It could be argued that addressing compliance, or fearing a lack thereof, is the number one inhibitor preventing legacy users from committing to a cloud strategy. Research suggests 64% of organisations cite compliance and privacy issues as their biggest concerns associated with the cloud. Compliance in cloud terms relates to the industry standards and regulations that cloud users should comply with – this responsibility doesn’t fall exclusively at the feet of the vendor.
That’s not to suggest precaution here is unwise; there are strict legal parameters accompanying cloud computing or more specifically, how data is handled and protected in the cloud, and hefty penalties have been handed out by the ICO where these have been ignored or broken. However, most organisations can no longer afford to miss out on the efficiency and business growth offered through adopting the cloud, and when compliance in this field is broken down, it’s not as daunting as it may seem on the surface.
So, what are the threats and concerns that necessitate compliance in the cloud, and what provisions should you be taking? Which questions should be raised with your cloud provider and what are the specifics that need to be included in your Service Level Agreement (SLA)? In this post, we will highlight some of the ways you can help ensure your cloud environment mitigates risks and stays secure.
Cloud compliance is really nothing more than risk management – as implemented across any area of business. In this instance, it generally relates to putting in place the systems and processes to effectively manage the risks surrounding protecting data. The concept of allowing company and customer data to be processed and stored online in the cloud can be understandably disconcerting, especially given the online threat landscape.
The Internet represents an almost relentless avenue for exploits and attacks. Although the motives and techniques can vary, the aim is usually to compromise systems and data. Cybercrime damages could now reach $6 trillion by 2021, which would make it more profitable than the global trade of all major illegal drugs combined.
The threat landscape is dense, but with online applications and systems becoming increasingly complex and interconnected, security failures can also simply occur through human error and misconfiguration. Either way, the consequences of a hack or breach can be hugely damaging, both operationally and financially. For example, GDPR guidelines can impose fines of up to 4% of annual turnover, or a fine of €20 million (whichever is greater). This is why cloud compliance is such a vital framework for any online business.
Following a thorough compliance framework will help to identify risks and enable you to take precautionary steps to reduce or eliminate them before they become a problem. However, first it’s important to understand the type of cloud services you are using. This will establish your data flows and determine where your data is located, who has access to it and ultimately who else shares responsibility for its security. Data sovereignty issues may come into play here – more on this later – but you should decide what data actually needs to be stored in the cloud.
Depending on your cloud environment, your compliance framework may extend across internal departments, external third parties, or both. If it applies to your partners, such as cloud vendors, it’s important they clearly demonstrate their own compliance around data and security in their Service Level Agreements (SLAs). This is usually reflected in compliance certifications such as ISO.
Compliance audits are a good way to ensure rigorous standards of security are maintained and upheld, and they provide a framework around which you can build compliant processes and practices. If you haven’t already, consider deploying stricter access controls, multi-factor authentication, and encryption. These three security provisions will not only hugely decrease the vulnerabilities of your system, but also increase your chances of passing audits. Consider using cloud auditing tools to monitor, assess and secure your IT operations.
Depending on your industry, there may also be sector-specific security regulations to adhere to, such as HIPAA for healthcare in the US, or the Data Protection Act in the UK. Another common industry-specific compliance requirement is disaster recovery – particularly for organisations handling Personally Identifiable Information (PII). Deploying a resilient data recovery solution, such as Secura’s Disaster Recovery as a Service (DRaaS), can be critical in passing compliance audits.
As mentioned earlier, it’s critical you know where your data is being processed, as it will be required to comply with the laws of that country – this is known as data sovereignty. For data transfers within the EU, the GDPR applies to data controllers and processors, meaning both you and your cloud provider must comply with GDPR guidelines. Data flows to non-EU countries must meet the EU’s required standard of data protection, known as adequacy status – something the UK will seek to adopt post-Brexit.
Identifying and managing risks in the cloud is a shared responsibility. As a general rule, those using cloud-based resources need to ensure the security of everything within the cloud environment, and cloud providers need to ensure the overall security of the cloud environment itself. Ensuring outsourcing meets adequate standards is part of the due diligence process and the duty of the customer – bear this in mind when selecting or assessing a cloud service provider.
Here at Secura, we’re committed to offering all of our customers the highest possible standards of products and services and this is reflected in our industry best practice certifications. Our ISO certifications ensure our security, service management and business processes are continually updated and aligned with the latest industry best practice guidance and standards.
Our fully managed, enterprise-grade security suite Web Protect offers enhanced protection to critical online applications. Web Protect seamlessly blends network security with web service protection technologies including DDoS mitigation, network intrusion detection and prevention, exploit, malware and virus protection, and powerful encryption. The Secura team configure, manage and monitor Web Protect to ensure your business is protected online.
“As technologies in this field grow increasingly complex, so too do the guidelines and regulations we all must adhere to. Despite the effort and financial impact it may take, it’s absolutely essential that we all remain compliant with industry regulations such as those through ISO – not doing so risks facing significant fines and, in the worst-case scenario, puts you out of business. The challenge is often knowing what this entails and how to achieve it. So, start implementing the necessary procedures, or seek expert advice on addressing compliance issues. Secura would be happy to help with any queries or questions you may have.”
Eddie Beaton, Secura Chief Financial Officer.
The roles and responsibilities of adhering to compliance regulations can vary depending on your business, your industry and the cloud services you use. We strongly recommend discussing this with your cloud service provider or an expert to give you a clear understanding of the necessary precautions you should be taking – Secura would be happy to help.
If you have any other questions regarding Secura’s compliance certifications, or any of our other services, please don’t hesitate to get in touch.
Matthew is Secura's content specialist, producing gripping, emotionally complex, edge of your seat, cloud hosting articles and videos.