When it comes to public cloud compliance, different regulations exist for different industries.
To be sure, public cloud compliance is a thicket of complication, affected by myriad pieces of legislation. For example, the Health Insurance Portability and Accountability Act (HIPAA) is the granddaddy of healthcare-related legislation that relates to public cloud compliance. The Payment Card Industry Data Security Standard (PCI DSS) oversees the credit card industry, while Sarbanes–Oxley (SOX) regulates the reliability of financial reporting by public companies and their accounting firms. The Gramm-Leach-Bliley Act (GLBA) administers a large set of compliance regulations for banks, investment institutions and insurance firms. And there are many more, including US–EU Safe Harbor, ISO, FDA and a whole set of federal regulations around information processing, security management and risk management.
Even so, we can boil down public compliance standards to key similarities: Is the regulated data secure from digital and physical intrusion? Can you prove it with reports and audits? How can you verify environmental controls such as data location? How do you administer access control? When and where do you apply encryption? Can you verify data segmentation from non-regulated data or multiple tenants?
These questions and their answers are critical for on-site data storage, including on-premise private cloud infrastructure. But when you include public cloud compliance in the picture, you up the ante – and the complexity – on compliant data storage. And if a service provider restores compliant data for you on the public cloud, the complexity grows even larger.
However, going with a cloud provider may still be a good idea in terms of cloud scalability and efficient data storage, especially if you are not frequently restoring your data from the cloud.
Public Cloud Compliance: Where to Begin
HIPAA and Compliance
HIPAA regulatory requirements differ depending on the "covered entity." This refers to the originating health care company, whether it is using cloud storage for electronic health record (EHR) systems governed by HITECH, or for backup data governed by HIPAA’s Data Backup and Disaster Recovery Specifications. The “business associate” label covers your cloud provider, who must also be in HIPAA compliance with respect to technology, physical security and secure administration.
It is your responsibility to make certain that your business associate, whether a managed service provider (MSP), a public cloud provider, or both, offers and obeys a business associate agreement (BAA). You will see a number of ads from cloud providers on how HIPAA-compliant they are. They might even be right, but you still cannot afford to leave HIPAA compliance up to your provider. Even if they sell an excellent service to their customers, you are ultimately responsible for the compliance of your data, online and off. And if your provider makes a serious mistake, that mistake may cost them, but it may well cost you even more.
To begin with, even though your cloud provider may claim to be HIPAA-compliant, the U.S. Department of Health and Human Services recognizes no one as such. They have no such compliance list. One cannot blame them: it is each company’s responsibility to understand the compliance regulations and to stick to them, and to make sure that their provider does also.
Top Questions to Ask your Provider about Public Cloud Compliance
Here are the top compliance-related questions to ask your public cloud provider or MSP who offers public cloud services:
- How secure is my data in your data center? Most companies know to ask about digital security such as protection against hacking attacks or in-house mistakes (or worse). These are vital security measures, of course, but physical data center security is every bit as important. The cloud provider should welcome yearly independent audits of their data center and cloud storage practices. Look for SSAE-16 for standard compliance audits. Data location may also be an issue. If it is, be certain that your provider can prove where your data resides. Google Cloud, for instance, provides highly secure and certified data centers that fulfill PCI DSS standards.
- Does the cloud provider have a dedicated and specialized compliance staff? For example, healthcare covered entities need HIPAA experts. Credit card providers need expertise with PCI DSS. Public companies and accounting firms need consultants who are familiar with SOX, and banks need expertise with the security requirements of GLBA.