5 Cloud Compliance Standards You Must Know as a Mid- to Large-Sized Business


Business owners likely already know about the benefits of the cloud: it’s more affordable than legacy services, it makes it possible for your employees to easily share files and be more productive when they’re away from the office, and it allows you to cut IT support costs by having a managed service provider monitor your infrastructure and solve problems remotely rather than hiring in-house IT workers.

But business owners have concerns about the cloud as well, and these concerns mainly have to do with security. In particular, most companies have regulations that they must abide by, and they’re worried about the regulatory fines and other penalties they might face if there’s ever a security breach involving their cloud solution.

“The first reason for the implementation of additional security measures is regulatory,” Duane Tharp, vice president of technical sales and services at Cloud Elements, said. “Businesses have to be compliant to a regulatory regime, whether state, federal, or internal.”


Indeed – according to a recent cloud survey conducted by Clutch, 88 percent of enterprises (defined in the survey as companies with over 100 employees) have to comply with some set of regulatory standards when using the cloud.

Which specific regulatory organizations do enterprises have to deal with? The Cloud Security Alliance (CSA) is the most common answer, with over a third (38 percent) of enterprises reporting that CSA standards are necessary for cloud storage. After that, 22 percent of enterprises meet ISO standards, 17 percent have to deal with the FDA, 15 percent with the CDSA, and 12 percent with HIPAA.

“Companies often use compliance concerns as an excuse for not using the cloud,” Dave Linthicum, a senior vice president at Cloud Technology Partners, said. “But these comments arise from ignorance… It’s all about understanding the features and functions that facilitate being compliant in the cloud. A lot of education needs to occur.”

Here’s what you need to know:


The Cloud Security Alliance (CSA) is a non-profit organization with over 40,000 members, dedicated to promoting the use of best practices for secure cloud computing, as well as educating people and businesses as to what those best practices actually are.

In 2011, the CSA received a huge boost in national (as well as international) recognition when the Obama administration chose the CSA Summit as the venue for announcing the government’s official cloud computing strategy.

What You Need to Know

The Clutch study mentioned earlier also revealed that enterprises spend a lot of money on protecting their sensitive information, with 59 percent of enterprises having spent between $10,000 and $500,000 on cloud security.

Much of that money goes to waste if an enterprise hires a cybersecurity “expert” who doesn’t really know what they’re doing.

The CSA’s Certificate of Cloud Security Knowledge assures employers that the certificate-holder knows how to properly design, build, and maintain a cloud environment in the business world. This helps truly skilled IT workers get hired, and it helps enterprises get the most out of their payroll dollars by dedicating them only toward top talent.

Also, the CSA’s Security, Trust & Assurance Registry (STAR) program is perhaps the toughest set of cloud security regulations in the industry. Any organization that has managed to make it into the STAR program is worthy of an enterprise’s consideration.


The International Organization for Standardization, founded in 1947 and headquartered in Geneva, Switzerland, is a worldwide authority that establishes industrial and commercial standards recognized in over 160 countries.

What You Need to Know

The specific standard to look at here is ISO/IEC 27018:2014, which deals with the handling of personally identifiable information (PII).

When you work with any cloud service provider that complies with ISO/IEC 27018:2014, you have the peace of mind of knowing that your data is being stored in a data center that follows strict rules on how PII is transferred and stored, and you’ll always know when third parties have access to your information.

Note that there is no specific ISO/IEC 27018:2014 certification, but any provider that has earned a certification for all of ISO 27001 by default complies with ISO/IEC 27018:2014.


Formed in 1904, the FDA protects public health in the United States by regulating the production and sale of food, tobacco products, and pharmaceuticals.

What You Need to Know

For the most comprehensive look at what needs to be done for your cloud solution to be FDA compliant, review Chapter 11: Electronic Records; Electronic Signatures in the annually updated Code of Federal Regulations.


The Content Delivery & Security Association, formerly the International Recording Media Association, has been promoting responsible delivery and storage of entertainment, software, and information content for over 40 years.

What You Need to Know

To achieve CDSA accreditation, organizations must complete three steps:

  • Step 1: the applying organization receives CDSA materials, carries out internal risk assessments, implements security processes and systems, and prepares required documentation
  • Step 2: a CDSA auditor reviews the applying organization to ensure compliance
  • Step 3: the applying organization will receive an audit report detailing where they did and did not pass, a surveillance audit will take place in 6 months, and annual audits are required every year to maintain certification


In 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. It includes provisions that establish the security standards for electronic healthcare transactions.

What You Need to Know

HIPAA violations can really hurt, as the maximum fine possible for breaking one provision of HIPAA is $1.5 million – and it’s possible to break multiple provisions in the same incident and rack up an even larger fine (in 2014, New York-Presbyterian Hospital and Columbia University were hit with $4.8 million in HIPAA fines after a breach exposed the records of thousands of patients).

Some providers claim to be HIPAA-compliant, but the Department of Health and Human Services (HHS), which oversees HIPAA, does not certify providers. Nothing is really HIPAA-compliant out of the box. You need to make your cloud solution HIPAA-compliant.

Thankfully, HHS publishes the audit protocols that will allow you to do just that.

“It is your responsibility as a customer on the Cloud to secure your perimeter and make sure your data is protected because the cloud vendor will not do that for you,” Jose Alvarez, the Director of IT Infrastructure at Auxis said.

Indeed – at the end of the day, the security measures provided by your cloud service alone just aren’t enough (although some services, such as SpiderOak and Tresorit, are more secure than others). If your data is compromised, you’re the one who’s going to have to deal with the highly expensive and reputation-damaging fallout. So it’s up to you, and only you, to make sure a breach doesn’t happen.

Take the initiative to use client-side encryption, regular auditing, improved identity access policies, and any other method that helps you stay up to code and prevent a cyberattack.

About the Author

Alex Miller is an Analyst at Clutch, a Washington, DC based B2B ratings and reviews website that highlights leading software and professional services firms. Clutch’s research helps start-ups, mid-market and large enterprises find partners that meet their needs, whether for a one-off project or a long-term relationship. Alex heads the cloud research segment at Clutch.


One Comment

  1. Informative read on cloud compliance standards.