Compliance in the Cloud: How to Cover Your Bases

Compliance in the Cloud: How to Cover Your Bases

By Special Guest
Geoff Waters, Vice-President, Service Provider Channel, VMware
  |  January 30, 2017

Regulatory compliance today is more burdensome than ever, and not just in heavily regulated industries like healthcare and payment card processing. In fact, in PricewaterhouseCoopers’ (News - Alert) 2016 CEO Survey, 79 percent of respondents said they were either “somewhat concerned” or “extremely concerned” about the impact that over-regulation might have on their organization’s growth prospects.

Adding to these concerns is the growing urgency of digital transformation. In the past, planning for compliance used to be the role of legal or corporate security departments. Today the burden is increasingly falling on IT, as digital systems become central to modern business.

And that’s no light burden, particularly in this age of mobility and cloud computing. These technologies – while essential – present challenges for IT security teams because they move data outside the confines of the data center, beyond the reach of traditional security policies and controls. That goes double for global companies with data located in multiple geographic regions, giving rise to issues of data sovereignty, where data may be subject to additional regulations for the foreign jurisdiction in which it resides.

Geoff Waters

It’s a landscape that’s fraught with peril, and for this reason many organizations look to their cloud service providers to guide them along the right path. There’s no shortage to choose from – for example, the VMware vCloud Air Network alone consists of more than 4,000 providers offering a range of cloud services. But how should organizations that are still early on their cloud journeys go about choosing a cloud provider that can meet their compliance needs? Here are some best practices to keep in mind when selecting a partner:

1. Conduct an internal compliance assessment. You can’t know what to look for before you truly know what you need. Make sure you understand what specific regulations are pertinent to your geographic region, industry and organization, and take stock of your existing compliance policies and procedures. The better you understand your current position with regard to compliance, the better you will be able to articulate your needs to a potential cloud service provider – and you’ll also be in a position to negotiate better terms.

2. Map your compliance efforts to what the cloud vendor offers. Moving to the cloud shouldn’t require a radical shift in your current compliance policies, practices, and controls. Particularly in a hybrid cloud environment, it’s important to have parity between the on-premises data center and the cloud. Choosing a cloud provider that uses the same underlying virtualization software stack as what’s currently deployed in your data center, for example, can go a long way toward simplifying and clarifying your compliance efforts.

3. Look for vendors that are certified for appropriate standards. Many regulations include accompanying standards. For example, global companies must ensure their information security systems comply with ISO 27001, a standard published by the International Organization for Standardization (ISO) in 2005. Choosing a cloud provider that has been certified to offer compliance with this and similar, applicable standards can help streamline the process in the event of a compliance audit.

4. Take heed of the needs of your specific vertical. If you are in a highly regulated industry, you’ll want a cloud provider with specific vertical experience. Often, regulations that govern these industries may have been written before the advent of virtualization and cloud technologies – for example, those relevant to the Food and Drug Administration or financial IT audits. That can leave gray areas where compliance is concerned, and you’ll want to be sure your cloud provider has the expertise necessary to help you navigate the nuances.

5. Bring in some help. It’s often a good idea to bring in an independent auditor to help plan your full compliance lifecycle. In particular, an experienced auditor can help negotiate the service-level agreement (SLA) with your prospective cloud service provider with respect to compliance. In return, your cloud provider should provide documentation describing how it will meet those agreements, including what systems – such as access controls and encryption – are employed and how the responsibility of compliance processes will be shared.

There’s no denying that today’s complex IT environments create new compliance headaches. In many cases, the relevant regulations were drafted long before modern technologies were even available. Consider, for example, that HIPAA was enacted a full 10 years before Apple unveiled the first iPhone (News - Alert) and Amazon launched the AWS Cloud.

Nonetheless, regulatory compliance is essential to business today, just as mobility and cloud computing are essential to IT today. The two needn’t be mutually exclusive. Given careful planning and the input of a trusted cloud provider partner, it’s possible to minimize the risk associated with compliance while still taking advantage of all that the mobile, hybrid cloud model has to offer.

Edited by Stefania Viscusi