Compliance in the cloud refers to the process that monitors controls and provides reporting, while retaining evidence of compliance with legislative or industry mandates and internal policies. Important to bear in mind is that compliance requirements are country- and industry-specific. Cloud computing represents a new paradigm, but like the platforms before, cloud will not replace everything. The question to ask is, what parts of a company's technology and data portfolio should exist in the cloud?
Samresh Ramjith, CTO of security solutions at Dimension Data, says managing risk and compliance in the cloud has become increasingly important as businesses experience a higher incidence of identity theft and cybercrime involving employee and customer data.
"Publicly-traded companies and organisations that hold sensitive and confidential information need to take a strategic approach to managing information security in order to comply with due care and due diligence mandates. A specific compliance requirement may be the physical location of the company's data, also known as data domicile. Information stored on servers physically hosted in other countries will automatically be subject to privacy laws that apply in that country. This legality must be factored into the cloud provider selection process to mitigate potential data disclosure risks," he says.
The introduction of privacy legislation compliance makes businesses accountable for security breaches and any resultant loss of data. This also affects the creation and location of data, where it's stored and how it's eventually destroyed. The nexus of this data ownership and access allows reporting on where company data lives, who has accessed that data, whether specific private data is in a geo-location it shouldn't be, knowing about potential data loss, and what compliance it may be subjected to.
In the public cloud, there are numerous security issues that relate to governance, including inadequate, inflexible or non-existent cloud service level agreements (SLAs). This is in addition to unclear long-term return on investment (ROI) and the inability to monitor costs between billing cycles, as well as unclear compliance standards and auditability.
"Security in the cloud is especially of concern for e-commerce merchants and healthcare organisations that need to be PCI or HIPAA compliant. Insecure interfaces and APIs are top security compliance threats for cloud computing. Since cloud services rely on APIs for many of the management functions, there is more complexity and risk. There is also an added element of risk with shared services and the move to virtualisation, including possible data loss or leakage," Ramjith says.
Recommendations for successful public cloud migration start with defining a vision that supports the current and future business drivers. Design an architecture that supports the vision independent of technology products, and ensure that the resulting services delivered from this architecture meet the vision's requirements. It's also imperative that IT departments are able to support the end-user availability and performance requirements. Finally, map the technology offerings that best fit the architecture and service framework to an operational configuration.
