and implement as needed) procedures to restore any loss of data.”

Healthcare data is among the most sensitive anywhere, dealing with extremely personal and private aspects of individuals’ lives. It’s also data that often must be retrieved quickly to ensure that a patient gets the right care in a timely manner. The ability to protect that data is therefore critical and requires secure, reliable backup and recovery mechanisms.

AICPA (American Institute of CPAs) SOCs (Service Organization Controls)

The auditors who determine whether a business is in compliance often represent accounting firms. The AICPA SOCs constitute a framework of accounting standards and controls that auditors can apply to their work:

SSAE 16 focuses on controls related to an organization’s ability to maintain rigorous operational and security controls of its systems. Among the criteria for compliance are the existence of procedures to provide for data backup, offsite storage, and restoration.

Being compliant with SSAE 16 controls helps ensure that organizations are meeting the requirements that internal and external auditors will evaluate.

What to do next

When there are so many different regulatory requirements in play, just determining what you need to do in a single area such as backup can be challenging and complex. Frameworks provide much-needed guidance both for the organization seeking to comply and for the auditor seeking evidence of compliance. Even with frameworks to help, the process of achieving compliance isn’t easy. On the other hand, the consequences of not achieving it can be even tougher. Next time, we’ll look at the unwelcome results that can come from failing to comply, as well as the welcome benefits that succeeding can bring.

Meanwhile, for a broad overview of the compliance landscape that forms the context for the frameworks that we’ve explored here, check out our previous post “Compliance in the Cloud: Why Backup Is Critical.” And take a look at our webinar “How to Prevent Data Loss and Ensure Compliance for your SaaS Applications.”