Your company's cloud compliance responsibilities must be considered when you adopt a cloud computing strategy.
As soon as you move some of your enterprise's operations into the cloud, everything changes – including your company's regulatory compliance landscape. Everything your company did for compliance before adopting the cloud must be reviewed, checked and rechecked to ensure continuing compliance, and anything that fails to meet its requirements must be resolved quickly and brought back into compliance.
Because the cloud lets you store and run your applications and data elsewhere, the cloud compliance and security rules your company is required to meet must be maintained no matter where your applications, data and systems are located.
This applies to whatever regulatory compliance rules your business must meet, from HIPAA to PCI DSS to FISMA and others.
Tips for Evaluating Your Cloud Compliance Requirements
So where do you start your cloud compliance and security evaluations?
- First, although "shared responsibility" with cloud vendors for your company's critical data and security makes a good sound bite, remember that the responsibility is ultimately yours alone, so choose your partners very carefully. Full responsibility for that data – including private customer information, corporate data, employee data and more – will always rest with you, regardless of your partners and cloud providers. Take this to heart in everything you do. Microsoft and AWS publish guides that describe how these responsibilities are divided.
- Know where your data is located. Ask your cloud vendors and IT department plenty of questions. Know what is stored where, what may be kept in which locations, and confirm that you are complying with all related rules. Leave nothing to chance.
- Know the regulatory compliance requirements that apply wherever your data and applications are located so you can ensure compliance. Rules differ between jurisdictions. Be certain that all rules are being met in every place your critical data is stored or used.
- Encrypt your data using the strongest available encryption standards wherever it is stored and while it is in transit from place to place. Encryption is mandated. Do not take this lightly or fail to meet this responsibility.
- Ensure that all data and cloud access controls are hardened to deter attacks. Install all patches and fixes promptly as needed, and keep all systems and personnel up to date to thwart attacks.
- Update your compliance monitoring requirements regularly, then audit them to be sure they are being met. Keep accurate log retention records, and comply with the firewall compliance rules and standards for your cloud environments, including AWS and Azure compliance.
- Continually review and update your company's applicable cloud compliance standards to be sure your operations meet your responsibilities.
Achieving Compliance and Maintaining Security in a Fluid Cloud Environment
In a recent guest opinion column on CSOonline, Vibhuti Sinha, chief cloud officer at the cloud security and identity governance vendor Saviynt, wrote that achieving compliance in the cloud requires a different way of looking at things, because of the fluid way data is constantly stored and shifted.
"As organizations continually move their workloads on cloud platforms, they need to ensure their data, workloads and processes meet compliance requirements," he wrote. "Traditional mindset to achieve compliance on cloud is the biggest hurdle organizations face and to overcome the same requires a perspective change."
A major challenge for enterprises, he argued, is the idea that "shared responsibility" for cloud data can lead to "critical security gaps on their cloud assets, [by] assuming it's the cloud service provider's responsibility leading to potential breaches."
At the same time, the regulatory compliance rules can differ depending on the type of cloud service being used, so businesses must take great pains to ensure they are meeting all necessary rules, whether they are using SaaS, IaaS or another cloud platform, he wrote. "For example, data-at-rest encryption requirements to meet compliance objectives on a SaaS platform as compared to an IaaS service has different responsibility models and implementation sets," he explained.
Maintaining cloud compliance once your company brings workloads and data to the cloud is a critical responsibility that must be planned, tracked and monitored across your organization.
The cloud can be instrumental for your business, but using it also means you'll need to take additional steps to ensure that your company's critical compliance responsibilities are met wherever your data is located.