Download the authoritative guide: Enterprise Data Storage 2018: Optimizing Your Storage Infrastructure
- What does the agreement look like? HIPAA closely regulates business associate agreements, known as BAAs. Always include a BAA in your HIPAA compliance contract with your cloud provider. These agreements are readily available with major cloud providers such as AWS, which offers plans for both production and secondary data subject to HIPAA regulations. Be aware that HIPAA regulations for the cloud will change according to the nature of the data. BAAs for active computing data or big data analysis will reflect this type’s greater priority and activity than secondary cloud storage. This holds true with other regulations as well. Although they may not have HIPAA’s specific BAA requirements, you will still need to run audits and reports on your regulated data in the cloud. For this reason, Microsoft Azure added an auditing feature for SQL databases running on Azure.
- Is there segmentation in multi-tenant environments? A multitenant environment is not by definition non-compliant, but it does require security features and segmentation. Let’s contrast two environments, which at first glance seem quite similar. Both providers advertise themselves as PCI DSS compliant. Both environments are multi-tenant and both run client VMs on compliant hypervisors. So far, so good. However, in the first case the cloud provider separates clients using logical and physical controls. The second environment offers a service model that leaves VM administration to customers, so clients cannot verify segmentation. In the second case, neither the provider nor the client are in compliance.
- How and where do you use encryption? Even with verified client segmentation, the company should have an agreement in place where their data is encrypted. Know what type of encryption your providers use and how and when they apply it, and don’t forget to encrypt your data-in-transit as necessary.
- How good is your access control? When your data is on site, you need to practice verifiable access control. Your cloud provider is no different. When you first speak to your provider about a compliant data environment, make certain that you understand what their policies are for user access control. Definitely understand what their access control policies are for their staff and your data. Be certain that they can and will regularly audit your data’s access control for compliance reporting purposes.
It’s Still on You
The sobering news is that you are still ultimately responsible for your data’s compliance, including holding cloud providers to their service agreements with you. Your provider may be subject to fines in case of their noncompliance, but that will not keep you from paying non-compliance-related fees as well. You are also responsible for keeping up with changing regulations and making sure that your provider does too. The more experience and expertise the provider has with regulations the smoother this dynamic process will be.
Finally, remember that the cloud is never all or nothing. If you are uncertain that your cloud provider can give you the level of compliance you need for critical data, then don’t use the cloud for that. Consider using it for compliant backups instead, or not at all – wait until cloud providers offer more complete compliance measures. There is a lot of money for them in improving their compliance offerings, so even if you decide not to take advantage of the public cloud at this point, you may well in the near future.