What You Need to Know About Cloud Compliance
You want to provide cloud-connected services to your customers. That’s a given. But when and how? There’s a lot to consider, including cloud adoption, regulations and compliance, and a slew of other topics aimed at helping organizations understand what is involved when moving to the cloud.
Based on our experience at EVault, we’ve boiled down the information we’ve gathered to bring you the nuts and bolts of what to consider & the most important takeaways you should keep in mind to safely move your business and your customers’ businesses to the cloud.
To Cloud or Not to Cloud?
Half of midsized companies are either pursuing cloud-based services as part of their business practices, or are in their near-term implementation. The biggest issue when determining whether to move to the cloud is data security.
Customer Trust
Cloud consumers and cloud providers have an intimate relationship in which cloud consumers are entrusting their data to the cloud provider. Customers expect their cloud provider to give them some assurance from a third party that they are actually doing the right things.
Mounting a Strong Defense with Information Security and Compliance
Cloud computing is very complex and companies must look at all areas of secure environments. Companies with a cloud infrastructure must protect and secure information using technology, firewalls and access controls for incident response, disaster recovery and business continuity.
Define an Information Security Policy
Many organizations don’t have a written formal security policy, which jeopardizes communication and planning with service providers. The Internet is full of standards and policy templates, including the ISO 27001 and a template from SANS.
Classify All Information Assets
After defining what information is being protected, you must define your assets, which outlines where your customer’s sensitive and critical information is and who (including their cloud service provider) needs have to have access to it.
Data Location and Regulations
Cloud consumers want to know exactly where their data is and don’t want it to cross borders without their being notified. Customers depend on the cloud provider to understand their needs for data location and notification. You can help them put the policies in place for these controls, so that you as their provider can be accountable.
Perform a Risk Assessment
For the last step involved when sending your customer’s data to the cloud, find out what are the business practices they need to continue to operate and look for threats. This should be done on a recurring basis and your consulting services can help.
Trust and Verify
Customers must be able to trust and verify their service provider. In the late 90s , the financial community had an open organization called BITS. The organization looked to ensure that a service provider’s offerings were analyzed for their security controls and to make sure that there was a standard audit process. “Good” companies are doing SAS 70 or their SSAE 16 at a SOC level 2 that encompasses all security features. “Excellent” ones have gone through an ISO 27001 certification by the international community, though they are very rare.
Summary
These are some of things your customer will want to know you can offer when moving their organization to the cloud. Make sure you can help them understand the importance of compliance and security within the cloud, defining an information security policy, defining their assets and how to verify and choose a cloud service provider who can deliver these important things. Namely, you.
Felix Santos, CISA, CISM, ISSM, is responsible for Compliance and Information Security for EVault, the online backup company. Monthly guest blogs such as this one are part of Talkin’ Clouds annual platinum sponsorship. Read all EVault guest blogs here.
