The advantages that cloud computing brings are undeniable: increased agility, reduced costs, operational flexibility, and more. However, organizations sometimes hesitate to adopt the cloud because of perceived compliance issues. After all, the direct control one has over on-premises data is lost when it moves to the cloud, and dependency on a third party increases.
So how does one make sure the cloud service provider complies with the regulatory requirements that apply to you? Simply put, you cannot delegate this. The onus of compliance always remains with the data owner.
Regulatory compliance has become increasingly complicated, with a complex mix of regulations to adhere to, ranging from the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, to the Payment Card Industry Data Security Standard (PCI DSS) and the European Union Data Protection Directive (superseded in 2018 by the General Data Protection Regulation, GDPR), to name a few.
Some key elements to consider when moving data to the cloud:
- What kind of data is going to be migrated to the cloud? Business contracts often restrict moving certain data, especially business-critical or confidential data, to the cloud. Be clear on the security and privacy policies that apply to that data before it moves.
- What kind of cloud service is going to be used: private, public or a hybrid model? This also affects the kind of data that can be hosted. For instance, you may decide that all your sensitive data will remain on a private cloud hosted on-premises.
- Identify the geographical location of the data storage. Most providers have cloud storage/data centers that are geographically dispersed across multiple countries; yet certain regulations specify geographical boundaries of data storage to ensure that regulatory purviews and responsibilities are accurately defined. Depending on where the data is stored, it will fall under the jurisdiction of different regulations.
- EU data protection law, for instance, restricts transferring personal data outside the EU/EEA unless the destination offers adequate protection or other approved safeguards are in place. The better service providers now offer distinct geographic regions that can be selected for storing data. Continue to periodically check that your data, including backups and replicas, stays within those regions. This makes compliance with local regulations straightforward to demonstrate.
- Keep in mind that cloud providers often outsource some of the processing work in a public cloud to third parties. As a customer, you can and must contractually insist on complete transparency regarding who the subcontractors are, who has access to your data and what security measures are taken to protect it. Assess not just the provider's own security and compliance policies, but also how stringently it applies those policies to its subcontractors.
- Public cloud providers often use a multi-tenancy model, in which you share infrastructure with other organizations, to optimize server workloads and keep operational costs down. Insist on, and assess, the isolation controls that prevent your data from being exposed to other tenants.
- Be responsible for your own compliance. While your cloud service provider may claim to be compliant, ultimately, the responsibility for regulatory compliance rests with the data owner. Even as you ensure that the service provider maintains regulatory controls on an ongoing basis, do not overlook compliance aspects surrounding your own IT operations and processes. Implement a robust and ongoing governance framework that gathers relevant information from providers and your own systems, and monitors compliance in line with international best practices.
- Besides protecting the integrity of stored data, regulations also demand that you protect data in motion, from user endpoints to the cloud and back again. Encrypt data in transit (for example with TLS) as well as at rest so that it is unreadable and unusable to an attacker who intercepts or copies it, and keep the encryption keys under the organization's own control rather than leaving key custody solely to the provider.
- Focus on SLAs. Jettison the provider's standard terms and conditions in favor of a contract whose provisions fit your requirements. Compliance is a vital issue, and non-adherence results in severe penalties, so write your compliance requirements into the SLA where they are enforceable.
- Finally, review the vendor's incident response and breach notification plan so that you can proactively plan for data breach contingencies.
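The periodic data-residency check recommended above is one of the few items in this list that can be automated. The following is an added example, not code from the article or from any provider: it runs an allow-list of approved regions over a storage inventory and reports every resource holding regulated data whose primary location, or any replication target, falls outside the approved set. The inventory format and the region names are constructed, provider-neutral stand-ins for what a real provider's API would return, and the classification labels are assumptions.

```python
"""Data-residency check over a cloud storage inventory.

Added example, not from the article. The inventory shape and region names are
constructed, provider-neutral stand-ins; in practice the list would be pulled
from the provider's API on a schedule and the result fed to the governance
framework described in the text.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class StorageResource:
    name: str
    region: Optional[str]                 # None models an API that returned no location
    replicas: List[str] = field(default_factory=list)  # cross-region replication targets
    classification: str = "internal"      # assumed labels: "personal", "confidential", "internal"


# Constructed sample inventory: one compliant bucket, one primary outside the
# allowed regions, one whose replica leaves the allowed set, and one with an
# unknown location that is not regulated data.
SAMPLE_INVENTORY = [
    StorageResource("customer-records", "eu-west-1", ["eu-central-1"], "personal"),
    StorageResource("analytics-export", "us-east-1", [], "personal"),
    StorageResource("backups", "eu-central-1", ["us-west-2"], "confidential"),
    StorageResource("legacy-archive", None, [], "internal"),
]


def find_residency_violations(
    inventory: Sequence[StorageResource],
    allowed_regions: Sequence[str],
    regulated_classes: Sequence[str] = ("personal", "confidential"),
) -> List[Tuple[str, str]]:
    """Return (resource name, offending location) pairs for regulated data
    stored outside the allowed regions.

    Every location a resource can occupy, the primary region and each replica,
    is checked. A missing location is reported as a violation: data whose
    whereabouts cannot be shown cannot be shown compliant either.
    """
    allowed = {r.lower() for r in allowed_regions}   # region names compared case-insensitively
    violations: List[Tuple[str, str]] = []
    for res in inventory:
        if res.classification not in regulated_classes:
            continue
        for loc in [res.region] + list(res.replicas):
            if loc is None:
                violations.append((res.name, "<unknown>"))
            elif loc.lower() not in allowed:
                violations.append((res.name, loc))
    return violations


if __name__ == "__main__":
    approved = ["eu-west-1", "eu-central-1"]
    for name, location in find_residency_violations(SAMPLE_INVENTORY, approved):
        print(f"VIOLATION: {name} holds regulated data in {location}")
```

Run on the constructed inventory, the check flags the analytics export in us-east-1 and the backup replica in us-west-2, and stays silent on the compliant customer-records bucket. The point of checking replicas and unknown locations separately is that residency is most often broken not by the bucket you created, but by a replication or backup setting that quietly copied it elsewhere.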
Adherence to these key elements provides you with the necessary tools to ensure regulatory compliance. However, remember that this needs to be frequently verified and updated, especially given the disruptive nature of cloud technologies that leads to constantly evolving regulations.
is the Senior Vice President & CTO, IMSS, at Happiest Minds Technologies. With over 20 years of experience in the IT security domain, Priya's expertise spans cyber risk, cloud security, data privacy and protection, access governance, risk, and compliance. She has carved her way up to become one of the women leaders representing the management council of the organization. Priya was also recognized as one of the "Visionary Women Leaders 2019" by Business APAC magazine and received the "Women in Tech" award at the 19th edition of the Asia Pacific HRM Congress in 2021.
Priya’s current work involves planning and developing Next-Gen Managed Security Platforms offering Proactive Threat Detection, Security Automation, Data-Centric Security, and Governance for the new age of digital customers. Her sensibility and compassionate nature have made her one of the organization’s most respected and followed leaders.