7 Worst Cloud Compliance Nightmares
Compliance is difficult in any situation, and cloud computing makes it even more complicated. Check out these worst-case compliance scenarios and how to avoid them.
![](https://eu-images.contentstack.com/v3/assets/blt69509c9116440be8/bltc2a8a8522590f494/64cb4f9a2a060b78d347da59/1-intro.png?width=700&auto=webp&quality=80&disable=upscale)
Companies that do business on the Internet or in the cloud may fall under one or more compliance domains. In order to comply with regulations, companies must do everything in their power to adhere to data security guidelines within the various compliance standards.
There are dozens and dozens of data security compliance regulations around the world. Here are a few examples:
- If you handle credit card data, you must adhere to the PCI DSS standard.
- US healthcare organizations must follow HIPAA rules on the protection of patient information.
- US power companies follow NERC CIP rules to help protect power grids.
- The European Union's Directive 95/46/EC (the Data Protection Directive, since replaced by the GDPR, Regulation (EU) 2016/679) governs the protection of personal data.
While compliance is difficult in its own right, cloud computing complicates the picture even further. If your organization is processing and/or storing sensitive data that is protected by compliance regulations, maintaining a compliant organization becomes a shared partnership between the cloud service provider and the customer. And, if not handled properly, there are numerous ways that this partnership can turn into a nightmare.
Here, we present seven scenarios in which businesses and/or cloud service providers can run into major compliance problems. Some difficulties reside in poor understanding of regulations. Others crop up when communication failures occur between the cloud service provider and the customer. And still others happen when compliance isn't regularly maintained and cared for. It's incredibly easy to become non-compliant, yet quite difficult to regain compliance.
So why is compliance so important? There are several reasons. One is the various ways that companies can be fined and temporarily restricted from handling data, which ultimately results in a loss of business. And as bad as that may seem, those are generally temporary issues. More lasting damage can be found in the loss of trust between the business that fails to maintain compliance and its customers that rely on the business to protect sensitive data. Once this trust is broken, the damage can last far longer than any fine or temporary halt of business processes ever could.
Once you've reviewed our seven scenarios, we'd love to hear your opinion on the current state of cloud compliance and how it could be improved and simplified over time. Join us in the comments section below.
When you're starting to dip your toes into regulatory compliance, it's easy to assume that as long as your cloud provider is compliant, so are you. That is far from the truth, and acting on it leads to fines and, if the failures persist, a potential halt of business operations. A provider's certifications cover the infrastructure and services it operates; they say nothing about how you configure those services, what your applications do with the data, or whom you grant access to. A key point to note about data compliance: at the end of the day, the data owner is ultimately responsible for protecting it. This applies not only to the cloud in which you reside, but also to the systems and applications you maintain within it.
Without proper isolation and oversight by the cloud provider, other tenants could unwittingly introduce non-compliant processes that bleed over into your environment: shared storage, networks and hypervisors are only as separate as the provider's controls make them. You can't control or audit other tenants within a cloud, so you must verify that the service provider has the security measures and processes in place (tenant isolation, access controls and its own audit reports) so that other tenants cannot affect your compliance obligations.
Cloud visibility remains a top problem in ensuring compliance. When data is shifted between data centers and disaster recovery facilities, it becomes difficult to track exactly where the data lives and how many copies of it exist at any given time. It's like trying to find the proverbial needle in a haystack. As service providers grow, merge and upgrade, data may end up in locations (or jurisdictions) that are not considered compliant for the regulations your data falls under.
The PCI Security Standards Council urges service providers and clients alike to establish clear lines of communication and tangible reporting and monitoring systems:
"Without a clear governance strategy, the client may be unaware of issues arising from use of the cloud service, and the [cloud service provider] may be unaware of issues within the client environment that could impact their service provision."
If you're a global corporation, ensuring compliance is compounded by the fact that countries, and even states or provinces within a country, can have widely differing compliance requirements. If you don't work out what's needed in terms of cross-border compliance (where data may be stored and processed, and under which rules), you're asking for trouble. And while a cloud provider can offer assistance from the compliance knowledge it possesses, it's up to you to determine what's needed and whether your cloud provider is certified under those compliance rules.
Remember that a compliance certification is a snapshot in time: it attests to the state of the environment on the day of the assessment. Cloud services are still relatively new and very fluid. Because of this, it's up to the customer to regularly audit its service provider (or, at minimum, review its current audit reports and attestations) to ensure it maintains the necessary certifications and still meets the compliance standards it originally met.
Compliance rules grow and change on a regular basis. Whether due to new technologies, different interpretations, or a tightening of current standards, new and modified compliance rules must be reviewed regularly in order to keep a company's head above water. For example, integrated EMV chips on credit cards are one such technology that is changing US PCI compliance rules regarding credit card data. Companies must stay on top of their service provider to make sure that new or changed compliance rules are handled in a timely manner.
Maintaining regulatory compliance is a difficult process. Keep in mind that cloud computing is still in its infancy, and we'll continue coming up with improved ways to track, monitor, and communicate compliance issues with a cloud provider. And one day, ensuring cloud compliance may become as easy as clicking a checkbox.