
Compliance in the Cloud: Certifications for Cloud Providers


This is the eighth blog in a series of blogs and podcasts that provides information on the concepts of compliance in a cloud environment. In this series, we offer greater insight into the concepts and best practices for many of the considerations that are generally part of a cloud compliance program. In the previous blog, we reviewed "Key Compliance Considerations". In this installment, we discuss the topic "Certifications for Cloud Providers".

There are many different considerations that a company should evaluate when choosing a cloud provider, and through the course of the various blogs and podcasts, we have identified most of them. One of the questions that we are constantly asked is around cloud compliance certifications and standards, specifically:

What compliance standards and certifications should a cloud provider have as part of their overall offerings and security program?

The answer obviously differs by company, depending on the specific regulatory concerns that the company is subject to. But here are some basic certifications and standards that nearly all cloud providers should be able to obtain:

SOC 1 / SOC 2 / SOC 3

According to the AICPA, a SOC 1 is a report on the controls at a service organization that are relevant to the user's internal controls over financial reporting. A SOC 2 is the same kind of report, but focused on security and privacy controls. A SOC 3 is much the same as a SOC 2, but intended for a different audience. Pretty much any cloud provider will have one, two or all of these reports on their cloud infrastructure, and will make them available to customers or prospective clients for the asking.

ISO 27001

ISO 27001 is an internationally recognized security standard designed to secure information assets. It is generally used as a framework for creating an information security management system (ISMS). ISO 27001 certification is difficult for a small to medium-sized business to achieve, mainly due to the complexity and strength of the various security controls necessary to comply with the standard. Seeing this certification at a cloud provider generally means that the provider has achieved a level of security maturity within its organization.

CSA Security, Trust & Assurance Registry (STAR)

The Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) is a program developed by the CSA for security assurance in a cloud environment. It consists of the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ), which companies can use to evaluate a cloud provider's overall security practices.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards created by the major credit card companies and financial entities to ensure that companies that accept, process, store or transmit credit card information maintain a secure environment. Most companies are familiar with PCI in one form or another, as it is the standard that must be adhered to in order to process credit card transactions. Most cloud providers have achieved PCI compliance, or can help their customers achieve it.

These are just a few of the many certifications that are available, and that companies can use to determine the maturity of a cloud provider's security program. Others are important to consider as well: HITRUST in the healthcare industry, ITAR certifications in the manufacturing industry, and FCRA / CFPB in the financial services vertical. Before deciding on a cloud provider, a company should ask to see the provider's certifications and security program, as well as any controls the provider can share to help the company with its own compliance concerns.

In the next blog in this series, we will discuss the compliance topic "Hybrid Cloud Compliance". To learn more about cloud compliance and hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security.

To find the other parts of this series, please search for "Compliance in the Cloud". A list of all of Chris Steffen's blogs is available on Grounded in the Cloud, and his posts are also on his Medium site.

About the Author
Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.
