Cloud Security and Privacy
Cloud computing's rapid growth is fueling a corresponding need for greater compliance, governance and regulation to ensure that data and knowledge are secured and accessed only for their intended use. A regulation is by definition a rule or law, and carries within that definition the means of its own compliance and enforcement (Halpert, 2011). Regulations differ from legal frameworks or standards in that the former are broadly protective and more focused on protecting shareholder value, ensuring corporate responsibility and defining disincentives for recklessness or wrongdoing (Halpert, 2011). The purpose of this paper is to analyze the top five security regulations affecting business and government.
Analysis of the Top Five Security Regulations for Businesses and Government
The top five security regulations provide the laws governing the use of digital assets, including cloud computing platforms and applications, with the specific purpose of ensuring that personal and corporate data, information and knowledge are protected.
The first of the five regulations is the Federal Information Security Management Act (FISMA). Passed in 2002, this Act sets out specific requirements governing access to and use of U.S. government data at federal agencies (Halpert, 2011). It concentrates on how to define, implement and optimize every aspect of information system security for U.S. federal agencies. What is unique about this Act, according to Halpert (2011), is a clause that provides for greater funding if the overall readiness of an agency's IT systems falls below a specified threshold. The Act predates the adoption of cloud computing, but the control catalog that implements it (NIST SP 800-53) organizes security controls into 17 families ranging from Access Control to Contingency Planning and Disaster Recovery. While these controls were not written for cloud computing, they address the underlying infrastructure that cloud platforms rely on.
The second most significant security regulation is the Sarbanes-Oxley Act of 2002, commonly called SOX. SOX defines in detail how all publicly traded American companies report their financial results, disclose their ownership and stakeholders, and report exceptional events that could have a material effect on their financial performance. Compliance with SOX is typically demonstrated through the internal-control frameworks COSO and COBIT (Halpert, 2011). Cloud-based platforms used in financial services by firms traded on American stock exchanges must satisfy these requirements or face heavy fines from the U.S. Securities and Exchange Commission. SOX is so foundational to building cloud platforms that it is an essential element of any application or system design in publicly traded American companies today.
The third most important security regulation is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. This Act has definite implications for cloud computing applications and platforms used throughout the healthcare industry, as it protects the confidentiality of patients and ensures the privacy of healthcare transactions and records (Halpert, 2011). The Act was updated in 2009 by the HITECH Act, enacted as part of the American Recovery and Reinvestment Act (ARRA/HITECH), which extended its requirements to the entire value chain of businesses that the healthcare industry relies on (Halpert, 2011). Like SOX, HIPAA does not specifically address cloud computing, yet it has been interpreted and routinely applied in the design and development of healthcare cloud applications and platforms.
The fourth most important security regulation is the Gramm-Leach-Bliley Act (GLBA), passed in 1999. This Act also predates the widespread adoption of cloud computing, yet it is foundational to the protection of customer information in banking and financial institutions (Halpert, 2011). The banking industry was undergoing widespread consolidation when the Act was passed, hence its focus on protecting consumers' data and information. Like HIPAA, GLBA concentrates on maintaining control over and privacy of personal data, seeking to mitigate the inherent risks of having that data compromised (Halpert, 2011). Like HIPAA, GLBA predates cloud computing, yet it is a core design element of cloud applications and systems in the financial services industry.