Chairman of the Board of Directors

7 of the Most Significant Cloud Compliance Regulations

Cloud compliance refers to the vast set of regulations and principles that organizations must follow when using systems delivered through the cloud. As cloud computing continues to grow in popularity, cloud customers must begin to look at their own compliance efforts and take steps to meet the required guidelines.

Both within the United States and across the globe, there are a number of standards that individual users, federal entities, and other organizations must follow throughout their employment of cloud-based services. Read on to take a look at a few of the most important regulations that are governing cloud compliance today:


  1. International Organization for Standardization (ISO)

ISO is one of the most prominent regulatory bodies in charge of cloud guidelines. Based on the recommendations and votes of an expert committee, this organization has developed countless regulations that govern the applications of cloud computing.

ISO/IEC 27001:2013 is one of the most widely used of all ISO cloud requirements. Designed for application within organizations of any size, this standard lists the requirements for handling all phases (from creation to maintenance) of information security management systems. This regulation also specifies how organizations must address the security risks that they come across. ISO/IEC 27017 and ISO/IEC 27018 are two other ISO regulations that establish reliable security standards for both cloud vendors and cloud users alike.

For those organizations that are looking to enhance their general IT governance, ISO/IEC 38500 sets a firm standard for these practices. More specifically, these guidelines help guide organizations’ senior management teams through the steps they must take to improve the way they use IT. Though the ISO/IEC 38500 standard does not specifically apply to cloud usage, both providers and clients alike can use it in their cloud governance practices.

business management


  1. Health Insurance Portability and Accountability Act (HIPAA)

Enacted in 1996, HIPAA establishes standards for the management and security of protected health information (PHI). Applicable only within the United States, this regulation delivers provisions that help healthcare entities enhance the security of the medical data that they use on a regular basis. Hospitals, doctors’ clinics, and health insurance organizations are some of the entities that use HIPAA to this end.

Not only does this legislation create provisions for PHI management, but it also requires healthcare organizations to report security breaches. The most significant aspect of HIPAA is its Title II section, which ensures that those in the healthcare industry employ secure access measures for their data and follow other guidelines for handling electronic healthcare transactions.


  1. General Data Protection Regulation (GDPR)

In order to tackle security compliance challenges within the cloud environment, the European Union has taken drastic steps to overhaul its privacy regulations. Looking to supplant the EU Data Protection Directive of 1995, the EU has agreed to implement its new GDPR rules.

GDPR is designed to govern the work of any organization that works with the information of EU residents. After going into effect in May 2018, these regulations will give EU residents greater control over their data and create a better international standard for business.


  1. Federal Risk and Authorization Management Program (FedRAMP)

Based on a number of security controls established through the National Institute of Standards and Technology (NIST) Special Publication 800-53, FedRAMP provides enhanced security to those working within the cloud. More specifically, these regulations establish a process of evaluation for the management and analysis of different cloud solutions and products.

FedRAMP ensures that cloud service vendors remain in compliance with the security controls established through Special Publication 800-53. Any federal agency that decides to employ cloud services throughout its organization must employ FedRAMP programming.


  1. Sarbanes-Oxley Act of 2002 (SOX)

SOX went into effect following a number of prominent financial scandals in the early 2000s. As per this regulation, all public companies in the US must take steps to mitigate fraudulent accounting and financial activities. By ensuring that companies comply with these rules, SOX safeguards the American public from corporate wrongdoing. Any company that falls under the jurisdiction of SOX must only work with cloud providers that employ SSAE 16 or SAS 70 auditing guidelines.


  1. Payment Card Industry Data Security Standard (PCI DSS)

In 2004, major US credit card firms American Express, MasterCard, Discover, and Visa came together to establish PCI DSS. This compliance standard has since helped provide better security for card payment transactions. To this end, PCI DSS has established security measures that safeguard the data of cardholders and prevent any outside parties from exploiting their information.

PCI DSS underwent an overhaul in 2016 that implemented new controls for multifactor user authentication and data encryption requirements. This update also requires service providers to conduct penetration testing to further enhance data security.



  1. Federal Information Security Management Act (FISMA)

Since going into effect in 2002, FISMA has governed the security practices of entities in the US Federal Government. In essence, this regulation ensures that federal agencies safeguard their assets and information by creating, implementing, and following an internal security plan. FISMA also dictates that these entities must complete a review of this plan on a yearly basis. This guarantees the efficacy of the program and the ongoing mitigation of security risks.

FISMA not only covers information handled at federal agencies, but it also focuses on the technology security of third-party organizations such as cloud vendors. These entities will only meet FISMA compliance rules if they host their services within a data center that fulfills the requirements of this act.