How can businesses in highly regulated industries ensure that their IT services remain industry compliant? The answer involves first understanding what compliance means, and then making sure that service providers are not only securing sensitive information, but also following required compliance policies and procedures.
The list of compliance regulations is getting longer: PCI DSS (Payment Card Industry Data Security Standard), SOX (Sarbanes-Oxley Act of 2002), GLBA (Gramm-Leach-Bliley Act), and HIPAA Health Insurance Portability and Accountability Act of 1996), just to name a few.
While the acronym soup is confusing, the basic goal is simple: Regulators want to make sure that businesses put processes in place to protect personal information, especially items like account numbers, Social Security information, and credit card data. Usually, the regulations do not require that a specific technique, say using a firewall or a certain vendor’s product, be used. Instead, they provide broad guidelines that corporations can implement in various ways.
When IT examines cloud, the first compliance concern is where will the data be stored? Often, businesses feel more comfortable keeping information on site and under their own control. In this case, they have direct access and control of both the physical and logical infrastructure As a result, private and hybrid cloud models are popular starting points for businesses in highly regulated markets.
However, data does not sit idly in the data center, so the evaluation next shifts to how the information moves from user end points to the cloud. Increasingly, encryption, which renders data unreadable and unusable for the bad guys, is used to ensure that interlopers cannot grab sensitive information as it travels. Virtual Private Networks (VPNs) are popular with cloud because they open an Internet connection and encrypt data as it moves from place to place.
Relying on public cloud increases a business’s compliance monitoring duties because ultimately, the customer is responsible for any breach, even those at its provider’s site. So, what should the customer look for in public cloud services? Service Organization Control (SOC) reports are designed to ensure that businesses have not only secured information but also put reporting and auditing mechanisms in place that demonstrate compliance with existing industry rules.
Public cloud presents one more compliance caveat. In some cases, the cloud provider may farm some of its processing chores out to third parties, so the customer needs transparency and the ability to identify not only any subcontractors who have access to their data but also what steps they take to protect it.
Compliance is not a novel cloud concept. Businesses have developed policies and controls for their on-premises solutions. By extending those concepts to the cloud and addressing a few cloud-specific compliance issues, a company can be confident that its systems not only comply with industry regulations but also reap cloud benefits: less complexity, faster deployments, and lower overall management and operating costs.
