momius -

Compliance in the cloud: Avoiding the cloud compliance trap

When you hand over data to a cloud provider, you don’t hand over responsibility for legal and regulatory compliance. Beware of falling into a cloud compliance trap

A recent survey found that more than one in four businesses intend to move all IT infrastructure and workloads to the cloud in the next 12 to 24 months.

Meanwhile, 83% of those questioned – in research by backup software maker Veritas – think cloud service providers will protect clients’ data.

That’s unrealistic at best, and, in the present regulatory environment, it is dangerous and a potential compliance trap.

Sure, organisations can benefit from cloud services through greater efficiency, flexibility, and a lower cost of doing business.

And hybrid and multi-cloud provision – where organisations combine their own and suppliers’ infrastructure – is increasingly popular due to its performance and cost benefits.

These trends, though, could catch organisations out when it comes to cloud compliance

The cloud compliance gap

The move towards greater use of the cloud comes at a time when data protection regulations are tightening significantly.

Not only has the European Union’s General Data Protection Regulation (GDPR) come into force, but other regulations, such as an update to the PCI-DSS standard for payment cards, have prompted organisations to review how they gather and process information.

Regulations such as the GDPR bring some additional rights and safeguards for individuals, such as the right to be forgotten and new obligations on organisations like the mandatory disclosure of any data breach.

Much in GDPR, however, is not new. Rather, it is a clarification and consolidation of existing data protection rules. So, organisations with solid data protection and privacy policies should be able to handle the transition to GDPR.

But the move towards cloud computing could expose a compliance gap – especially for organisations that handle personal data. The GDPR sets out a much clearer definition of “personal data”. The definition is set rather more broadly than it was under many national data protection laws.

Under GDPR, it will be hard for firms to argue they do not collect, process or store personal data. So, inevitably there are consequences for organisations that use the cloud.

“A move to the cloud doesn’t bring with it any exemption from the regulations,” says Dan Burge, a partner with the technology, media and telecoms team at law firm Dentons. But it can make it harder to comply with those rules. 

Multiple clouds, multiple challenges

Moving to the cloud can bring a range of practical, administrative and regulatory challenges.

But, for compliance the key issues facing chief information officers and security officers are what types of data the organisation stores, and where that data is.

Organisations that run their own in-house databases, archives and storage systems should be in a position to identify the location of most, hopefully all, of their data.

They can specify the location of systems and datacentres, and set up IT so that data restricted to a certain geography – say, the EU – is stored and processed within that geography. Breaking out personal data from other business information should, equally, be feasible with good IT controls.

Identifying data types – data classification – should also be achievable through in-house systems and compliance officers.

But the move to external locations for data storage and IT workloads creates a new challenge.

Cloud computing suppliers work by offering economies of scale. To do this, they need to aggregate data. Cloud providers also build in resilience, and to do so will host data in multiple locations.

Read more about storage and compliance

  • New European Union data protection regulations put tough requirements on organisations that store “personally identifiable data”. We look at what is needed to achieve compliance.
  • Vigitrust CEO Mathieu Gorge surveys the key challenges of data growth, regulation and mobile and legacy data that impact on legal and regulatory compliance.

Unless an organisation is large enough to pay for a private cloud system – or possibly several geographically-dispersed private clouds – they will be handing data over to their cloud service providers to store as they see fit.

This creates a challenge around “data sovereignty” and knowing where data is at any moment in time.

CIOs might not know which countries their cloud services store data in. The cloud provider might not even know if they use highly automated systems for load balancing and to ensure business continuity and disaster recovery.

The location of data

Organisations often overlook the exact location of data. The safest solution is to use a cloud service that locks data to one location or at least keeps it within one jurisdiction, such as the EU.

But first, organisations need to identify the information they collect and process. Any attempt to control or audit data location is bound to fail if CIOs lack a clear picture of the types of data that touches the cloud.

Some data types are clearly identifiable as sensitive. National insurance numbers, banking and health information, address and age details are all data types that customers will want businesses to protect.

But, the definition of personal data under GDPR is wider than the conventional US-centric definition of personally identifiable information (PII).

Then there is the chance that sensitive data is created in the cloud by SaaS applications, e-commerce or even social media. Anything that combines online interactions with an individual's profile quickly brings records into the realm of personal data, as recent media headlines show.

The risks are all the higher if – to take one theoretical example – an SaaS-based customer relationship application or insurance underwriting application draws on data logs from social media or other sources.

Even supposedly anonymised or cleaned records can revert to being personal data if there is some way to trace an individual by combining data fields. Law makers call this "mosaic identification", and with applications that run in the cloud it could happen without the CIO being aware of the risks. 

Lock up your data

Fortunately, there are steps organisations can take to address the pitfalls of cloud compliance.

The first and most drastic is to restrict use of the cloud or limit its use to specific providers with robust and transparent policies on data geolocation.

But, for organisations that do need to use the public cloud – ie, those with a multi-vendor strategy – the next step is to carry out a careful audit of all data to ensure personal data is identified, tracked, and data sovereignty policies enforced.

Once CIOs and data protection officers know the data they are dealing with they can take practical steps to secure it. Client-based encryption is recommended good practice, as it reduces the risk of data loss if a cloud service is hacked and cuts the risk of losing data in transit, even if it does not address data sovereignty.

Boards should also scrutinise their cloud service providers, including SaaS platforms, for adherence to their own data compliance policies and standards such as ISO27001.

This is harder, though still possible, for hybrid and multi-vendor clouds. Multi-cloud data management tools, whilst still relatively new to the market, offer IT and data protection teams the prospect of quicker and deeper oversight of the data they store.

But anyone dealing with the cloud needs to realise that in whatever way they organise their IT they cannot outsource responsibility for compliance. To ensure cloud providers meet current standards is part of the due diligence process. Complying with laws such as GDPR and penalties for breaches falls squarely on the business, not the cloud supplier.

Read more on Infrastructure-as-a-Service (IaaS)

Data Center
Data Management