Wednesday, October 16, 2013

4 Tips for Cloud Compliance

Moving to the cloud is easy, but remaining compliant in the cloud is another matter. When you move to the cloud you're handing over control of your data to a third party. When data is not under your direct control, it can be tough to ensure that the way it is handled meets regulatory requirements.

Which regulatory requirements do you have to worry about in the cloud? The simple answer is the same ones that apply to you already. That's most likely to be one or more of:
  • Sarbanes Oxley Act (SOX)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act
  • SB-1386
  • European Union Data Protection Directive

The PCI Security Standards Council suggests three ways of avoiding scoping issues that may be found in shared cloud environments:
  • Traditional Application Service Provider (ASP) model where physically separate servers are provided for each client's environment
  • Virtualized servers that are individually dedicated to a particular client, including any virtualized disks such as SAN, NAS or virtual database servers
  • Environments where clients run their applications in separate logical partitions using separate database management system images and do not share disk storage or other resources

Nail Down Where Data Will Be Stored

Regulations such as the European Union Data Protection Directive place restrictions on where certain types of data can be stored and processed geographically. For example, it requires personal data to remain within the borders of the EU or a third-party country which offers adequate protection.

That can obviously be a big problem if a cloud provider operates data centers around the world and stores your data in multiple locations. The good news is that all reputable cloud service providers are aware of the problem and offer geographical nodes that customers can select for their data to reside in.

The key thing, then, is to read the fine print to ensure that all your data stays in those geographical areas. Secondary copies, archive copies or other copies made by the service provider for redundancy, speed or other purposes, or to be stored with subcontractors, should never leave those areas.

Realize a Compliant Provider Won't Make You Compliant

Regulations may require that any cloud service provider you use is certified to be compliant with those regulations. But that doesn't mean using one also makes you compliant automatically. You still have to use the service in a compliant manner; it is your responsibility to ensure the provider maintains regulatory controls on an ongoing basis. And you still have to maintain compliance for your own IT operations which connect to the cloud service provider.

Where a cloud service is certified or validated for a given set of regulations, that doesn't mean that your environment in that cloud service will be compliant. As an example of how this can happen, the PCI Security Standards Council points out that validation may have included use of up-to-date anti-virus software on the cloud service provider's systems. However, this validation might not extend to the individual client operating systems or virtual machines.
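The two tips above (keep every copy of regulated data inside the agreed regions, and verify controls on your own systems rather than relying on the provider's validation) can be turned into a routine check the tenant runs against its own inventory. The following is an added example written for this post, not code from the original article or from any provider; the region names, the "personal" classification label, the 7-day definition-age threshold and the inventory records are all constructed for illustration.

```python
"""Tenant-side cloud compliance posture check (example, constructed data).

Two checks are modelled:
  1. Data residency: every copy of a regulated data store (primary,
     replicas, backups, and copies held by subcontractors) must sit in an
     allowed region. A store passes only if *all* of its copies pass.
  2. Shared responsibility: the provider's validation covers the
     provider's hosts, so the tenant separately verifies a control
     (here: anti-malware) on each of its own virtual machines.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed policy: personal data may only reside in these regions.
ALLOWED_REGIONS: Set[str] = {"eu-west-1", "eu-central-1"}


@dataclass
class DataStore:
    name: str
    classification: str                  # "personal" or "public"
    primary_region: str
    replica_regions: List[str] = field(default_factory=list)
    backup_regions: List[str] = field(default_factory=list)
    subcontractor_regions: List[str] = field(default_factory=list)

    def all_regions(self) -> Set[str]:
        """Every region holding any copy of this store, not just the primary."""
        return {self.primary_region, *self.replica_regions,
                *self.backup_regions, *self.subcontractor_regions}


@dataclass
class TenantVM:
    name: str
    antimalware_installed: bool
    definitions_updated: Optional[date]   # None when the agent never reported


def residency_findings(stores: List[DataStore],
                       allowed: Set[str] = ALLOWED_REGIONS) -> List[str]:
    """Flag each copy of personal data that sits outside the allowed regions."""
    findings = []
    for store in stores:
        if store.classification != "personal":
            continue
        for region in sorted(store.all_regions() - allowed):
            findings.append(f"{store.name}: copy in {region} outside allowed regions")
    return findings


def antimalware_findings(vms: List[TenantVM], today: date,
                         max_age_days: int = 7) -> List[str]:
    """Flag tenant VMs with no anti-malware agent or stale definitions."""
    findings = []
    for vm in vms:
        if not vm.antimalware_installed:
            findings.append(f"{vm.name}: no anti-malware agent")
        elif (vm.definitions_updated is None
              or (today - vm.definitions_updated).days > max_age_days):
            findings.append(f"{vm.name}: anti-malware definitions stale")
    return findings


# Constructed sample inventory (not real resources).
STORES = [
    DataStore("customer-records", "personal", "eu-west-1",
              replica_regions=["eu-central-1"], backup_regions=["us-east-1"]),
    DataStore("marketing-assets", "public", "us-east-1"),
    DataStore("support-tickets", "personal", "eu-west-1",
              backup_regions=["eu-west-1"], subcontractor_regions=["ap-southeast-1"]),
]
TODAY = date(2013, 10, 16)
VMS = [
    TenantVM("web-01", True, date(2013, 10, 15)),
    TenantVM("db-01", True, date(2013, 9, 30)),
    TenantVM("batch-01", False, None),
]


def run_checks() -> Dict[str, List[str]]:
    """Run both checks over the sample inventory and return the findings."""
    return {
        "residency": residency_findings(STORES),
        "tenant_controls": antimalware_findings(VMS, TODAY),
    }


if __name__ == "__main__":
    for check, items in run_checks().items():
        print(check)
        for item in items or ["no findings"]:
            print("  -", item)
```

The residency check deliberately walks replica, backup and subcontractor locations rather than the primary region alone, because that is where the out-of-region copy usually hides; the VM check exists because the provider's anti-virus validation says nothing about the agent state on a tenant's own guests.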
