Are you overlooking critical cloud SaaS regulations?

4th March 2021

Running a SaaS business is hard work. Once you build a strong application, you have to make sure both the application and hosting environment are secure. Then, you need to market your solution and manage bug reports and general feedback.

You’ve probably spent long hours with your IT security team to address security issues, but have you verified that your business meets cloud industry compliance regulations?

You may not realize that cloud service providers are required to meet additional regulations including (but not limited to):

- ISO/IEC 27001:2013, ISO/IEC 27017:2015, and ISO/IEC 27018:2019 (International Organization for Standardization; these standards can be accessed in full from the iTeh Standards website).

These three ISO/IEC standards specify requirements for an organization’s information security management system, how to manage security risks, and how to apply information security controls to cloud services.

These regulations also establish control objectives and guidelines for protecting personally identifiable information in a cloud environment that align with the ISO/IEC 29100 privacy requirements.

- The CLOUD Act (Clarifying Lawful Overseas Use of Data). The CLOUD Act requires companies to provide information to law enforcement (when properly requested) “regardless of whether such communication, record, or other information is located within or outside of the United States.”

In other words, when law enforcement performs discovery for a federal case, they have a legal right to obtain data on users even if the servers holding the data are in another country. However, to qualify, the government requesting the data must have a Mutual Legal Assistance Treaty (MLAT) with the United States government.

If you’re presented with a legitimate court order to hand over data on somebody, you must comply. However, you don’t need to comply if the order isn’t valid. This means your SaaS company needs a plan for how you’ll handle this situation if it occurs.

- GDPR (General Data Protection Regulation). Deemed the toughest data privacy law on Earth, GDPR governs the way organizations manage personal data belonging to EU citizens. Hopefully, you’re at least familiar with this regulation and have a system that allows people to easily request erasure of all personal data.

- PCI DSS (Payment Card Industry Data Security Standard). The PCI DSS security standard has been around for a while, but it is still a requirement for all e-commerce businesses. It’s essentially a set of requirements for processing, storing, and transmitting credit card data securely.

Industry-specific regulations that may apply to your SaaS organization

- The GLBA (The Gramm-Leach-Bliley Act). This law applies to financial institutions and requires them to tell customers/clients exactly how they share their private data. The law also requires customers to be informed of their right to opt out of having their data shared, and requires each financial institution to create a strong, written IT security plan.

- FISMA (Federal Information Security Management Act). This particular act was created to protect government information and operations. FISMA applies to any state agency that administers a federal program along with businesses and service providers in contract with the United States government.

- FedRAMP (Federal Risk and Authorization Management Program). The FedRAMP program standardizes the way cloud service providers approach cybersecurity when protecting federal data, including continuous monitoring. The program maintains a list of pre-authorized cloud service providers to help organizations stay compliant.

- HIPAA (Health Insurance Portability and Accountability Act). Applicable to anyone who stores, transmits, or works with patient data, HIPAA requires a high level of data security for all cloud environments. You’re probably aware of this act, but you may not realize responsibility for data breaches falls equally on the cloud service provider along with the organization. In other words, you can’t just leave it up to your client to protect their data. You either need to be HIPAA-compliant, or refuse to store health data.

There are mountains of security regulations for SaaS companies

As you can see, the SaaS and cloud industries are heavily regulated by multiple laws, acts, and programs with many overlaps. It can be confusing to sift through all of these regulations yourself, although it’s wise to gain a basic understanding of each law.

If your organization falls victim to a data breach, any small violation of these laws will be highlighted and it could cost you tens of thousands of dollars. It doesn’t take much. For example, on May 20, 2019, private information belonging to 49 million Instagram users, including celebrities, was exposed when a social media company failed to protect the data stored in an AWS database.

The best thing to do is consult with a regulations expert in your industry to find out what you can do to ensure you don’t violate any of these laws. When it comes to cybersecurity, you can never be too careful.