Six Tips for Compliant Cloud Computing
It's complicated, but these tips will help you get your arms around the issues.
As cloud computing has gained acceptance in different markets and in so many parts of the enterprise, experts have raised several different questions that those contemplating making use of the cloud need to address. They run the gamut, from "how do you prove compliance when you don't have access to the logs maintained by a service provider?" to "how do you deal with e-discovery" or "is anything stored in the cloud still considered private?"
The questions don't mean that cloud computing is too big a risk to take. After all, it's often a more cost-effective and more efficient solution than the on-premise systems. The questions must simply be addressed as the plan for cloud computing is crafted and then implemented.
Culling from the dozens of blog posts and interviews we've done on the subject in the past couple of years, I've come up with six different pointers that various experts have given us for cloud compliance. Though there are certainly more specific requirements for employing the cloud in certain industries that are more regulated, such as health care or financial services, these six considerations are a good place to start.
- Involve IT early in the process. Transworld Data CEO Mary Shacklett points out that getting IT involved in the beginning - before service contracts with the provider are signed - allows the IT team to help ensure all the technical bases are covered from the onset rather than having to backtrack later.
- Address security concerns. For instance, assets outside the firewall traditionally have not been as protected as those inside the firewall, according to TriCipher VP John Brody. One way to approach this issue is to try to force users who want to avail themselves of apps in the cloud to come back through the enterprise network to pick up controls and policies and go out again. But at the same time, it's hard to prevent users from going directly to the apps.
- Address privacy concerns. Just one of those concerns, RocketLawyer.com CEO Charles Moore suggests, may be maintaining confidential or other sensitive information "in the cloud." As long as your practices are clearly outlined both in your agreements with customers and in your agreements with your service providers and everyone is on the same page regarding how that information is handled, there should not be a problem. It's when one party to those agreements changes the terms unilaterally that problems crop up.
- Address e-discovery requirements. The three parts of e-discovery that cloud computing makes interesting, according to Proskauer Rose IP and technology counsel Nolan Goldberg, are preservation of relevant documents, collection of relevant documents and maintaining the integrity of the documents, as well as any level of confidentiality that may be required.
- Know your service provider. Vet potential providers early and often. Make sure the obligations of each party to the contract regarding security, privacy, e-discovery and other regulatory audits are clearly defined and in writing.
- Above all, remember: You can't outsource liability. Just because you decide to put a particular business process or a particular information set in the cloud doesn't mean the service provider takes the fall if regulatory standards or legal requirements are not met. Auditors and courts are still going to hold you responsible for ensuring that your service provider's controls and practices are sufficient.