Cloud compliance issues arise as soon as you make use of cloud storage or backup services. By moving data from your internal storage to someone else’s you are forced to examine closely how the data will be kept so that you remain compliant with laws and industry regulations.
It’s a common misunderstanding that regulatory compliance requirements preclude many organizations being able to leverage outsourced, managed cloud services. Depending on the cloud services provider you choose, you may not only be able to meet your existing compliance concerns, but the cloud provider is likely to have controls and processes that improve your compliance program.
The main questions in regard to compliance:
Virtually every regulation requires organizations to adequately protect their physical and informational assets. To do this, there is an implied and assumed ability to control and prove:
- What information is stored on the system?
- Where is the information stored?
- Who can access the system?
- Is the access appropriate?
- Why do they need that access?
All of these questions imply some level of ownership of the assets in question, and that is where cloud compliance issues become apparent. In the public cloud environment, you are able to answer the first of those questions with certainty; the other four however, end up posing a compliance problem.
In a typical corporate data center or a co-location center, everyone knows where the disk and physical server reside, and that fact can be proven during an audit. Even a shared service provider can typically tell you which physical systems you are utilizing and identify the data location for audit purposes.
As for who is accessing your data, you can control that inside your organization, but you also have to take into account that your provider’s staff can access your systems as well. The people you most need to be concerned about here are the administrators, both systems and application. That said, regardless of who will have access to your application and storage data offsite, it should be encrypted before it leaves the boundaries of your organization.
Finally, there is the question of why they need that access. This is basic security practice: access should be granted by job role, and a clear description of the level of access each role needs should be provided.

Working with a reputable managed service provider can be an excellent way to leverage expertise and processes you may not otherwise have in-house, and to mitigate some risk by assigning responsibility to a third party you can hold accountable for protecting your data. The cloud is rapidly becoming the data protection platform of choice for highly regulated industries because more organizations are leveraging the expertise of these information-centric service providers.