In the early days of cloud implementations, it was up to customers to ensure their clouds were compliant with industry regulations. MSPs, prior to specializing in cloud services, could help their customers with compliance issues, but it wasn’t the service provider’s responsibility.
That state of affairs, as we all know, is relatively ancient history. A Forrester study from 2015 indicated that up to 60 percent of companies said “challenges with cloud compliance, transparency and support” were preventing them from expanding their cloud use, which is another way of saying that a lot of business was being left on the table.
While customers were realizing they could save time, money and numerous headaches by engaging with CSPs that would manage compliance, regulations such as HIPAA mandated that CSPs, as “business associates,” had to comply as well.
Today, CSPs have discovered that the ability to offer and manage cloud solutions that are compliance certified across multiple verticals can be a significant contributor to business growth. In fact, many vendors (like VMware) promote their ecosystem of CSPs by allowing customers to search for business partners based on certification criteria. As such, it behooves vendor partners to get and maintain as many relevant compliance certs as possible.
Some compliance certs have been around longer than others, and new ones are always being introduced.
To stay on top of the compliance game, start by getting familiar with various industry regulations and related certifications:
- Education: If you hope to provide cloud solutions to schools, colleges, universities or any institution that keeps student records, you’ll want a FERPA certification. The Family Educational Rights and Privacy Act is intended to protect the privacy of student education records, and is applicable to all schools that receive funds from the U.S. Department of Education.
- Healthcare: The Health Insurance Portability and Accountability Act (HIPAA) has had a far-reaching impact on the technology industry. Any institution or doctor that keeps patient records, from chiropractors to brain surgeons, requires a cloud that is compliant with the standards that define how patient health information can be handled or transferred in electronic form.
- Health IT: HITECH (the Health Information Technology for Economic and Clinical Health Act) is the name of the compliance certification required for clouds that enable the transmission of health information. HITECH also promotes the proper use and adoption of IT-related products in the healthcare industry.
- Federal Government: For CSPs that want to provide cloud services to the federal government, FedRAMP (Federal Risk and Authorization Management Program) compliance is required. This standardized approach provides security assessments, authorizations and continuous monitoring, while cutting government spending by as much as 40 percent.
- Payment Card Industry: We might expect any cloud that involves money management to be strictly regulated and secured. Clouds that support the burgeoning payment “card” industry (which increasingly doesn’t require physical mag stripe “cards”) require PCI DSS, or Payment Card Industry Data Security Standard, compliance. PCI DSS requires CSPs to secure the network, protect cardholder data, and implement vulnerability management and access control programs in the context of an overall information security policy.
In addition to the vertical industry compliance certifications above, there are also cross-industry certifications that attest to compliance with certain standards. SSAE 16, for example, attests that a CSP has sufficient process controls in place. Standards like ISO 27001 provide requirements for establishing, implementing, maintaining and continually improving an information security management system.
The “Sharing” Issue
Despite the adoption of compliance certification responsibility by the service provider community, many customers believe that certifications, vertical and otherwise, are not enough. In a Forrester study sponsored by iland, an enterprise cloud service provider and VMware vCloud Air Network partner, 62% of customer survey respondents said on-demand access to necessary reports would ease the pressure, along with complete reporting of the compliance status of the cloud provider (54%) and suggestions for achieving compliance (43%).
Clearly, there is more work to be done. If CSPs adopt a vertical compliance growth strategy, they should put mechanisms in place to share the metadata gathered in the process with customers. According to an article from Cloud Computing News, “the nub of the issue is the release--or not--of metadata, information about the performance, configuration and operations of each cloud workload. While typically most cloud providers have access to it, it’s a different story for the customers.”
The article goes on to suggest that, while the investment required to share metadata in real time can be significant, a CSP growth strategy that includes vertical compliance certifications won’t get far if the customer relationship is strained over data sharing issues.
VMware understands how important vertical compliance certifications can be for the growing CSP. That’s why we encourage readers to learn more about the VMware vCloud Air Network Program and the vCloud Air Network to see how we’re promoting our ecosystem of cloud providers. And be sure to follow @VMwareSP on Twitter or “Like” us on Facebook for future updates.
Erin Markov is vCloud Air Network Marketing Co-op, VMware. Guest blogs such as this one are published monthly and are part of Talkin' Cloud's annual platinum sponsorship.