Organizations that accept credit and debit card payments or have access to cardholder data at any point must adhere to the Payment Card Industry Data Security Standard (PCI DSS) to ensure the security of that data.
Healthcare organizations and insurance companies must adhere to the Health Insurance Portability and Accountability Act (HIPAA) to ensure patient privacy and the proper handling of medical records.
Financial institutions must adhere to the Gramm-Leach-Bliley Act (GLBA) to ensure the security and confidentiality of their customers’ financial and personal information.
These are just three examples of how regulatory compliance can affect organizations of all sizes in various industries. Insert cloud computing into the equation and compliance tends to become much more complicated.
Cloud computing enables organizations to remotely store data and applications on shared servers owned by a service provider. Users access data and applications through the Internet on their computers and mobile devices, enabling them to leverage the provider’s technology. The cloud shifts the burden of purchasing, maintaining and securing technology to the service provider.
While the cloud delivers a number of business benefits, such as greater flexibility and the ability to quickly deploy new applications and services, regulatory compliance introduces a number of questions that must be answered before moving to the cloud:
- Is it possible to remain compliant in a cloud environment? If so, how?
- Is your service provider aware of and adhering to all compliance requirements?
- How do you distinguish between data owners and data processors?
- Where is your data located? What is the physical location of the provider’s data centers?
It’s important to understand how your industry’s regulatory requirements can be upheld in a cloud environment. Typically, when a security breach occurs, the affected parties don’t pursue the service provider; they pursue your organization. Consequently, you need to take steps to make sure your provider can maintain regulatory compliance.
For example, Sarbanes-Oxley (SOX) makes it clear that the organization is responsible for finance-related security breaches, even if the breach was caused by a third-party service provider.
Organizations can verify that their service providers are compliant by using a set of auditing standards called SSAE 16, or the Statement on Standards for Attestation Engagements 16. An SSAE 16 report is a written assertion that a company has adequate controls and processes in place to manage sensitive data and transactions. It includes a comprehensive description of the system, including data center technology and data protection policies.
Because service providers offer cloud services over the Internet and can store an organization’s data virtually anywhere, the geographic location of that data is a major concern. If your service provider is storing your company’s data in a different state or country, you need to make sure your provider is adhering to the data privacy and access laws of that particular state or country. While service providers aren’t bound by geography, it may make sense to work with a local provider if your organization is subject to regulatory compliance.
As your outsourced IT department, Atlantic-IT.net understands the perils of failing to adhere to government and industry regulations. That’s why we take the time to learn the ins and outs of your business, develop a strategic approach to cloud computing, and perform a cloud readiness assessment. Let us help you leverage the cloud without compromising regulatory compliance.