Whether it’s Software-as-a-Service (SaaS) or Infrastructure-as-a-Service (IaaS), cloud services have become more viable options for the enterprise in recent years. Even when an organisation outsources management of its infrastructure or software to a cloud services provider, it still retains the responsibility of ensuring these services remain compliant. If a cloud services provider stuffs up, it is most often the organisation that is held responsible when customer data is compromised or the provider breaches Australian data sovereignty laws. Following these points can safeguard your organisation as a whole from cloud services compliance violations.
1. Demand full disclosure of all data centre locations and how data is stored. To remain compliant with your local and industry data regulations, you need to know what type of data is going into the cloud and where exactly it’s being stored. The onus falls on your organisation, not the cloud services provider, to know what data and server restrictions apply. Is your data being kept down the road, across the country or on another continent? Even if your cloud services provider offers local data centres, you might decide certain confidential data remains on your internal network. In addition to checking data centre locations, review whether your cloud services provider can host your environment across multiple, geographically disparate locations to boost availability of data, provide failover capabilities and transfer workloads cross-country. If your industry is highly regulated and you must meet strict data privacy and sovereignty requirements, seek applicable industry associations and consultants to guide IT through the cloud services adoption process.
2. Ensure you can get your data back if you need to. There might come a time when you are legally required to produce data stored in the cloud — for instance, in a court case. To ensure you can produce this data, you should build an incident response plan into your contract with your cloud services provider. This should include a clause indicating how quickly you can retrieve the data and exactly what data you can retrieve.
3. Validate a cloud service provider’s security monitoring claims. Are the same people who are managing your cloud infrastructure, if in an IaaS setup, also monitoring for security? Or is there a third-party security team to which the cloud services provider contracts this work out? Request and review security certifications in detail and contact the certification body to verify the certificates are current. If the data is particularly sensitive, negotiate for audits conducted by your IT team and by independently chosen third parties. Redline the SLA to include an opt-out in the event the cloud services provider’s security certifications lapse or are proven false.
4. Check their network security standards. The human element of securing the cloud is just one piece of the overall approach to protecting your data. Make sure the technical security aspects are up to snuff as well. Ask your cloud services provider whether your data will be kept separate from other organisations’ data. Also ask whether your network connection to your cloud services will run over a secure VPN or private WAN connection to prevent external parties from accessing your data. Will your provider configure your firewall or will you? What type of anti-virus and virtual machine protection is there?
As cloud services become dominant and the industry matures, these compliance considerations will become concerns of the past. Until then, make them top priorities when you speak to prospective cloud services providers, so that you stay compliant with laws and industry expectations.