ABSTRACT

CONTENTS

28.1 Introduction 367
28.2 General Cloud Certifications and Compliance 368
28.3 Data Protection and Privacy across the World 369
28.4 Government Certifications in the Cloud Business 370
28.4.1 Overview of U.S. Federal Compliance Requirements 370
28.4.1.1 ITAR and EAR 371
28.4.1.2 Federal Risk and Authorization Management Program (FedRAMP) 371
28.4.1.3 Defense Information Systems Agency 372
28.4.2 Canadian IT Security Guidance 373
28.4.3 Australian Signals Directorate and IRAP Compliance 373
28.4.4 Russian Crypto License and FSTEC Certification 374
28.4.5 Chinese Internet and Cloud Providers 374
28.4.6 The German BSI and IT-Grundschutz Certification 375
28.5 Risks and Challenges for Cloud Service Provider 375
28.5.1 Potential Redesign of Cloud Service Architecture 376
28.5.2 Lack of Standardization 376
28.5.3 Limited Re-Use of Government Cloud Concepts Possible 377
28.5.4 Loss of Control Due to Government Intervention 377
28.5.5 Risk of Failing Future Certifications or Compliance Audits 377
28.5.6 Politics and Sanctions Impacting Cloud Business 378
28.5.7 Significant Increase in Cost and Effort 378
28.6 Summary 378
References 378

between countries. Basically, every country defines its own rules. Of course, there are some similarities with regard to encryption usage, but this helps only a little because the encryption software or hardware must be certified by each individual government. Also, they of course demand that their data are stored locally and administered only by local citizens. This is a challenge for the cloud service provider if the service operates with a global shift based on the follow-the-sun support model and has no local, country-specific resources for around-the-clock (24/7) cloud operation. In addition to these technical cloud infrastructure and cloud operational aspects, the solution and services must be certified against local standards. So in the end, the cloud service provider may have dozens of isolated, country-specific cloud implementations and certifications to maintain. This chapter will describe some of these government and country-specific requirements in the context of cloud computing. It will explain existing international standards and attestations that can be used as a baseline for the cloud service, and it will outline some of the risks in this area.