3 Reasons Why You Need a Cloud Compliance Policy Now

While the debate is still continuing for most as to what the “Cloud” means, the point that can’t be argued is that cloud models are already here and growing.

Whether one is talking about a fully hosted cloud model for hosting systems, networks and applications at a third-party provider, or looking at a hybrid model to address resource overflow or expansion, there are numerous cloud providers offering a myriad of options to choose from. The questions these solutions raise span security, access, monitoring, compliance and SLAs.

As more departments within organizations look at the potential of cloud offerings, the time is here for organizations to address how to control these new resources—the reasons are no small matter.

Reason 1: Office Automation

Organizations have long searched for ways to place standard business applications outside the organization. Document collaboration and email seemed to be a perfect fit. However, for multi-national organizations, there’s a hidden dark side.

Some countries do not allow specific types of data to leave the bounds of the country. For example, if you are a UK-based company, or an organization in the US with a UK presence, that means emails and documents containing personal client and employee information may not be replicated out of the UK to the US. I would argue that understanding the cloud provider’s model and how it moves data is just as important as how it safeguards and offers redundancy within its own infrastructure. If your data is not managed and secured as specified by the law, you could have more to answer for than just the availability of your data.

“Part of our job as a cloud provider is not only to understand our customers’ data needs, but how our model impacts their business and what we can do to align the two,” states Justin Mescher, CTO of IDS.

There is no set boilerplate of questions to ask for every given scenario. The main driver of the questions should be the business model of the organization and how its specific needs to protect its data compare to what the cloud provider does with the data. If data is replicated, where is it replicated and how is it restored?

Reason 2: Test Development

One of the biggest drivers for cloud initiatives is development and testing of applications. Some developers have found it easier to develop applications in a hosted environment, rather than proceed through change control or specific documentation requesting testing resources and validation planning of applications on the corporate infrastructure.

Companies I have spoken to cite a lack of resources for their test/dev environments as the main motivation for moving to the cloud. While pushing development off to the cloud sounds like a reasonable solution, what is potentially lacking is a sound test and validation plan to move an application from design to development to test to production.

John Squeo, Director of Strategic IT Innovation & Solutions Development at Vanguard Health Systems states, “If done properly, with the correct controls, the cloud offers us a real opportunity to quickly develop and test applications. Instead of weeks configuring infrastructure, we have cut that down to days.”

John further commented that, “While legacy Healthcare applications don’t port well to the cloud due to workflow and older hardware and OS requirements, most everything else migrates well.”

If the development group is the only group with access to the development data, the organization potentially loses its biggest asset: the intellectual property which put it in business in the first place. As stated above, “if done properly” includes a detailed life cycle testing plan that defines what the test criteria are, as well as who has access to test applications and data.

Reason 3: Data Security

Most organizations have spent much time developing policies and procedures around information security. When data is moved off site, the controls around data security, confidentiality and integrity become even more critical.

Justin Mescher, CTO of IDS adds, “While we have our own security measures to protect both our assets, as well as our customers, we work hand in hand with our customers to ensure we have the best security footprint for their needs.”

Financial institutions have followed the “Know your customer, know your vendor” mentality for some time. Understanding the cloud provider’s security model is key to developing a long-lasting relationship. This includes understanding and validating the controls they have in place for hiring support staff, how they manage the infrastructure containing your key systems and data, and whether or not they can deliver your required reporting. Failing to perform appropriate vendor oversight leads to additional exposure and risk.

Whether your senior management is or is not planning on using the cloud, I guarantee you this: there are departments in your organization that are. The challenge is now in defining an acceptable usage and governance policy. Don’t be left on the outside and surprised one day when someone walks away with your data when you didn’t know it left in the first place.

Photo credit: erdanziehungskraft via Flickr