As cloud computing has gained acceptance in different markets and in so many parts of the enterprise, experts have raised several different questions that those contemplating making use of the cloud need to address. They run the gamut, from "how do you prove compliance when you don’t have access to the logs maintained by a service provider?" to "how do you deal with e-discovery?" or "is anything stored in the cloud still considered private?"
Culling from the dozens of blog posts and interviews IT Business Edge contributors have done on the subject, our Lora Bentley shares six different pointers that experts such as Proskauer Rose’s Nolan Goldberg and Transworld Data CEO Mary Shacklett have given for cloud compliance. Though there are certainly more specific requirements for employing the cloud in certain industries that are highly regulated, these six tips are a good place to start.
Transworld Data CEO Mary Shacklett points out that getting IT involved in the beginning – before service contracts with the provider are signed – allows the IT team to help ensure all the technical bases are covered from the outset.
For example, assets outside the firewall traditionally have not been as protected as those inside the firewall, according to TriCipher VP John Brody. One way to approach this issue is to force users who want to avail themselves of apps in the cloud to come back through the enterprise network to pick up controls and policies and go out again.
Just one of those, RocketLawyer.com CEO Charles Moore suggests, may be maintaining confidential or other sensitive information “in the cloud.” As long as your practices are clearly outlined both in your agreements with customers and in your agreements with your service providers, and everyone is on the same page regarding how that information is handled, there should not be a problem.
The three parts of e-discovery that cloud computing makes interesting, according to Proskauer Rose associate attorney Nolan Goldberg, are preserving relevant documents, collecting relevant documents, and maintaining both the integrity of the documents and any level of confidentiality that may be required.
Vet potential providers early and often. Make sure the obligations of each party to the contract regarding security, privacy, e-discovery, and other regulatory audits are clearly defined and in writing.
Just because you decide to put a particular business process or information set in the cloud doesn’t mean the service provider takes the fall if regulatory standards or legal requirements are not met.