Companies, especially those in highly regulated industries, must comply with a wide and growing list of regulations. If a company fails to ensure that its information security policies and IT systems meet those requirements, it faces fines and other sanctions. For industries such as financial services and healthcare, the relevant regulations include PCI DSS, SOX, GLBA, HIPAA and HITECH, and each imposes specific requirements on how the data it governs, such as cardholder, financial and health information, must be handled.
The cloud adds new elements to the compliance equation. To protect themselves, companies need to ask the right questions and go beyond a surface evaluation of cloud computing compliance requirements.
Check for any regulation updates. Compliance is a moving target. The Health Insurance Portability and Accountability Act (HIPAA), passed in August 1996, has been refined more than a dozen times. One change extended its obligations, including breach reporting, from the regulated company itself to its business associates, such as any third-party contractor that handles protected data on its behalf. Consequently, a company must understand not only how it secures information and how its employees use it, but also how its partners' systems are set up and what they do with confidential information, because the company remains accountable for both.
Assign a value to information. Not all information carries the same value, so before moving to the cloud, a firm should first classify its data and assign different values to it. For example, your company's own address does not have to be safeguarded as much as your customer's address, so the latter gets the higher value and the stronger controls. In some cases, organizations may decide that certain highly confidential data will always remain on-premises rather than in a public cloud. For data that will move to the cloud, the business needs to work with its cloud provider to establish handling procedures that match the value it has assigned.
Understand exactly where data resides. One challenge with the cloud is that its architecture is often opaque to the customer. Information can be stored in a variety of places, and vendors often operate multiple data centers. In certain cases, the primary data center holds only a "pointer" to the record rather than the record itself, so the data you think is in one location may actually live in another, possibly in a different legal jurisdiction. It is vital to know where your data resides. Ensuring data protection means getting written answers to these questions: Who is able to see it? Who manages it? How is it managed? What is the backup process? Where and how is the backup data stored? Is your information segregated from other organizations' information?
Know the details of your encryption service. Just about all cloud services include encryption, but encryption services are not all the same. Protecting information as it moves from place to place (encryption in transit) is a good starting point, but it is often not enough: a company also needs to make sure that data is protected while it rests on the provider's storage (encryption at rest). Ask who holds the keys as well; data the provider encrypts with keys it controls is still readable by the provider and by anyone who compromises it. The requirement that information be encrypted at all times, and the key-management arrangement behind it, needs to be written into the service-level agreement.
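One way to make "encrypted at all times" hold regardless of what the provider does is to encrypt each record on the customer's side, under a key the customer keeps, before it is handed over. The following Go program is an added example, not code from the article or from any vendor: it seals a constructed sample customer record with AES-256-GCM, stores only the opaque blob in a stand-in for the provider's storage, and shows that the provider cannot read it, cannot quietly alter it, and cannot move the blob to another record without detection. The record, the record identifier and the in-memory `ProviderStore` type are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a 256-bit AES key. In production this key lives in an
// HSM or KMS the customer controls, never alongside the data at the provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-GCM. The returned blob is
// nonce || ciphertext || tag, which is all the provider ever stores.
// aad (here the record id) is authenticated but not encrypted, so a blob
// cannot be swapped between records without failing authentication.
// A fresh random 96-bit nonce per call is fine for the record counts of a
// typical customer database; very high volumes would need a counter scheme.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. Any change to the nonce,
// ciphertext, tag or aad, or use of the wrong key, returns an error.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ProviderStore stands in for the cloud provider's storage (assumption for
// this example). It holds only sealed blobs, keyed by record id.
type ProviderStore map[string][]byte

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	store := ProviderStore{}
	// Constructed sample record; the customer's address is the high-value field.
	record := []byte(`{"customer":"A. Example","address":"1 Main St, Anytown"}`)
	id := "cust-001"

	blob, err := Encrypt(key, record, []byte(id))
	if err != nil {
		panic(err)
	}
	store[id] = blob
	fmt.Printf("provider holds %d opaque bytes for %s\n", len(store[id]), id)

	// The customer, holding the key, can read the record back.
	pt, err := Decrypt(key, store[id], []byte(id))
	fmt.Printf("customer reads: %s (err=%v)\n", pt, err)

	// Re-labelling the blob as another customer's record is detected.
	_, err = Decrypt(key, store[id], []byte("cust-002"))
	fmt.Println("blob moved to another record:", err)

	// Flipping one bit of what the provider stores is detected.
	store[id][len(store[id])-1] ^= 0x01
	_, err = Decrypt(key, store[id], []byte(id))
	fmt.Println("stored blob tampered:", err)
}
```

The point for the SLA discussion is the split of responsibilities this creates: the provider is responsible for availability, backups and physical security of the blobs, while confidentiality and integrity depend only on the customer's key management, which is what the contract should then spell out.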
Take a look at disclosure policies. A security breach at national retailer Target exposed private information of more than 100 million customers. The problem at Target was not only its data protection system but also that the company withheld the incident from the public for a period of time. Know your cloud provider's disclosure policies. Regulations set reporting obligations, and often deadlines, that a cloud vendor and, in turn, your company must meet toward your customers; the clock runs for your company even when the breach happens on the vendor's systems. A short lag while the vendor sorts out what happened is typical, but if the delay drags on it can turn the vendor's breach into your compliance violation, so the service-level agreement should require prompt notification to you.
About the author:
Paul Korzeniowski is a freelance writer who specializes in cloud computing issues. He has been covering technology issues for more than two decades, is based in Sudbury, Mass., and can be reached at [email protected].