Vertical certifications that cloud providers must know about!
One of the key areas of potential growth for cloud providers is to offer ever more tailored solutions to customers as new "as a service" offerings. Cloud is evolving at light speed, and the existing IaaS, PaaS and SaaS models are swiftly morphing into an array of new capabilities. The next wave of industry growth must address more specific industry verticals, such as healthcare, law enforcement, credit card processing and the like, that extend beyond the basics of PaaS, IaaS and SaaS.
But entering targeted vertical markets brings compliance and certification problems of a new sort. Capabilities that transmit, process or store sensitive, discrete data sets such as Personally Identifiable Information (PII) or Criminal Justice Information (CJI) come with unique security controls and accreditation mandates that can go well beyond FedRAMP.
There is no question that these additional qualifications can be time consuming and costly to obtain, not to mention that they bring potentially significant legal liability if the data is breached. The controls required for sensitive data sets often go well beyond the baseline operational requirements, such as FedRAMP certification or meeting the DoD Security Requirements Guide (SRG) security controls.
The cloud ecosystem is also plagued by fundamental misunderstandings about the applicability of many certifications. One of the largest misunderstandings among SaaS offerings is the belief that a hosted software application simply has to reside on a FedRAMP-compliant platform without needing to address any product- or application-specific controls.
Not true! There is no such thing as "inheritance." Just because a specific platform is FedRAMP certified, or holds an ancillary certification, the software or applications that reside on that platform do not simply "inherit" the security credential. The FedRAMP program office has made very clear that this is not the case. Software and application vendors must obtain independent validation and certification for their portion of the cloud stack. For example, HIPAA, which governs private patient data, mandates that CSPs, as "business associates," comply with HIPAA requirements as well. The same goes for Criminal Justice Information (CJI).
This means that CSPs must offer and manage cloud solutions that carry compliance certifications for sensitive data sets in order to continue their growth into underserved industry vertical markets. As such, CSPs and their partners must scrutinize and obtain as many relevant compliance certifications as possible.
The landscape is made even more complex by the fact that some compliance certifications are well understood while others are still emerging and developing.
Some of the most basic ancillary certifications to be aware of include the following:
FERPA certification: essential if a cloud provider wants to sell cloud services into the education space. The Family Educational Rights and Privacy Act is a detailed statute that contains multiple privacy protections for student information, including information stored in the cloud. Educational customers must abide by FERPA to maintain their eligibility for government funding, such as grants.
HIPAA certification for healthcare customer and patient data: cloud opportunities in the healthcare space are a dynamic and growing market. But the Health Insurance Portability and Accountability Act (HIPAA) governs any medical institution that has access to patient records, and cloud providers must bake these certifications into any medical products sold into the healthcare market.
HITECH certification for cloud providers who transmit health information: HITECH (the Health Information Technology for Economic and Clinical Health Act) is a compliance certification required for the transmission of health records and health information. It applies to any cloud offering that transmits health information.
Payment Card Industry certification: cloud offerings that delve into payment processing face a tough set of additional certifications and security controls. One such certification is PCI DSS, the Payment Card Industry Data Security Standard, which has detailed compliance requirements. PCI DSS addresses issues such as network security, protection of cardholder data, and cybersecurity measures including incident reporting, and it requires vulnerability management and access control programs.
CJIS compliance for Criminal Justice Information (CJI): if a cloud provider wishes to sell into the law enforcement market, it will likely need to access and utilize so-called Criminal Justice Information. To access CJI, cloud providers and their hosted applications must first qualify as an authorized recipient of CJI by meeting a specific set of security and qualification criteria established by a specific group within the FBI.
There are also numerous industry standards groups, such as ANSI and ISO, that publish operational and technical standards and certifications that cloud providers should be aware of.
Industry experts can assist in navigating the compliance obstacle course. Cloud providers need to know about these requirements, and the costs associated with obtaining them, before they seek entry into a specific market or bid on a government opportunity. Not complying can lead to significant damages and, in certain instances, even criminal liability.