Ensuring data security and regulatory compliance in the cloud
Many business solutions are migrating to the cloud due to the flexibility, scalability, and cost-saving features it offers. However, while moving to the cloud, data, systems and services can be exposed to serious security and compliance challenges. Hence the necessity to ensure that your information and data remain compliant with the laws and regulations of your industry.
Key compliance strategy questions
- What will be kept on-premises and what information will move to the cloud?
- What will be required of your Cloud Services Provider (CSP)?
- What terms and conditions will be written into the SLA(s) to remain compliant?
Existing federal laws such as HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley Act), and the PCI DSS (Payment Card Industry Data Security Standard), have already prompted questions like these from many business sectors.
Wider data privacy laws like the GDPR and the new California Consumer Privacy Act (CCPA) are now placing more regulatory pressure than ever before on every sector. Compliance can also be more challenging and complicated in cloud environments:
“The cost benefits for cloud service providers come from the ability to scale multiple clients across shared resources. This can make compliance difficult as regulations often require encryption, auditing, and data separation, which increase hardware requirements and limits resource sharing. These additional requirements may increase the cost of the cloud solution to the point where it is no longer a good business decision,”
Joseph Granneman, Information security professional
Understanding business needs and challenges
Migrating to the cloud can increase an organization’s ability to achieve its business objective, but also increases the complexity for delivering services securely to clients. Due to the interconnected nature of the cloud environment, a malicious attacker can potentially gain access to a number of systems.
When considering your cloud architecture, it’s important to have a very good cloud compliance mechanism in place to reduce the complexity and associated risk. A proper foundation is a must to achieve a balance of IT policies that are appropriate for both internal line-of-business experiments and agile applications that are intended to transform your business.
Maintaining the confidentiality, integrity, and availability of data has become the most prominent requirement for business, and CSPs are rushing to harden security. For example, Microsoft recently introduced shielded VM deployments to protect cloud-based servers from theft attempts and hyperjacking.
Ensuring security in the cloud
Effective data security in the cloud requires the combined efforts of both the client and the CSP. Key components of your compliance strategy should include:
- Credential management: Thoroughly vet and periodically review your long-term strategy for securing your infrastructure from phishing, ransomware, natural, and human-made disaster threats (especially in healthcare environments) with the help of credential management tools.
- Encryption: File-level encryption is a comprehensive encryption approach in cloud security efforts.
- Advanced endpoint security: A firewall and advanced endpoint security solutions should be deployed to protect the IaaS and PaaS based cloud models along with the end-user devices which are accessing these cloud resources.
- Security Guidelines and Best Practices: Security best practices should be followed when designing, deploying, and managing cloud solutions with Azure.
Ensuring regulatory compliance in cloud
As more standards have been developed, it has become more challenging for businesses to remain compliant. Most regulatory compliance standards were not specifically developed for cloud computing but they are now applied to cloud architectures. These standards include:
- FedRAMP: A US-government standardization approach that offers authorization, security assessment, and monitoring of cloud services and products.
- California Consumer Privacy Act (CCPA): A state regulation which will be enforced from July 1 this year and applies to any business which handles the data of Californian residents, even when the business is outside California. It moves the maintenance of reasonable security procedures and practices for data from good business sense to a legal requirement in order to avoid a fine or civil action.
- General Data Protection Regulation (GDPR): A European regulation that aims to strengthen and unify an individual’s data protection in the European Union and affects all organizations that store the personal data of individuals living in the EU. Even Non-EU CSPs and service providers are liable for rule violations and other data breaches under this sweeping regulation.
- Sarbanes-Oxley Act (SOX): A standard which works to protect shareholders and the general public from fraudulent activities and accounting errors. This law also provides guidelines on storing business data in IT and cloud systems.
- Health Insurance Portability and Accountability Act (HIPAA): A standard which helps to maintain and protect medical records (including data privacy and confidentiality of patients).
- Payment Card Industry Data Security Standard (PCI DSS): A set of rules created by Visa, MasterCard, Discover, and American Express in 2004 to ensure the security of credit, debit, and cash card transactions.
- Federal Information Security Management Act (FISMA): A US standard signed into law in the Electronic Government Act of 2002 that protects government information and assets against natural or human-based threats.
Cloud and on-prem solutions
Businesses are digitally transforming and expanding to the cloud, and protecting both physical and virtual assets from threats is becoming more challenging and complex. Risks such as phishing attacks, ransomware, natural, and human-made disasters can threaten the viability of any organization. Businesses need monitoring, management, and security solutions that effectively address both on-premises and cloud environments.
Brad Watson is B2B Ambassador at KiZAN, a Microsoft Gold Partner located in Louisville, KY, and Cincinnati, OH, which provides innovative digital transformation solutions. Its Azure Cloud Services experts help businesses remain compliant when they migrate to the cloud. To find out more, visit Kizan.com.