04
May

Cloud and Adherence (Compliance) to the Rules and Laws

As more becomes known, the Cloud model attracts more attention, but one of the challenges still unresolved is the issue of compliance. I’ve been thinking a bit about this and would like to share some ideas with you.

The spread of cloud services often collides with regulatory requirements. Some national laws, such as the USA Patriot Act, affect the privacy of data and create limitations for foreign companies that want to use cloud providers with data centers located in the USA.

The Patriot Act empowers the FBI to require any organization to give access to your data, simply by identifying what information is relevant to an authorized investigation.

By using the services of certain global cloud computing providers that do not disclose where our data is stored, we can become subject to local laws that conflict with our compliance objectives.

For example, European companies do not store their data in data centers located in U.S. territory because the Patriot Act directly conflicts with the privacy requirements defined by their legislation (EU Data Privacy Initiative).

Another important point is that although cloud is an outsourcing model, the ultimate responsibility for compliance lies with the company that uses the cloud service, not with the cloud provider. And depending on the layer of cloud services contracted, the degree of responsibility and control can vary greatly.

When contracting an IaaS service, the provider can take responsibility for ensuring the integrity and compliance of the data center, its hardware platforms and basic software. However, this provider has no way to know its users' applications and therefore cannot guarantee the compliance of the data from these applications. Control of adherence to compliance at that level rests solely with the user.

With SaaS, the provider should take responsibility for compliance, since the user has no control over the application. But in both cases, the user is legally responsible for compliance and should therefore ensure that suppliers are adhering to it, to avoid possible legal problems.

Imagine that the user must adhere to the PCI regulation (Payment Card Industry Data Security Standards) and contracts a cloud service. If the service is contracted as IaaS, the provider must ensure only the compliance of the infrastructure.

The compliance of the application is the user's own responsibility. But if the contract is for SaaS, the provider should also provide compliance at the application layer. Even so, the user should verify, with evidence, that the provider really is compliant.

Another question still open is whether the laws of a country reach into other territories. For example, it is debated whether the Patriot Act reaches data centers located in territories outside the U.S. when these data centers are owned by American companies.

What should we do about these questions? Ignoring them is not the best alternative, since the cloud has undoubtedly entered the business. So the best alternative is to study the issue and analyze it legally.

Carefully review the aspects of privacy, jurisdiction, facilities for external audit and forensic investigations, data retention periods for legal purposes, and verification processes. It is important to select cloud providers and work collaboratively with them on the issue of compliance.

Finally, there is always something to do, but do not hold on to doubts and fears about the use of cloud…

ESDS
