3 top tips to ensure compliance in the cloud

Milou Lammers, Director of Compliance at iland, examines the current cloud regulation landscape and lays out her advice for cloud customers looking to maintain compliance.

Compliance is becoming an ever more complex issue for organizations. As businesses adopt more remote and digital work practices due to COVID-19, governments around the world are implementing a growing number of data privacy regulations that organizations must abide by. The reason is valid: with the industrialization of hacking and the enormous impact of security breaches, governments had little choice but to add to the regulations, standards, and legislation they already enforce. The aim is not only to curtail adversaries attempting to hijack sensitive information, but also to prevent data leakage via other, less malicious avenues. With legislators in over 29 US states putting data privacy on the agenda in their 2021 legislative sessions, the prevalence of the GDPR in Europe, and a new data privacy law set to take effect in China on the 1st of November, it has never been more challenging for organizations to stay compliant. The question, however, is this: where is all of the information security regulation?

We need to focus on information security

While data privacy concerns are taking the forefront in legislation, there is very little movement on regulation regarding how companies protect customer data. Regulators are penalizing companies for large data breaches and imposing mind-numbing fines, such as fines of up to €20 million or 4% of total global turnover for non-compliance with the GDPR. However, these regulations only require companies to implement “appropriate technical and organizational measures” to protect customer data; they do not instruct companies how to protect that data.

Since there are very few information security-specific regulations and little guidance from government regulators on security measures to put in place, independent certification bodies have stepped up to help organizations prove that they are compliant. Cloud providers often rely on external third-party auditors to conduct service level audits on information security and data privacy-specific controls to ensure that the company has enough measures to protect customer data stored in their cloud. 

Whether a business is just starting out with cloud technologies or is already heavily invested in the cloud, these audits and certifications help customers have the assurance that their data is protected in a compliance-certified environment. 

Security Documentation to Ask For

There has been a large increase in the volume of information security audits and certifications offered around the world. Industries such as banking, healthcare, and manufacturing have developed their own comprehensive standards alongside government regulators. Other global certification bodies, such as the International Organization for Standardization (ISO), have combined laws and standards from multiple countries into one best-practice certification. For example, the ISO/IEC 27701:2019 Security Techniques (ISO 27701) certification combines some of the strictest data privacy standards in the world, such as the GDPR, the CCPA, and Australian data privacy laws, into one standard that companies can be audited against collectively to evidence compliance with all of them. Some of the most common security standards and audit certifications to ask CSPs for today include an ISO 27001 certification and, for US cloud providers, a SOC 2 report.

ISO 27001 Report

The ISO/IEC 27001: Information Security Management (ISO 27001) standard is an audit framework that provides a roadmap to organizations on how to manage information security. It can be viewed as one of the tools that CSPs rely on to evidence that they have implemented “appropriate technical and organizational measures” to protect customer data in the cloud. 

SOC 2 Report

Additionally, US providers rely upon the AICPA’s SOC 2 Trust Services Criteria to evidence the security, availability, and processing integrity controls they have put in place to protect customer data in their systems and the confidentiality and privacy of the information processed by those systems. A SOC 2 Report also includes a detailed summary of the evidence reviewed and the security controls such as access control and physical security the organization has put in place to better secure customer data.

The range, variety, and changing nature of compliance rules may be difficult to understand and interpret for an organization, and as a result many will lean on the experience and expertise of a cloud services provider. So, how should business leaders ensure they are compliant when not all resources are on their premises and within their physical control?

Top Tips to Ensure Compliance in the Cloud

1. Review your CSP's Compliance Documentation

Review the compliance documentation your CSP makes available to customers and ensure that it applies to your industry and the security concerns your organization faces. Depending on your industry, there may be other, more relevant audit certifications you want your CSP to have, such as HITRUST or HIPAA audit certifications for U.S. healthcare companies, Cyber Essentials for UK businesses, or government-specific regulations for defense contractors such as CMMC in the U.S. or IRAP in Australia.

2. Understand Access Control

A large portion of regulatory IT compliance stems from ensuring proper controls are in place over who has access to what data in the system. During a compliance audit, you must be able to prove the level of access that each user has and how those various levels are maintained. Your CSP must be able to provide you with documentation outlining how they implement separation of duties for administrative functions. They must also be able to provide clear records showing which users had access to which systems, and when, and what data and systems each user was able to access.

3. Regularly Assess Your CSP Supplier

Without the threat of government regulation regarding information security measures, compliance in the cloud is driven by best-practice standards and customer demand. If customers regularly request a particular audit certification that a provider does not yet have in place, the provider may consider expanding its compliance program to fit the market need. Continue to regularly assess your CSP to make sure that they are renewing their compliance certifications on schedule and have not abandoned a compliance program that is important to your business.


Getting the flexibility and benefits of the cloud, as well as the compliance you need, takes consideration and planning. Don’t settle. From the beginning, ensure you work with a cloud service provider which has your compliance and audit needs in mind. You want a provider who puts you first and wants you to benefit from the cloud. Find a provider that will keep your organization in compliance and protect you and your customers’ sensitive data. Make sure they have the experience, skills, staff, and processes to deliver on your specific compliance needs.


Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech
