As companies in every industry become more data-driven, complying with regulations around data protection and security is increasingly a concern for all parts of the business – not just IT. As a small company or start-up, this can be a headache when you need to focus on your core business to make sure you stay successful. Already constrained in terms of human and capital resources, you’re unlikely to be able to invest significant time and money in developing your compliance strategy.
Regardless of what type of cloud your data sits in, you need to understand how and where it is stored, who can access it and how it is managed. There isn’t a “one size fits all” approach to compliance so the type of controls you implement will depend on regulatory requirements, your own business processes, priorities
Important considerations for remaining compliant
This is where a hybrid cloud approach can come in handy, as it gives you the flexibility to decide how and where to split your data and controls across private and public environments. For example, you may choose to hold your most sensitive data in a private cloud where you have more direct control over it – right down to who has physical access to the hardware.
However, no two public cloud vendors are the same, so it’s important to consider your options. If, for instance, availability is your top concern for a workload you’re putting in a public cloud, you might consider a cloud service provider (CSP) based in a geographic area that has a very low chance of suffering natural disasters.
A hybrid cloud approach also provides flexibility in the solutions your business deploys in
Building compliance into your cloud strategy
Good security doesn’t happen by accident or coincidence – whatever mix of private and public clouds you use, it’s important to dedicate the time and resources needed to make sure it’s handled properly. When it comes to compliance, the level of dedication needed can vary hugely from one regulation to the next. For example, the Health Insurance Portability and Accountability Act (HIPAA), like Sarbanes-Oxley, is quite
On the other hand, EU companies needing to handle customers’ financial data after May 2018 must now ensure they meet the requirements of the General Data Protection Regulation (GDPR). This regulation is much less directive, simply mandating that, regardless of size or age, companies operating in the EU are required to protect citizens’ data. It is not specific on exactly how this should be done, leaving it up to individual organizations to classify their data assets, identify vulnerabilities, monitor threats and apply controls. For example, GDPR outlines the concept of joint liability, which means that both the data controllers (those who acquire the data) and the data processors (those who manage and store the data) can be held responsible in the event of a data loss from a SaaS or cloud service provider breach. Federated identity and access management across private and public cloud environments is an effective way to apply such controls, but it’s up to the organization to decide how to implement this option.
In the case of both of these regulations, the ultimate goal is to protect the data and identity of the individual, but the difference in their approach makes it difficult to have a standard compliance methodology even within one company. This
By adopting a hybrid cloud approach, you can select which data to keep in a private or public cloud environment, for example by choosing to keep personally identifiable information in a private cloud in order to maintain more control over how it is used, stored, accessed and destroyed. Meanwhile, you can also use pre-developed models and frameworks through the public cloud when possible, leaving headspace for in-house IT and security teams to focus on the most sensitive or important data that must be kept on-premises.
To learn more about hybrid cloud and how it can help your business succeed in an increasingly regulated world, watch this video. Or, read the Optimal Cloud Workload Placement Strategies to find out how you can evaluate and plan the best workload placement for your hybrid cloud environment.