Today, cloud computing providers recognize the value of helping customers achieve compliance. The benefits of cloud computing are widely recognized, and that means that providers have been forced to pay more attention to compliance and helping customers achieve it. Therefore, processes in this area are improving. When an organization looks to move data to the cloud, but also needs to meet compliance regulations, it does take a bit of effort – but it’s worth it.
Compliance in the Cloud
When it comes to compliance in the cloud, there is responsibility on both sides. It used to be up to the customer alone to meet requirements or to make sure their provider complied, but now it’s up to both parties. Today, compliance guidelines are changing and are beginning to spell out safe usage of the cloud directly. For example, 2013 additions to HIPAA state that providers must also be HIPAA compliant, not just the organization itself. Additionally, PCI DSS now directly addresses cloud computing.
Finding a Provider
During the research phase, businesses should look for a provider with a standards-based environment and a high-level security program that meets their exact needs. This means you need to look at the contract and the Service Level Agreement. Look for a provider that is transparent and willing to answer any questions you have. They should be able to validate with proof that they meet specific compliance requirements, and should be able to tell you exactly where your data will be located. Many regulations require proof that your data is located in the United States, so it’s important to verify this fact with a provider.
You also need to look at access controls, because many regulations require you to prove how much access each user has, and how that access is maintained. A provider should have various levels of access controls in place and be able to describe the separation of duties between the different levels. This is another important factor in complying with many regulations, such as GLBA.
Multitenancy is a security concern for many organizations considering the cloud. Some organizations aren’t even allowed to use this type of environment, due to the regulations they face. Those that can should require the provider to demonstrate the security measures that prevent one customer from accessing another customer’s data. A provider should encrypt data in flight and at rest, and be able to share exactly how and when this encryption is applied.
A cloud provider really becomes an extension of a business’s IT department. This makes it very important to complete thorough research before choosing a provider. Discover a cloud provider’s security processes, incident response and disaster recovery procedures, issue escalation processes and more prior to committing. And once you have made your choice, regularly check in on your compliance, as policies will continue to change over time. Maintain open communication with your provider, and include your IT team in the conversation. 91% of respondents said that their cloud providers were making it easier for them to meet government compliance requirements such as PCI, HIPAA, and FISMA, so don’t let compliance stop you from taking advantage of the cloud.
Want to learn more about this topic? Our “Compliance in the Cloud” course dives even deeper into how cloud computing is affecting compliance. Additionally, we have courses on HIPAA and PCI DSS to help you understand those major regulations better.