Cloud Service Providers and understanding Cloud Certifications: for Data Controllers

In a clinical trial, it is the data controller’s obligation to ensure the security of all trial records. These include the study record, the case report forms (CRFs), the electronic database captures (EDCs), the safety databases, the electronic trial master file (eTMF), the data at the end of the study for publication, the analysable dataset for sharing with other parties, and the clinical study reports (CSRs) for regulatory authorities. The multiple and inherently complex steps in the data processing operations have led to an increased usage of cloud-based services and solution provided by Cloud Solution Providers (CSP).

The advantage for controllers is that these services provide large expandable data storage, secure backups, the anytime, multilocation, multi-user real-time access and update. It is the controller’s obligation to ensure that appropriate technical and security measures are in place for the processors it contracts, including (CSPs). However, as the Article 29 Working Party (subsequently the European Data Protection Board, EDPB) recognised in its opinion on Privacy and the Cloud, there are significant issues due to the contractual asymmetry between the CSPs, their clients, and the lack of transparency on the security measures implemented by the CSPs. Therefore, the EDPB recommends that controllers should not entrust data processing to CSPs that do not provide sufficient information and transparency on their security measures.

“The cloud” is the infrastructure and services that users can access over the Internet. In addition to storage, the Cloud, provides various levels software or applications. By using cloud computing, companies do not have to manage the physical servers themselves nor run software applications.

Cloud computing is a method of optimizing the computing resources with different models from ‘pay as you go’ to private cloud implementations dedicated to the client

The most common types of cloud services are:

• Software as a Service (SaaS): the application-level services, involving web or mobile access, tailored to various business needs.
• Platform as a Service (PaaS): provides infrastructure plus software framework which is applicable for advanced developers. New web applications can be created on PaaS.
• Infrastructure as Service (IaaS): a way of providing user access to raw computing resources such as processing power, data storage capacity and networking in a secure data centre.

The factor in common between the certification schemes is that they assess CSPs against numerous controls that are derived from various national and international standards. These standards are not necessarily dedicated to cloud computing but very useful in developing confidence regarding the certification. The most common of these standards are:

• ISO 27000-series on Information Security at the company level
• The US National Institute of Science and Technology (NIST) 800-53: Security and Privacy Controls for Information Systems and Organisations
• American Institute of Certified Public Accountant’s (AICPA) System and Organization Control (SOC) provides Reporting on Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)

Increasingly, we have seen CSPs referencing SOC 2, which we have included in this analysis as it is also a type of certification/label scheme.

The Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct was the first sector-specific code for cloud infrastructure service providers under Article 40 of GDPR approved by the EDPB. It helps organizations across Europe accelerate the development of GDPR compliant cloud-based services for consumers, businesses, and institutions. Some of the key facts about the CISPE CoC are:

• It applies to only IaaS services
• The controls are partially based upon ISO 27000-series controls, but ISO certification is not mandatory
• There are two levels of Trust Mark available for adherents to the code:
  o Declared, which is based on self-assessment by the CSP; and,
  o Certified where third part audit evidence is needed.

Note that even though this is a GDPR Code of Conduct, a CSP having a Trust Mark does not remove the obligation from the controller to have an Article 28 compliant Data Processing Agreement with the CSP and to implement Standard Contractual Clauses where needed for transfers outside of the EEA.

The EU Cloud CoC is the latest Code of Conduct related to cloud computing approved by the EDPB under Article 40 of GDPR, which aims to help CSPs on their path to GDPR compliance using controls based on ISO 27000-series documentation. It also enforces the need for transparency in the security controls and mandates that customers must be allowed to specific in which region their data is stored. The EU Cloud CoC cover IaaS, PaaS and SaaS providers. There are three levels of certification (called Compliance Marks):

• Level 1 is based upon self-assessment by the CSP and review of documentation by the assessment body.
• Level 2 is when the assessment is partially covered by external audit; and,
• Level 3 is where the assessment is fully covered by external audit.

As with the CISPE Code of Conduct the controller still needs to have proper data processing agreements and transfers mechanisms in place even if the CSP has a Compliance Mark.

The Cloud Security Alliance (CSA) provides a Security, Trust, Assurance and Risk (STAR) registry, a level-based assessment, where the CSA Cloud Controls Matrix (CCM) is used as a cybersecurity control framework for cloud computing.

STAR controls are based on a wide range of standards including ISO-27000-series, SOC, GDPR requirements. There are two levels of compliance:

• Level 1 is based on self-assessment with review by the assessment body.
• Level 2 is based on third party audit.
  There are specific Level-2 variations for SOC 2, ISO 27001 as well as C-STAR for the Greater China market. CSA Corporate Members who achieve level 2 are certified as CSA Trusted Cloud Providers.

You can find a list of corporations certified by CSA STAR at its publicly accessible registry at this link.

The Federal Office for Information Security in Germany (BSI Germany) introduced C5 in 2016. C5 stands for ‘cloud computing compliance criteria catalogue’. Its controls are based on ISO-27000-series, CSA STAR, AICPA SOC and PC-DSS. CSPs can attest to C5 compliance via a compliance audit that is repeated regularly. BSI C5 is a continuous improvement process.

Whilst not specifically a cloud certification scheme, a SOC 2 engagement can cover the CSPs internal controls related to the Health Insurance Portability and Accountability Act (HIPAA) as well as the CSA’s Cloud Controls Matrix. You may see reference to SOC 1 and SOC 3, but these are not relevant to controllers looking to understand the security of CSPs.

Health Data Host (“Hébergeur de Données de Santé”, HDS) certification is issued by ASIP SANTÉ on behalf of the French Ministry of Health. ASIP Santé is responsible for promoting electronically based healthcare solutions in France. The HDS certification controls are based on ISO 27001. Of note is that the HDS certification is required for all CSPs that host personal health data governed by French laws.

The scheme most relevant to you will depend on several factors like the specificities of your data processing operation, how you intend to use of the cloud, your location, and whether you need to cover HIPAA. For each scheme that may fit your needs, there are a range of cloud-relevant certification schemes based on well-known and understood security standards. When considering contracting a CSP, the compliance certifications can increase the confidence of the controller in the adequacy of the security measures. However, this does not remove the obligation of the controller to:

• Execute article 28 data processing agreements with CSPs
• Execute SCCs where relevant for transfers
• Monitor the performance of the CSPs in respect of security and raise issues where needed.

In terms of assessment processor security, a processor with a compliance mark will likely require less due diligence than for one that does not. That said, this does not mean due diligence is not needed. We would also state that compliance marks requiring external audit evidence provide greater confidence to controllers than those where self-assessment was used.

Always check the validity of the compliance mark in terms of the services covered as well as the expiry date of the certification. All of these steps will help you maintain your compliance.