10 Security Standards Cloud Providers Should Care About

The Cloud Security Question

Cloud security is still one of the key hindrances in adopting cloud computing services, especially as pertaining to the public cloud. With the public cloud market expected to triple from $12.1 billion last year to $25.6 billion by 2015, security is becoming increasingly important, research firm Analysys Mason said in a new report.

In a recent piece of research, Analysys Mason examined the various security standards to which cloud service providers should adhere and highlighted what percentage actually do. The research looked at several key cloud service providers, including Amazon, Box.net, Citrix Systems, Egnyte, Google, LogMeIn, Microsoft, Salesforce.com, Symantec and more, to determine whether they follow or adhere to certain security standards. Here's a look at some of the findings.

SAS 70

SAS 70 is the most commonly adopted security standard among cloud service providers, Analysys Mason found. According to the firm's research, roughly 67 percent of cloud service providers follow SAS 70 (Statement on Auditing Standards No. 70), which is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization like a hosted data center, insurance claims processor or credit processing company, or a company that provides outsourcing services that can affect the operation of the contracting enterprise.


According to Analysys Mason, about 42 percent of cloud service providers follow the PCI DSS (Payment Card Industry Data Security Standard) standard, a global security standard that applies to all organizations that hold, process or exchange credit card or credit card holder information. The standard was created to give the payment card industry increased controls around data and to ensure it is not exposed. It is also designed to ensure that consumers are not exposed to potential financial or identity fraud and theft when using a credit card.


Sarbanes-Oxley (SOX) is a security standard that defines specific mandates and requirements for financial reporting. SOX spanned from legislation in response to major financial scandals and is designed to protect shareholders and the public from account errors and fraudulent practices. Administered by the SEC, SOX dictates what records are to be stored and for how long. It affects IT departments that store electronic records by stating that all business records, which include e-mails and other electronic records, are to be saved for no less than five years. Failure to comply can result in fines and/or imprisonment.

According to Analysys Mason, only about 33 percent of cloud service providers follow SOX.

ISO 27001

Analysys Mason's research found that about 33 percent of cloud service providers adhere to ISO 27001, a standard published in 2005 that is the specification for an Information Security Management System (ISMS). The objective of ISO 27001 is to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving ISMS, which is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.

Safe Harbor

About one-fourth of cloud service providers adhere to Safe Harbor principles, a process for organizations in the U.S. and European Union that store customer data. Safe Harbor was designed to prevent accidental information disclosure or loss. Companies are certified under Safe Harbor by following seven guidelines: Notice, through which individuals must be informed that their data is being collected and how it will be used; choice, that individuals have the ability to opt out of data collection and transfer data to third parties; onward transfer, or transfer data to third parts that can only occur to organizations that follow adequate data protection principles; security, or reasonable efforts to prevent loss of collected data; data integrity, that relevant data is collected and that the data is reliable for the purpose for which it was collected; access, which gives individuals access to information about themselves and that they can correct and delete it if it is inaccurate; and enforcement, which requires the rules are enforced.


National Institute of Standards and Technology (NIST) standards, originally designed for federal agencies, emphasize the importance of security controls and how to implement them. The NIST standards started out being aimed specifically at the government, but have recently been adopted by the private sector as well. NIST covers what should be included in an IT security policy and what can be done to boost security, how to manage a secure environment, and applying a risk management framework. The goal is to make systems more secure. Analysys Mason's research found that about 25 percent of cloud service providers adhere to NIST standards.


The U.S. Health Insurance Portability and Accountability Act (HIPAA) is followed by roughly 16 percent of cloud service providers, Analysys Mason found. The HIPAA standard seeks to standardize the handling, security and confidentiality of health-care-related data. It mandates standard practices for patient health, administrative and financial data to ensure security, confidentiality and data integrity for patent information.


FISMA, or the Federal Information Security Management Act, was passed in 2002 and created process for federal agencies to certify and accredit the security of information management systems. FISMA certification and accreditation indicate that a federal agency has approved particular solutions for use within its security requirements. In its research, Analysys Mason found that about 16 percent of cloud service providers have obtained FISMA certifications.


COBIT, or Control Objectives for Information Related Technology) is an international standard that defines the requirements for the security and control of sensitive data. It also provides a reference framework. COBIT is a set of best practices for controlling and security sensitive data that measures security program effectiveness and benchmarks for auditing. The open standard comprises an executive summary, management guidelines, a framework, control objectives, an implementation toolset and audit guidelines. According to Analysys Mason, about 8 percent of cloud service providers follow the COBIT security standard.

Data Protection Directive

The Data Protection Directive is a directive adopted by the European Union that was designed to protect the privacy of all personal data collected for or about EU citizens, especially as it relates to processing, using or exchanging that data. Similar to Safe Harbor in the U.S., Data Protection Directive makes recommendations based on seven principles: Notice, purpose, consent, security, disclosure, access and accountability. According to Analysys Mason, about 8 percent of cloud service providers adhere to the Data Protection Directive.