Primer: Ensuring regulatory compliance in cloud deployments

Any company contemplating its cloud strategy must consider how to ensure compliance with industry and government regulations. HPE's Simon Leech explains how to ensure due diligence for the process from start to finish.

Anytime a business collects, stores, or shares data—which is every day—it needs to pay attention to how it protects that information. That’s important for the organization’s own needs; nobody wants a security breach. Companies also need to comply with local, national, international, and industry-specific laws. These regulations address everything from how healthcare organizations protect patient privacy to specifying in which countries data can be stored. For accountability's sake, organizations must document how they follow all these rules.

Industries like healthcare, insurance, and banking face especially strict compliance scrutiny because they work with financial data or personally identifiable information (PII). But even if you are in an “ordinary” industry, regulatory compliance remains a critical issue.

Compliance and security often are discussed in the same breath, as though the terms are synonyms. Security practices aim to protect corporate data by controlling how it is used, consumed, and provided. In contrast, compliance is a demonstration—a reporting function—of how a security program meets specific security standards such as PCI-DSS or legislation such as HIPAA and the Sarbanes-Oxley Act.

Coming soon: EU clamps down on privacy

The cloud makes compliance harder because data no longer resides exclusively within the company’s walls. It can be stored anywhere. In data protection terms that may be a good thing because data is accessible from one location when another is unavailable.

Varying locations add more complexity, given countries’ differences in data privacy legislation. “You need to understand what your cloud service provider is doing about data availability and data sovereignty,” points out Simon Leech, chief technologist for Hewlett Packard Enterprise’s digital solutions and transformation team.


Foreign governments are taking a broader role in mandating data security and privacy standards, including the European Union’s upcoming General Data Protection Regulation (GDPR), which will replace the EU's 1995 Data Protection Directive. Every company that does business in the EU had best be ready for the GDPR's new data security requirements, says Leech, as the regulation's impact and potential large fines are sobering.

The new rules, which become law in May 2018, protect EU residents from privacy infringements wherever their personal data is stored, anywhere in the world, and the legislation applies to any company that stores or processes PII regarding EU citizens. “So even if you are a bank in Australia and you have customers in the EU, you need to think about GDPR,” says Leech.

Among the GDPR changes are increased fines for violating the data privacy protections laid out for EU residents (up to 4 percent of annual global revenue or a flat €20 million penalty, whichever is greater). There are also strict rules related to breach notifications when customers' personal information has been stolen or compromised.

“If Yahoo’s recent breach had happened when the GDPR was in effect, the company’s fine could have been about $200 million, based on its revenue of $5 billion the year before,” says Leech. “If you are breached and found to be noncompliant, you will be fined.”

A critical step: Thorough due diligence

To ensure your cloud security is in good shape for regulatory compliance, you need to do more than create a long to-do list. The process includes asking difficult questions about the security processes in place and how they need to change in a move to the cloud (as well as who changes them). That’s particularly so when the answers define which parts of the workload should stay on premises and which can reasonably be deployed to the cloud.

“You can outsource parts of your IT operations, but you must maintain control and awareness of your risks,” says Leech. “Those risks remain your own responsibility. You have to know exactly what your cloud vendors will do if there is a problem.”

Organizations often rush out to the cloud without thinking through the consequences, says Leech. The process of due diligence—the care that a reasonable person exercises to avoid harm to others—is an important component in the adoption of any cloud strategy. “If you don’t do that, there will be problems with your legal compliance departments,” Leech adds.


Insufficient due diligence was ranked as the ninth most important cloud security concern on the minds of IT leaders, according to the Cloud Security Alliance, an industry trade group. The group’s February 2016 study, The Treacherous 12, also ranked the urgency of other cloud security issues, such as weak identity, credentials, and access management; insecure APIs; and system and application vulnerabilities.

We like to think that before any organization signs on with a business cloud provider, it looks at the provider’s past history as well as the promises the company makes to customers. Yet the same people who would never visit a restaurant that has poor Yelp reviews regularly commit their organizations to cloud service providers with weak security and privacy policies.

There are several items to analyze in evaluating cloud service providers, beyond pricing schemes. What does the cloud service provider promise in regard to security practices, regulatory practices, and privacy regulations? Examine the vendor’s proposed service-level agreements (SLAs) detailing what it will do to maintain your corporate data and applications. For example, Leech says he has never seen an SLA where a cloud service provider will accept responsibility when a hack occurs: “There’s always small print in there that all cards are off the table in that event.” Is that acceptable to your company? If not, what are you ready to do about it?

Some of these are general security issues, while others are particular to corporate compliance. A very short list of issues to consider, both in-house and on the part of any provider, includes:

  • What functions does the provider’s data center provide for reliability and access?
  • What disaster recovery practices are in place for data stored in the cloud?
  • Where is the data stored? How is it managed? How do these affect customers’ data privacy requirements and international regulations?
  • Which data privacy regulations apply to the business?
  • What compliance certifications has the cloud provider earned?

The environment where a provider stores data needs to be appropriate for security purposes, compliance purposes, and “regular” performance concerns. Cloud access security brokers (CASBs) can assist in that endeavor, using policy enforcement points to combine and interject enterprise security policies as cloud-based resources are accessed. These can be used with private or public clouds to ensure that a company’s enterprise security policies are adhered to in all phases of the cloud infrastructure.

“CASB allows you to create policies and enforce them through the cloud service provider,” Leech says. For example, a CASB can permit users to employ Dropbox for downloads but not for uploads, or let you create a policy that allows users to access Skype for Business but not the standard Skype application. “It’s a good way of getting a grip on what’s happening,” Leech adds.

The compliance planning should include everyone who holds responsibility for the data, such as HR managers and external vendors the business relies on.

Ultimately, it all comes down to risk assessment. A due diligence process can help narrow down your company’s choices and help you identify the best vendors to fit your cloud requirements.

Cloud compliance: Lessons for leaders

  • Beyond your company's need to protect its proprietary information, you must consider what it would mean to an individual's personal privacy should you suffer a breach. What can you do to protect that information?
  • Even if your business doesn't feel a strong sense of urgency on these topics, it may not matter: International legislation and industry standards may force your organization to comply with the rules and demonstrate that it does so.
  • When you rely on outside partners for any part of your business process—such as cloud service vendors—you must ensure that the vendor is itself in compliance with every rule to which you must adhere. 

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.