You know the cloud’s flexibility enables efficient backup and disaster recovery (DR). You also know that the cloud offers many other benefits for backup and DR, including cost savings, time savings, scalability, maximum availability, and reliability.
If your company is subject to the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) or any of the numerous other industry regulations and standards, chances are the answer is “compliance.”
The Compliance Obstacle
When you move to the cloud, the operational security and compliance functions that existed on premises must be applied to the corresponding cloud services. That requires an understanding of how to map compliance requirements onto cloud environments. For busy IT staffs, that can be a huge undertaking.
Many IT professionals also worry that security risks associated with cloud technologies may make it difficult to meet compliance obligations. The security risks are real, at least for some cloud services.
The underlying components that make up the infrastructure supporting a cloud service may not have been designed to offer strong isolation between tenants in a multi-tenant architecture or between customers of a shared application. This can lead to shared-technology vulnerabilities that could be exploited by one tenant against another.
Poorly secured cloud service deployments and free cloud service trials can expose cloud services to cyberattacks. Denial-of-service attacks, for example, can force targeted cloud services to consume excessive amounts of finite system resources, slowing the system and leaving legitimate users without access to services.
Then there’s the bring your own cloud (BYOC) movement. Employees use their own cloud-based apps at work, unaware of the risks of storing corporate data in unsecured apps.
DR and Backup Compliance Requirements
Moving to the cloud also presents challenges because many regulations and standards have specific requirements for how data is stored, accessed, and backed up. For example, under the HIPAA Security Rule, covered entities (defined as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards) must:
Develop and implement a data backup plan
Develop a disaster recovery plan
Develop an emergency mode operation plan
Develop and implement procedures for testing and revision of contingency plans
Perform an application and data criticality analysis
PCI DSS applies to any system or environment that stores, processes, or transmits cardholder data. That means the environments housing backups and DR are included within the scope of PCI DSS if they touch cardholder data.
In the financial services industry, the Financial Industry Regulatory Authority (FINRA) requires a written business continuity plan that includes backup and recovery, while the Gramm-Leach-Bliley Act (GLBA) requires financial firms to protect consumers’ stored personal financial information. The US Securities and Exchange Commission (SEC) requires full records of every transaction, and those records must be easily accessible and non-erasable. Even the International Organization for Standardization, in the ISO 27001 information security standard, has a section on storage.
Compliant Cloud Services Providers
The good news is that compliance doesn’t have to be an obstacle for using cloud-based backup and DR. The key is to work with the right cloud services provider (CSP).
Start by looking for a CSP that maintains a well-governed, high-quality IT infrastructure that meets the demands of a wide range of governing agencies. CSPs that have the necessary security controls and documented processes in place can help their customers meet many of their own compliance requirements by leveraging their audited and compliant infrastructure.
CSPs that are PCI DSS certified or HIPAA compliant are likely to be good choices. PCI DSS and HIPAA both entail rigorous security requirements. A CSP that can meet them has strong security processes and mechanisms in place.
Compliance Due Diligence
Verify that the CSP has undergone the required independent audits for compliance with the standard, government mandate or regulation you’re concerned about. For PCI DSS, ask to see the CSP’s Report on Compliance (ROC). The ROC attests that the processes and components under the CSP’s control are compliant; anything under your own control remains your responsibility to secure and document.
In the case of HIPAA compliance, you’ll also want to make sure a prospective CSP will sign a business associate agreement (BAA). The BAA outlines the CSP’s responsibilities and those of your organization in protecting protected health information (PHI) from contract start to termination.
Other things a CSP should have: an on-staff compliance officer, an executive security team, a full governance, risk and compliance (GRC) program, a risk-based BC/DR plan, an employee IT security training program, and a vendor due diligence program.
It’s also crucial to understand the division of responsibilities between your company and the CSP for each specific compliance requirement, and who is responsible for verifying that those responsibilities are met. The terms and conditions outlined in the CSP’s service level agreement (SLA) should align with your expectations.
Many regulations and standards require that your CSP’s servers be in the US. Even if they don’t, a server in a foreign country may be subject to the laws of that country’s government, which can present privacy issues. Know where your data resides and what controls the CSP has in place to protect it. Require documentation showing where the CSP’s servers are located.
There are also regulations and standards that require system and data access to be controlled and secured. A CSP should be able to provide documentation showing which users have access to a system, when they accessed it, and what data each user can access.