This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Cloud-10 Regulatory Compliance

Jump to: navigation, search

R3: Regulatory Compliance

Customers are ultimately responsible for the security and compliance with regulatory laws (e.g., SOX, HIPAA etc) of their own applications that are hosted in cloud. Data stewards and application owners must plan to put timely audits in place to ensure proper controls in the applications and infrastructure that is hosted at a cloud provider. Companies that are planning to adopt cloud (SaaS, Iaas, Paas etc) must ensure that their cloud provider understand the respective roles and responsbilities (RACI etc) in helping out customers in maintaining required compliance with the appropriate regulatory laws and standards (government and commercial). IT managers are likely to push back on cloud adoption due to the fear of losing control of their resources to outside cloud providers who can change the underlying technology or implementation or both without customer’s consent which may have implications on regulatory compliance due to lack of transparency (Sullivan, 2009; Chow et al., 2009). IT organizations should analyze whether or not a move to the cloud makes sense with a risk management framework that incorporates data protection and compliance requirements and by making sure that the data protection, availability and key management expectations are well defined into the service level agreements (Getgen, 2009).


Anthes, G.. (2009, January). SaaS Realities. Computerworld, 43(1), 21-22. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1626575741).

Business: Pain in the aaS; Computer security. (2008, April). The Economist, 387(8577), 86. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1469385981).

Gartner: Seven Cloud-Computing Security Risks.

Google: Cloud computing more secure than traditional IT.

Top five cloud computing security issues.

Cloud Security Alliance.

O'Sullivan, D. (2009). The internet cloud with a silver lining. The British Journal of Administrative Management.

Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., & Molina, J. (2009). Controlling data in the cloud: Outsourcing computation without outsourcing control. Paper presented at the CCSW '09: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, Illinois, USA

Getgen, K. (2009, October). 2009 Encryption and key management industry benchmark report. Trust Catalyst white paper on Risk Management for data protection.