Coordinating Compliance in Your Hybrid Cloud

In the early days of cloud computing, regulators generally placed responsibility on the customer for compliance with data privacy rules. But regulators are getting savvy to the changing nature of the data center and are increasingly holding cloud providers accountable for protecting data, even if they don’t own it or even look at it.

That’s good news for you, the customer, but it also requires extra due diligence to make sure your service providers know the rules and stick to them.

Compliance standards for hybrid clouds are still inconsistent, but the trend is heading in the direction of shared accountability between cloud companies and their customers. Two of the largest regulatory bodies have acknowledged the shifting landscape:

• Changes to the Health Insurance Portability and Accountability Act (HIPAA) in 2013 extended compliance rules beyond primary handlers of protected health information to cover “business associates” of those entities. In fact, the HIPAA Omnibus rule refers specifically to businesses that store protected information on behalf of their clients, whether they view it or not.
• The Payment Card Industry Security Standards Council, which essentially governs the entire credit-card industry, published a set of cloud security guidelines in 2013 specifically about cloud security. The 50-page document clearly states that “cloud security is a shared responsibility between the cloud service provider (CSP) and its clients.”

While these vertically focused regulations may not apply to your organization, there’s a good chance other U.S. agencies will follow the leads of HIPAA and PCI. If you operate in Europe, you’re no doubt already familiar with the stricter set of data governance rules that apply there.

Hybrid clouds complicate traditional regulatory guidelines because data and processes may move fluidly between on-premise and cloud platforms. In a “cloud bursting” scenario, in which overcapacity is relieved by automatically shuttling processing loads to the cloud, this procedure may even be automatic.

As you deploy more cloud services, you’re on the hook to ensure that all of your partners are compliant with all relevant regulations. Performing the necessary due diligence may not only avert a compliance problem but also buy you some air cover in case a violation occurs. Here are nine items to consider for your cloud compliance policy.

1. Establish clear data governance rules. Your first step should be to specify which data must remain within your internal infrastructure at all times. Describe that data in detail and designate the people who are responsible for ensuring its protection. (This step is important whether you use a cloud provider or not.)

2. Interview prospective vendors. While the biggest infrastructure and SaaS vendors pay close attention to compliance because of its importance to their business, smaller or vertically focused firms may not be as diligent with their compliance policies. Don’t just take their word for their claims. Ask about specific standards you’re required to meet. Test whether or not a prospective supplier can speak knowledgeably about them. Ask if there’s a person on staff who’s responsible specifically for compliance. If so, ask to speak to that person. If not, find out how the provider stays on top of changing regulations.

3. Require proof. Does the provider have a section of its website devoted to compliance practices? Have those practices been audited by an independent third party? If they have, ask for copies of those reports. If not, ask the provider to submit to an audit at its own expense. If they refuse, find another provider.

4. Opt for providers that use the platforms you do. This is a good rule of thumb for hybrid clouds in general. Using compatible operating environments ensures that you have optimal visibility into how your data is moved, stored, and processed. But be aware that cloud infrastructure has some unique characteristics.

For example, the multi-tenant architecture that providers typically use has many customers sharing the same physical servers using protected virtual machines. Be sure you’re comfortable with the mechanisms to prevent inadvertent crossover between tenants.

5. Review security standards and technologies of your cloud provider. Favor vendors whose published security practices adhere to Cloud Security Alliance or European Network and Information Security Agency guidelines. Compliance with well-established standards such as these can buy you some protection if a compliance issue does occur.

Pay special attention to authentication practices. At minimum, they should meet your own requirements. If they don’t, specify in the service level agreement (SLA) a deadline for when they will, as well as penalties for failure to meet your deadlines. Two-factor or biometric authentication is desirable. You might also consider asking the cloud provider to support authentication through your local directory so you have more control.

6. Ensure accountability. Your vendor should maintain detailed information about access controls, including permissions for each user. You may be required in an audit to show which users had access to a system at any given time, and what information they could see. Ask to examine examples of a prospective provider’s access logs. Many financial regulators give audited companies less than 48 hours to comply with records demands. If your service provider can’t meet those deadlines, it will end up being your problem.

7. Know where your data is.  Be sure the provider can house your data in a specific location and verify that location in the event of an audit. If the company has data centers in multiple countries, require guarantees in your SLA that data won’t cross borders without your permission. This is a particularly important requirement if you do business in Europe.

One technology that is increasingly being used by enterprises to secure data in the cloud across multiple locations is the cloud access service broker (CASB). CASBs allow for the centralized control and enforcement of security policies, ensuring that these policies are applied wherever the data is stored or shared and however it is accessed.

8. Use encryption. Data should never be stored or sent unencrypted. Ensure that you – not the provider – hold the encryption keys.

9. Revisit these rules annually. Regulations change and practices can become lax. Specify in your SLA that you have the right to perform your own audit of any of the above issues on short notice. Then put an entry in your calendar to test your provider’s readiness. If they take compliance seriously, they’ll be happy to hear from you.