3 Things to Consider When It Comes to Cloud Compliance
Among the new challenges and unsolved mysteries presented by cloud storage, how to maintain compliance in a cloud environment is one of the most daunting for firms in regulated industries like financial services and healthcare. The regulatory issues and security concerns that these firms already are dealing with are “amplified” in the cloud, as one security expert recently put it. Security, this expert concluded, is still playing catch-up with the rapidly evolving cloud service model—no small consideration for organizations that must keep their data protected and secure or suffer the regulatory consequences.
Thinking of leveraging cloud data storage in a regulated industry? Here are three things to think about that can help keep you in compliance:
- Manage the activities of those “shadow IT departments” within your organization—you know, the project team that decides to try out Google Docs, or the marketing department that opts for a new online collaboration tool. Years ago, storing data externally required a lengthy vendor selection and contracting process. Today, anyone in your organization can move data outside your organization in an instant by tapping into a cloud solution, unwittingly creating a compliance risk. Have a clear data storage policy that addresses cloud solutions, educate your people on it and enforce it.
- Choose a provider with care. Clearly, you’ll want to be very thorough in your due diligence in selecting a cloud service provider. If you’ve done any thinking at all about storing data in the cloud, you’ve probably considered that performance, reliability, security, cost and other factors should play heavily into your vendor decision. You might also want to seek out a vendor specifically compliant with the relevant regulations—Amazon Web Services for PCI DSS compliance, for instance. (Keep in mind that the vendor’s compliance doesn’t automatically make you compliant, though.) Also consider the specialized cloud service providers whose sole purpose is to store data for one specific industry or another. These providers are well schooled in the practices and controls required to maintain compliance with industry-specific regulations. Bloomberg Vault, for example, archives messages to meet the compliance demands of financial services firms, offers real-time policy-management searches, and flags messages for compliance issues.
- Segment your data and use a tiered storage model. Some data just isn’t destined for the cloud. Do you feel 100% confident that you know where the cloud service provider is physically storing all of your data, how many copies have been made, whether data has been changed, whether it’s completely deleted when requested, or whether it ever leaves certain countries or jurisdictions? Some regulations require that you be able to confidently answer a long list of specific questions about how your data is being managed in the cloud. If you want to gain the efficiency benefits of the cloud while eliminating these uncertainties, consider segmenting public data from non-public data. Public data could be stored in the cloud, while non-public data that must be retained for the duration, such as personal health records, can be archived securely, reliably and affordably in house on tape.
Clearly, firms in regulated industries have a lot to think about when it comes to the cloud. Time will tell whether cloud security becomes robust enough to erase compliance concerns, but for now the smart money is on a tiered storage strategy that aims to store the right data sets on the right storage media.