It's possible to remain compliant and use public cloud storage, but companies should never forget that responsibility for compliance rests with them.
When it comes to public cloud compliance, different regulations exist for different industries.
To be sure, public cloud compliance is a thicket of complication, affected by a myriad of legislation. For example, the Health Insurance Portability and Accountability Act (HIPAA) is the granddaddy of healthcare-related legislation that relates to public cloud compliance. The Payment Card Industry Data Security Standard (PCI DSS) oversees the credit card industry, while Sarbanes–Oxley (SOX) regulates the reliability of financial reporting by public companies and their accounting firms. The Gramm-Leach-Bliley Act (GLBA) administers a large set of compliance regulations for banks, investment institutions and insurance firms. And there are many more, including US–EU Safe Harbor, ISO, FDA and a whole set of federal regulations around information processing, security management and risk management.
Even so, we can boil public cloud compliance standards down to a few key questions: Is the regulated data secure from digital and physical intrusion? Can you prove it with reports and audits? How can you verify environmental controls such as data location? How do you administer access control? When and where do you apply encryption? Can you verify that regulated data is segmented from non-regulated data and from other tenants?
These questions and their answers are critical for on-site data storage, including on-premises private cloud infrastructure. But when you include public cloud compliance in the picture, you up the ante – and the complexity – on compliant data storage. And if a service provider restores compliant data for you from the public cloud, the complexity grows even larger.
However, going with a cloud provider may still be a good idea in terms of cloud scalability and efficient data storage, especially if you are not frequently restoring your data from the cloud.
HIPAA regulatory requirements differ depending on the "covered entity." This refers to the originating health care company whether it is using cloud storage for electronic health record systems (EHR) governed by HITECH, or backup data governed by HIPAA’s Data Backup and Disaster Recovery Specifications. The “business associate” label covers your cloud provider, who must also be in HIPAA compliance with technology, physical security and secure administration.
It is your responsibility to make certain that your business associate, whether a managed service provider (MSP), a public cloud provider or both, offers and obeys a business associate agreement (BAA). You will see a number of ads from cloud providers on how HIPAA-compliant they are. They might even be right, but you still cannot afford to leave HIPAA compliance up to your provider. Even if they sell an excellent service to their customers, you are ultimately responsible for the compliance of your data, online and off. And if your provider makes a serious mistake, that mistake may cost them, but it may well cost you even more.
To begin with, even though your cloud provider may claim to be HIPAA-compliant, the U.S. Department of Health and Human Services recognizes no one as such. They have no such compliance list. One cannot blame them: it is each company’s responsibility to understand the compliance regulations and to stick to them, and to make sure that their provider does also.
Here are the top compliance-related questions to ask your public cloud provider or MSP who offers public cloud services:
The sobering news is that you are still ultimately responsible for your data’s compliance, including holding cloud providers to their service agreements with you. Your provider may be subject to fines in case of their noncompliance, but that will not keep you from paying non-compliance-related fees as well. You are also responsible for keeping up with changing regulations and making sure that your provider does too. The more experience and expertise the provider has with regulations, the smoother this dynamic process will be.
Finally, remember that the cloud is never all or nothing. If you are uncertain that your cloud provider can give you the level of compliance you need for critical data, then don’t use the cloud for that. Consider using it for compliant backups instead, or not at all – wait until cloud providers offer more complete compliance measures. There is a lot of money for them in improving their compliance offerings, so even if you decide not to take advantage of the public cloud at this point, you may well in the near future.