Last updated: 06 October 2016
According to Gemalto’s 2016 Global Cloud Data Security Study, 62% of IT pros say using cloud resources increases their compliance risk.
However, 54% don’t feel their organizations have a proactive approach to managing compliance with privacy and data protection regulations in the cloud.
Houston, we may have a problem.
With compliance and regional mandates becoming more complex and with more pressure to move workloads to the cloud to take advantage of performance, cost savings, and scalability, IT and security pros likely feel they’re facing an uphill battle. But, you’re not in this alone. There are ways that organizations – even in regulated industries – can maintain control, meet compliance and regulatory mandates, and say yes to the cloud.
First, let’s take a look at a few of the security issues IT teams will need to take into consideration before jumping on the cloud-first bandwagon.
1. Clarify security responsibilities
As you migrate regulated data to cloud-enabled environments, you’ll have to rely on your cloud service providers for at least some compliance measures. The respective roles and responsibilities you each take on will vary significantly depending on the cloud model you have chosen to deploy.
In an IaaS environment, you may be responsible for data protection and patching, while the cloud provider may be responsible for physical security, network segmentation, and isolating tenants in multi-tenant environments. Regardless of the cloud model adopted, you must remember you are ultimately responsible for your data.
Ensure the lines of responsibility are drawn clearly, and that any cloud vendor’s security measures are demonstrable and auditable.
2. Address implications of regional mandates
Many regulations that you must comply with are not only specific to a given region, but they stipulate where your sensitive information assets can – and can’t – reside.
If you work for a federal government agency in the United States, you will need to ensure the cloud provider won’t store or manage data in facilities outside of the country.
If you work for a healthcare provider in some European countries, you won’t be able to store patient data in the cloud – unless the provider’s facilities are located within the country’s borders.
3. Safeguard data privacy and trust
You must always have a clear understanding of how any regulated data may be retained when under the control of a cloud provider. If you terminate your contract, will the cloud provider retain your data until you’ve paid any outstanding invoices?
If your cloud provider is subpoenaed, will they hand your data over to legal authorities without notifying you? How are instances and virtual machine images that may contain your high value business assets destroyed by the cloud provider?
Make sure proper destruction of virtual machines and images containing your data is clearly defined.
In order to meet regulatory mandates in cloud-enabled environments, your organization must go beyond basic user access controls and proactively apply robust security policies.
Download our latest security guide, How Cloud Deployment Affects Compliance, to find out how to meet these objectives by protecting more data in more locations, centralizing control and visibility of your data, and ensuring compliance – even as mandates and environments evolve.