Creating a Compliant Hybrid Cloud


Tips For Cloud Compliance

  • There is no ‘one size fits all’ approach to compliance. It’s essential you understand your organization’s obligations and how they are being met.

  • Being compliant isn’t the same as being fully secure. Make sure you and your cloud service providers know where you need to go the extra mile.

  • A hybrid cloud approach can help you control how and where your data is held while remaining secure and compliant.


As companies in every industry become more data-driven, complying with regulations around data protection and security is increasingly a concern for all parts of the business – not just IT. As a small company or start-up, this can be a headache when you need to focus on your core business to make sure you stay successful. Already constrained in terms of human and capital resources, you’re unlikely to be able to invest significant time and money in developing your compliance strategy.

In this case you may choose to turn to a third-party cloud service provider (CSP) and rely on them to do the worrying and the legwork for you. However, using a service from a CSP does not mean you are automatically meeting your compliance requirements. For example, a CSP may ensure its service aligns with the specific requirements of the Sarbanes-Oxley Act, which regulates corporate financial practice in the United States, but stop a long way short of protecting your data against security threats.

Regardless of what type of cloud your data sits in, you need to understand how and where it is stored, who can access it and how it is managed. There isn’t a “one size fits all” approach to compliance, so the type of controls you implement will depend on regulatory requirements, your own business processes, priorities and culture. Even when you have ticked the compliance box, you may need to add further business rules to bridge the gap between compliance and full security.

Important considerations for remaining compliant

This is where a hybrid cloud approach can come in handy, as it gives you the flexibility to decide how and where to split your data and controls across private and public environments. For example, you may choose to hold your most sensitive data in a private cloud where you have more direct control over it – right down to who has physical access to the hardware. Meanwhile you may put related but less sensitive data in a public cloud where you can benefit from pre-developed compliance models and frameworks as well as other advantages like lower costs and easier scalability.

However, no two public cloud vendors are the same so it’s important to consider your options. If, for instance, availability is your top concern for a workload you’re putting in a public cloud, you might consider a CSP based in a geographic area that has very low chances of suffering natural disasters.

A hybrid cloud approach also provides flexibility in the solutions your business deploys in each region. Most likely, you have customers all over the world, so it’s important to remember that regulations vary from one geography to the next, and a perfectly compliant approach to handling your data in your home market may need to change in order to be compliant somewhere else. Be sure to check the requirements for every region and leverage a hybrid cloud to demonstrate that your controls are in line with local requirements.

Building compliance into your cloud strategy

Good security doesn’t happen by accident or coincidence – whatever mix of private and public clouds you use, it’s important to dedicate the time and resources needed to make sure it’s handled properly. When it comes to compliance, the level of dedication needed can vary hugely from one regulation to the next. For example, the Health Insurance Portability and Accountability Act (HIPAA), like Sarbanes-Oxley, is quite prescriptive in the requirements it lays down for organizations holding individuals’ healthcare data. Guidelines and frameworks are provided that make it clear how an organization should go about ensuring that its controls are up to par.

On the other hand, EU companies needing to handle customers’ financial data after May 2018 must now ensure they meet the requirements of the General Data Protection Regulation (GDPR). This regulation is much less directive, simply mandating that, regardless of size or age, companies operating in the EU are required to protect citizens’ data. It is not specific on exactly how this should be done, leaving it up to individual organizations to classify their data assets, identify vulnerabilities, monitor threats and apply controls. For example, GDPR outlines the concept of joint liability, which means that both the data controllers (those who acquire the data) and the data processors (those who manage and store the data) can be held responsible in the event of a data loss from a SaaS or cloud service provider breach. Federated identity and access management across private and public cloud environments is an effective way to address this, but it’s up to the organization to decide how to implement this option.

In the case of both of these regulations, the ultimate goal is to protect the data and identity of the individual, but the difference in their approach makes it difficult to have a standard compliance methodology even within one company. This in turn means that a single cloud environment – be it private or public – is unlikely to work in every case.

By adopting a hybrid cloud approach, you can select which data to keep in a private or public cloud environment, for example by choosing to keep personally identifiable information in a private cloud in order to maintain more control over how it is used, stored, accessed and destroyed. Meanwhile, you can also use pre-developed models and frameworks through the public cloud when possible, leaving headspace for in-house IT and security teams to focus on the most sensitive or important data that must be kept on-premises.

To learn more about hybrid cloud and how it can help your business succeed in an increasingly regulated world, watch this video. Or, read the Optimal Cloud Workload Placement Strategies to find out how you can evaluate and plan the best workload placement for your hybrid cloud environment.