Compliance In The Cloud: Some Important Points

As more becomes known about it, the Cloud Computing model attracts more attention, but one of the challenges still unresolved is the issue of compliance. I’ve been thinking a bit about this and would like to share some thoughts with you.

The spread of cloud services often collides with regulatory requirements. Some national laws govern the privacy of data and create limitations on the use of foreign cloud providers. The Patriot Act, for instance, empowers authorities to require any organization to grant access to your data simply by identifying which information is relevant to an authorized investigation.

When we use the services of certain global cloud providers that do not disclose where our data is stored, that data can become subject to local laws that conflict with our compliance objectives. For example, Indian companies do not store their data in data centers located in the USA because the Patriot Act directly conflicts with the privacy demands defined by their own legislation.

Another important point is that although the cloud is a model of outsourcing, responsibility for compliance ultimately rests with the company that uses the cloud service, not with the provider. And depending on the layer of cloud services contracted, the degree of responsibility and control can vary greatly. For example, when hiring an IaaS service, the provider can take responsibility for ensuring the integrity and compliance of the data center, its hardware platforms and its basic software. However, the provider has no way of knowing what its users' applications do and therefore cannot guarantee the compliance of the data handled by those applications; control over compliance at that level rests solely with the user. When hiring SaaS, the provider should take responsibility for compliance, since the user has no control over the application. But in both cases the user remains legally responsible for compliance and therefore must ensure that suppliers are adhering to the requirements, to avoid possible legal problems.

An example?

Imagine that the user must comply with the PCI DSS (Payment Card Industry Data Security Standard) and hires a cloud service. If the contracted model is IaaS, the provider must ensure only the compliance of the infrastructure; compliance of the application is the user's responsibility. But if the contract is for SaaS, the provider should also provide compliance at the application layer. Even then, the user must obtain evidence that the provider is really compliant.

Another question still open is whether a country's legislation reaches into other territories or not. For example, there is debate over whether the Patriot Act reaches data centers located outside the U.S. when those data centers are owned by American companies.

What should we do in the face of these questions? Ignoring the cloud is not the best alternative; arguably, the cloud will enter the business anyway. So the best alternative is to study the issue and put the company’s legal team to work analyzing it. Carefully review the aspects of privacy, jurisdiction, facilities for external audits and forensic investigations, data retention periods required for legal purposes, and verification processes. It is important to select cloud providers carefully and to work collaboratively with them on the issue of compliance. Analyzing the level of compliance of providers is essential.

Let’s look, for example, at a provider’s terms of service and observe some interesting aspects:

a) Section 4.3 explicitly says: “We Are Not Responsible for any unauthorized access to, Alteration of, or the deletion, destruction, damage, loss or failure to store any of Your Content or other data which you submit in connection with or use of your account or the Services.”

b) Section 7.2 states: “We Will Have No liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.”

Note that such safeguards on the providers' side are relatively common. So, analyze cloud providers with regard to their level of compliance and their certifications, and check whether they meet the demands of your business. Information security audit professionals should be enlisted to help ensure the desired level of compliance. Store your data in encrypted form, or create a private cloud hosted on a public cloud; some providers allow this.

Finally, there is always something to be done, but do not let doubts and fears about the use of cloud computing prevent you from moving forward.
