Cloud Compliance: Part 1- The Basics

This post marks the start of my new series on Cloud Compliance here on the KnowYourCloud learning center. When the series is finished in late summer, my goal is that cloud users, particularly in Europe, will feel a bit more confident about cloud compliance; will dare to ask, and know which questions to ask, cloud providers; and will be familiar with the basic regulations in Europe and the cloud-specific concerns CIOs have when it comes to putting their data in public and private clouds. So first let’s start with …

What is compliance

Compliance in itself is about how you comply with the rules and recommendations that you or your organization are obliged to follow. These rules and recommendations are normally set out in national or community (e.g., European Union) laws, directives and regulations, or in certification standards (such as ISO).

For example, if Company A is certified to ISO14001 (Environment), this means that Company A has to follow the requirements and recommendations in ISO14001. Company A will also be audited by an auditor on a regular basis to determine how well Company A complies with ISO14001. This is environmental compliance with ISO14001.

IT compliance

The same goes for IT. The systems and information an organization uses or produces also have to follow rules and recommendations. Historically, this has been linked with how information about persons is stored. In Sweden, there is a law called PUL (Personuppgiftslagen, usually translated as the Personal Data Act), which prescribes how it is permissible to store and use information about persons. Its goal is to protect the privacy of individuals in Sweden. Not all information about you as a person is public: some of it may only be made public with your permission or for a specific legal reason, and some of it may not be made public at all.

As you can imagine, these types of laws are often connected to businesses that deal with healthcare and legal matters. Historically, these compliance issues have typically been connected to behavior, such as routines and processes, and to technical matters such as secure systems, communications and datacenters, how backups are stored, and so on. These factors will continue to be part of an organization’s compliance concerns with regard to the cloud.

Cloud compliance

The arrival of domestic IT outsourcing, international offshoring and, in recent years, the cloud has introduced new factors and compliance concerns, making the organization’s IT solutions both more complicated and more important. The complexity of maintaining compliance increases the further you travel from the on-premise solution, across borders, regions and continents. The main concern is where your information, the data, is stored, regardless of whether it is “live” data or backup data.

Things to consider – an example

Let’s assume Company B’s data has to be stored within the EU, and the service Company B uses is provided by US Company X, which has a datacenter in the EU where Company B’s service is delivered and the data is stored. What rules and laws is US Company X obliged to follow, and how does it comply with those that apply to Company B? What happens if, for high availability or as part of the backup solution, the data is replicated from the EU datacenter to a datacenter located in the US or in India? Does the service then still comply with Company B’s rules and laws?

What’s it all about

This is what cloud compliance is about, and why it’s important to know what laws, rules and recommendations your organization is obliged to follow. It is also important that you know how and where the services you plan to adopt, or have already adopted, are produced, and that they comply with your organization’s requirements. As an IT Manager, CIO, CSO or CTO, it is your responsibility to know this.

Being aware is not enough. The GM/CEO who is responsible for the organization needs to be able to trust that you are following the law. Therefore it’s very important that the cloud service provider (CSP) tells you the things you need to know. For example, if data location is important to you, your choice of CSP should be based on the facts (agreement, terms and conditions, service description) about where the CSP stores your organization’s data. Another factor is which laws and rules the CSP itself is obliged to follow. All of this is needed to ensure that your organization is cloud compliant.

To wrap things up

I know some people will say “hey, what are you talking about?”, but in my opinion security, continuity and availability should not be your primary worry when it comes to cloud computing. These things are most probably handled far better than if you did them yourself. Compliance is one of the things to focus on instead. It’s your data; you have to make sure everything is in order with it, especially when it’s in the cloud.

In the next part of this series, I will dig deeper into common scenarios and some EU regulations, such as the Data Protection Directive and how it might affect your organization.

Just for fun, a tricky question: What happens if a SaaS provider from Country A puts its service on a PaaS provided from Country B? And, scarier still, the PaaS from Country B resides on an IaaS from Country C on Continent D? Is your organization cloud compliant in this scenario? Will any of the XaaS providers guarantee that you are cloud compliant? Let’s hope these scenarios won’t be frequent in the market in the future. ;)

As always – be aware. And sometimes – know!

About the Author

Max Büchler – Blogger on InMaxMind
Cloud and ITaaS evangelist. “Agent provocateur”, critic and advisor. Hopefully with a special touch and a different view, sometimes philosophical but always with a smile. Loves to see facts and make cloud logic; don’t make it difficult. Focused on talking to, with and for the customer, with the goal of easing and helping the adoption of cloud services. Works as Manager of Product Management at a Swedish Managed Service Provider.

Keywords: cloud computing, vision, cloud broker, cloud services, cloud adoption, enablement, strategy, SaaS, Public cloud, private cloud, compliance, regulations, ISO, privacy law