The Complications of Regulatory Compliance in the Cloud

Migrating a portion of your IT systems or infrastructure to the cloud can provide many financial and operational benefits to your organization. These advantages are often accompanied by an increase in the complexity of your computing environment. Ensuring data security and regulatory compliance is an aspect of your enterprise’s responsibilities which may be complicated by your move to a cloud provider.

Cloud Compliance is a Shared Responsibility

Introducing a cloud service into your compliance landscape means sharing with the provider the responsibility for securing sensitive data in line with regulatory requirements. The specific service an organization opts for determines where the line is drawn concerning the provider’s duties. An Infrastructure as a Service (IaaS) offering requires more involvement from the customer than a Software as a Service (SaaS) engagement does.

There is a general framework that defines the different tasks of the cloud provider and customer. Here is an overview of the Shared Responsibility Model employed by Amazon Web Services (AWS).

Cloud provider

In the shared model the service provider is responsible for the “Security of the Cloud”. This entails protecting the infrastructure used to fulfill the customer’s contracted services, including both hardware and software components under the control of the cloud host that are part of a customer’s service offering. The security of the storage, networking, database, and compute functions powering a customer’s cloud instances is expected to be maintained by the provider.

Customer

“Security in the Cloud” details the functions to be performed by the cloud customer. While this can vary depending on the cloud model which has been implemented, customers are generally tasked with the security of the systems that are running on cloud platforms. They are responsible for identity and access management, configuration of operating systems and network firewalls, and encryption throughout the environment. This includes network, client-side, and server-side encryption.

There is some overlap where the onus of responsibility is not as clearly defined as one might like. For instance, networking is a shared responsibility. In the event of an intrusion into your systems that causes a data breach and compliance penalties, it may be difficult to pinpoint who is responsible for the security failure.

Essential Components for Cloud Compliance

The shared model opens the door for misunderstandings regarding each entity’s role in securing the cloud environment. Let’s look at some points to consider if cloud compliance is important to your organization.

The cloud model in use - Using a private cloud reduces some of the complexity of dealing with a partner, but may not be the most economically or technologically feasible way to proceed. Careful consideration needs to go into planning for the move to the cloud to fully understand the lines of responsibility and their security implications.

The ability to meet SLAs - You need to have a firm understanding of how the service provider intends to meet your compliance requirements. Roles and responsibilities need to be clearly defined. Your provider must be able to meet the demands of the regulatory requirements under which you operate and be flexible regarding changes that may need to be addressed to maintain compliance.

Encryption - Protecting your digital assets is a major impetus of compliance requirements. If your provider is involved in the encryption process, you need to fully comprehend the details of their implementation to ensure it meets your needs.

In the current environment that stresses regulatory compliance, you are responsible for ensuring that your data is secure. Understanding how your cloud provider impacts that security is key to remaining compliant in the cloud.

Robert Agar

I am a freelance writer who graduated from Pace University in New York with a Computer Science degree in 1992. Over the course of a long IT career I have worked for a number of large service providers in a variety of roles revolving around data storage and protection. I currently reside in northeastern Pennsylvania where I write from my home office.