Why Cloud Compliance Doesn’t Need To Be So Overly Complicated

Cloud Compliance 

Regulatory compliance is an issue that has not only weighed heavily on the minds of executives, security and audit teams, but also today, even end users. Public cloud adds more complexity when varying degrees of infrastructure (depending on the cloud model) and data fall out of the hands of the company and into the hands of the service provider. Additionally, the lines of responsibility between the service provider and the consumer remain blurred in most regulations, standards and frameworks though cloud has gone mainstream for even regulated workloads. However, in this era of business agility out we not to focus more on ways to relieve cloud audit burden?

It’s all About the Data

With end user digital empowerment and increased business agility it’s only to be expected that more rogue cloud services will abound. That’s where a more data-centric approach can reduce the risk of compliance violations of data being transacted or residing in rogue cloud services. In this data-centric approach users need to be:

1. Proactively educated about the value of data. Many when they provision rogue cloud services are often not aware of the value of the company data that they are farming out to public cloud models

2. Able to leverage an intuitive data classification scheme and easily digitally tag or watermark data accordingly

Organizations can also leverage one of the many cloud security brokers for the discovery, analysis and many of the policy enforcement aspects of their data across public Software as a Service cloud models.

Standards Evolution

Standards issuers have begun providing more concrete guidance and standards for cloud Service Providers and consuming organizations alike The International Organization for Standardization ISO/IEC 27018:2014 establishes controls and guidelines in for protecting Personally Identifiable Information (PII) in public clouds. The Payment Industry Data Security Standard (PCI DSS) Council has also issued guidance and so has the National Institute of Technology and Standards (NIST), with its Federal Risk and Authorization Management Program (FedRAMP). FedRAMP goes one step further in requiring service providers to obtain authorization in order to meet federal cybersecurity requirements for cloud services.

Harmonizing Compliance Efforts

Harmonizing regulations and standards to a common security framework can greatly benefit both cloud providers and consuming organizations. Cloud users no longer need to think of standards in a “one off” manner, but instead utilize a framework to essentially “audit once, report many times” given the great overlap between many of the standards, frameworks and regulations today.

The Cloud Security Alliance Cloud Controls Matrix cross maps several internationally recognized industry and regulatory standards against 16 domains based on critical areas of focus for cloud computing and while not intended to be a prescriptive framework, it has emerged as concrete guidance for all parties. The Cloud Controls Matrix also recognizes that controls apply differently across different environments and delineates controls not only by cloud model type (SaaS, PaaS, IaaS), but also recommends which fall under the service provider’s realm of responsibility versus the consuming organizations’.

As cloud audit processes mature, there is an opportunity to further streamline compliance and decrease complexity. A digitized cross mapping tool would be the next evolution and a great asset to both cloud providers and consuming organizations alike.

By Evelyn de Souza

Bruce Guptill

Resolving IT-Finance Asynchronization on Cloud Improvements

Resolving IT-Finance Asynchronization While CIO-CFO communications and alignment may never seem better, what is considered to be C-level, strategic “alignment” increasingly obscures realities that keep IT and Finance from synchronizing their thinking and activity. This ...
Kevin Julian

Patients Increasingly are embracing technology, and so must the pharmaceutical industry

Patients Increasingly Embracing Technology COVID-19 has driven home the need to use digital solutions more broadly, which means C-Suites may be turning to their CTOs for advice As lockdown restrictions went into effect due to ...
Juan Pablo Perez Etchegoyen

7 Security and Compliance Considerations for Cloud-Based Business Applications  

Security and Compliance Considerations There’s no doubt on-premises deployments of mission-critical business applications provide more control over data as it resides within the four walls of an organization’s network infrastructure. However, businesses can no longer ...
Jen Klostermann

Telemedicine to medical smartphone applications

Telemedicine to medical smartphone applications With the current and growing worldwide concerns regarding the Coronavirus (COVID 19). Telemedicine is more important now than ever. What are some of the key areas in the coming years ...
Hillary T

The Current Wave of Smart Home Technology

The Future of Smart Home Technology Some say the vision of smart homes kicked off with the invention of household machines in the early part of the 20th century, but the current wave of smart ...
Sebastian Grady

ERP Software License versus Cloud ERP SaaS Subscription ─ Pros and Cons 

Software License versus SaaS Subscription Your software is an asset. Software vendors such as Oracle and SAP are pressing customers to replace existing enterprise applications in order to move to the vendor’s new platform. Yet, ...