Compliance is becoming an ever more complex issue for organisations. Businesses have moved to more remote and digital work practices because of COVID-19, while governments worldwide are introducing a growing number of data privacy regulations that organisations must abide by.
The reason is valid: with the industrialisation of hacking and the enormous impact of security breaches, governments had little choice but to add to the regulations, standards, and legislation they already enforce, both to curtail adversaries attempting to steal sensitive information and to prevent data leakage through other, less malicious avenues.
Legislators in more than 29 US states put data privacy on the agenda in their 2021 legislative sessions. Europe's GDPR and now China's new privacy law mean it has never been harder for organisations to stay compliant. The question, however, is: where is the information security regulation?
We need to focus on information security
Data privacy concerns are at the forefront of legislation, yet there is very little movement on regulating how companies actually protect customer data. Regulators are penalising companies for large data breaches and imposing fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for non-compliance with the GDPR. However, the GDPR only requires companies to implement "appropriate technical and organisational measures" to protect personal data; it does not tell them how to protect that data.
There are very few information security-specific regulations and little guidance from government regulators on which security measures to put in place. This gap has allowed independent certification bodies to step in and help organisations demonstrate compliance. Cloud providers typically engage external third-party auditors to assess their information security and data privacy controls at the service level, giving customers evidence that the provider has adequate measures in place to protect the customer data stored in its cloud.
Whether a business is just starting out with cloud technologies or is already heavily invested in the cloud, these audits and certifications help customers have the assurance that their data is protected in a compliance-certified environment.
Security Documentation to Ask For
The volume of information security audits and certifications has grown sharply worldwide. Sectors such as banking, healthcare, and manufacturing have developed their own comprehensive standards together with their regulators. International standards bodies such as the International Organization for Standardization (ISO) have distilled requirements from many jurisdictions into single best-practice standards against which organisations can be certified.
For example, ISO/IEC 27701:2019 (ISO 27701) extends ISO 27001 and ISO 27002 with requirements for a privacy information management system, and its controls map onto the obligations of privacy laws such as the GDPR, the CCPA, and Australian privacy legislation, so a single audit can be used to evidence compliance with several of them at once. Two of the most common certifications and reports to ask a CSP for today are an ISO 27001 certificate and, particularly from US cloud providers, a SOC 2 report.
ISO 27001 Certification
ISO/IEC 27001 (ISO 27001) specifies the requirements for an information security management system (ISMS): a risk-based framework for how an organisation governs information security, backed by a catalogue of controls in Annex A. An accredited certification body audits the ISMS and issues a certificate with a defined scope. It is one of the main tools CSPs rely on to evidence that they have implemented "appropriate technical and organisational measures" to protect customer data in the cloud. When reviewing a certificate, check that its scope statement actually covers the services and data centre locations you use; a certificate for a provider's corporate IT says nothing about the platform hosting your workloads.
SOC 2 Report
US providers additionally rely on the AICPA's SOC 2 Trust Services Criteria, which cover five categories: security (always in scope), availability, processing integrity, confidentiality, and privacy. A SOC 2 report lets a provider evidence the controls it has put in place to protect customer data in its systems and the confidentiality and privacy of the information those systems process. A Type 2 report covers a period of operation and includes the auditor's description of the tests performed on controls such as access control and physical security, their results, and any exceptions found. Read the exceptions and the provider's responses, and check the report period and the list of subservice organisations (such as the underlying data centre operators) that were carved out of the audit.
The range, variety, and changing nature of compliance rules can be difficult for an organisation to understand and interpret, so many lean on the experience and expertise of a cloud service provider. How, then, should business leaders ensure they are compliant when not all resources are on their premises and under their physical control?
Top Tips to Ensure Compliance in the Cloud
1. Review your CSP's Compliance Documentation
Review the compliance documentation your CSP makes available to customers and confirm that it applies to your industry and to the security concerns your organisation faces. Depending on your sector, you may need your CSP to hold other, more relevant attestations: a HITRUST certification or a HIPAA attestation report for US healthcare companies, or Cyber Essentials for UK businesses. There are also government-specific frameworks, such as CMMC for US defence contractors or an IRAP assessment for providers handling Australian government data.
2. Understand Access Control
A large portion of regulatory IT compliance stems from ensuring proper controls over who has access to what data in the system. During a compliance audit, you must be able to prove what level of access each user has, how that level was granted, and how it is reviewed and maintained over time.
Your CSP must be able to provide documentation of how it implements separation of duties for administrative functions. It must also be able to show, for any point in the audit period, which users had access to which systems and data, when that access was granted, and when it was revoked.
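The two questions above, "who could reach which system on a given date" and "did anyone hold roles that should have been split", are what an access review has to answer. The following is an added example, not iland's tooling or any CSP's report format: it takes a constructed grant and revocation history (the users, system names, roles and dates are all hypothetical) and produces a point-in-time access matrix and a list of separation-of-duties violations.

```python
"""Access-review evidence from a constructed grant/revocation history.

Added example, not a CSP's own tooling. Users, systems, roles, dates and
the SoD rules below are hypothetical sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple, Union

DateLike = Union[date, str]


def _as_date(day: DateLike) -> date:
    """Accept a date or an ISO-8601 string such as '2021-05-11'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    role: str
    granted: date
    revoked: Optional[date] = None  # None means the grant is still active

    def active_on(self, day: date) -> bool:
        """True if the grant covered `day`; the revocation day itself counts as revoked."""
        return self.granted <= day and (self.revoked is None or day < self.revoked)

    def overlaps(self, other: "Grant") -> bool:
        """True if both grants were active on at least one common day."""
        end_self = self.revoked or date.max
        end_other = other.revoked or date.max
        return self.granted < end_other and other.granted < end_self


# Constructed sample history for a small hosting team, including one
# deliberate two-day slip where bob approves his own change requests.
GRANTS: List[Grant] = [
    Grant("alice", "hypervisor", "admin", date(2021, 1, 4)),
    Grant("alice", "backup", "operator", date(2021, 1, 4), date(2021, 6, 30)),
    Grant("bob", "hypervisor", "change-requester", date(2021, 2, 1)),
    Grant("bob", "hypervisor", "change-approver", date(2021, 5, 10), date(2021, 5, 12)),
    Grant("carol", "hypervisor", "change-approver", date(2021, 2, 1)),
    Grant("dave", "siem", "log-admin", date(2021, 3, 15)),
    Grant("dave", "backup", "operator", date(2021, 7, 1)),
]

# Hypothetical separation-of-duties rules: pairs of roles one person must
# never hold at the same time on the same system.
SOD_RULES: Set[Tuple[str, str]] = {
    ("change-requester", "change-approver"),
    ("admin", "log-admin"),
}


def access_on(grants: Iterable[Grant], day: DateLike) -> Dict[str, Set[Tuple[str, str]]]:
    """Point-in-time access matrix: user -> {(system, role)} active on `day`."""
    when = _as_date(day)
    matrix: Dict[str, Set[Tuple[str, str]]] = {}
    for g in grants:
        if g.active_on(when):
            matrix.setdefault(g.user, set()).add((g.system, g.role))
    return matrix


def sod_violations(grants: Iterable[Grant],
                   rules: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (user, system, role_a, role_b) for every pair of conflicting
    roles one user held concurrently on one system, sorted for stable output."""
    conflicts = {frozenset(pair) for pair in rules}
    by_user_system: Dict[Tuple[str, str], List[Grant]] = {}
    for g in grants:
        by_user_system.setdefault((g.user, g.system), []).append(g)
    found: List[Tuple[str, str, str, str]] = []
    for (user, system), gs in by_user_system.items():
        for i, a in enumerate(gs):
            for b in gs[i + 1:]:
                if frozenset((a.role, b.role)) in conflicts and a.overlaps(b):
                    role_a, role_b = sorted((a.role, b.role))
                    found.append((user, system, role_a, role_b))
    return sorted(found)


if __name__ == "__main__":
    for user, entries in sorted(access_on(GRANTS, "2021-05-11").items()):
        print(user, sorted(entries))
    for violation in sod_violations(GRANTS, SOD_RULES):
        print("SoD violation:", violation)
```

The overlap test treats the revocation day as already revoked, so a role removed on the same day another was granted does not register as a conflict; decide that convention explicitly before comparing your own output with a provider's report, because an off-by-one day here is exactly the kind of discrepancy an auditor will ask about.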
3. Regularly Reassess Your CSP
Without government regulation of information security measures, compliance in the cloud is driven by best-practice standards and customer demand. If customers regularly request a particular certification a provider does not yet hold, it may expand its compliance programme to meet that market need.
Reassess your CSP on a regular cycle to make sure it renews its certifications and has not quietly dropped a programme that is essential to your business. Certificates carry expiry dates and SOC 2 reports cover a fixed period, so ask for the current certificate, check its scope and dates, and for any gap between the end of a SOC 2 period and today ask for a bridge letter confirming that the controls have not materially changed.
Getting the flexibility and benefits of the cloud and the compliance you need takes consideration and planning. Don’t settle. From the beginning, ensure you work with a cloud service provider which has your compliance and audit needs in mind.
You want a provider who puts you first and wants you to benefit from the cloud. Find a provider that will keep your organisation compliant and protect your and your customers' sensitive data, and ensure it has the experience, skills, staff, and processes to deliver on your specific compliance needs.
iland is a global cloud service provider of secure and compliant hosting for infrastructure (IaaS), disaster recovery (DRaaS), and backup as a service (BaaS). It is recognised by industry analysts as a leader in disaster recovery. The award-winning iland Secure Cloud Console natively combines deep layered security, predictive analytics and compliance to deliver unmatched visibility and ease of management for all of iland’s cloud services. Headquartered in Houston, Texas and London, UK, iland delivers cloud services from its data centres throughout the Americas, Europe, Australia and Asia.