Cloud compliance issues arise as soon as you make use of cloud storage or backup services. By moving data from your internal storage to someone else's, you are forced to examine closely how that data will be kept so that you remain compliant with laws and industry regulations. So, when it comes to cloud compliance, what data should you move to the cloud and what should be kept in-house, what questions do you need to ask your cloud provider, and what terms should be written into SLAs to maintain compliance?
In this interview, SearchStorage.co.UK Bureau Chief Antony Adshead speaks with Mathieu Gorge, CEO of VigiTrust, about the key questions raised by cloud compliance, how to draw up SLAs, where responsibility lies for cloud compliance and how to deal with issues such as e-discovery.
You can read the transcript below or download the podcast on cloud compliance
SearchStorage.co.UK: What cloud compliance issues arise for users of cloud storage and backup services?
Gorge: When you start looking at the services that are offered within cloud computing, you realise that the infrastructure and, therefore, the data that resides on that infrastructure is susceptible to being intercepted, to being modified and that obviously [presents] a major issue when it comes to cloud storage and compliance.
The main question that compliance and legal people would ask you is, Where is our data going to reside? Who is going to look after it? Who is going to be able to see it? Is it going to be the people that manage the infrastructure for us? Is it going to be internal and external people? And if we use a public cloud how secure is that cloud platform for us? Is the cloud going to be segregated from other organisations' data?
If you look at the reasons why people move to the cloud there is obviously a cost benefit to moving to the cloud because you move from capital expenditure to operational expenditure but ... you also move from internal security to external operational security. These security issues and compliance issues can be inhibitors to moving to the cloud, especially with regards to storage because of data retention regimes, data protection regimes in the UK and in the wider EU framework.
So, the key question from a legal point of view is, Where is my data located, how is it going to be sent to the cloud, and how is it going to be secured on that cloud?
SearchStorage.co.UK: What can organisations do to successfully negotiate the challenges of cloud compliance?
Gorge: The first thing that organisations need to do is to be fully aware of the type of cloud services that they use. Once they have done that, they can look at the data that they are going to move to the cloud. It's important to understand that for security and compliance reasons, organisations may decide that some highly confidential data will always remain on an internal network and will not move to the cloud. Or, if they move it to a cloud infrastructure it will be a private cloud that will be hosted on the premises, where they have access to both the physical and logical infrastructure even though it is still based on cloud computing, and will still bring them the benefits from an operational cost and management perspective.
The second thing to look at once you know which data you are going to put on the cloud is to look at the contracts with your cloud provider. So, if it is an internal cloud, are you going to have internal SLAs and internal compliance checklists? If it's external, you have to clearly identify with the provider what type of data should reside on their cloud services, how they're going to protect it, how they're going to back it up and how you may reserve the right to audit the security and compliance framework that they build around your data.
You have to remember that it's your data and ... you are responsible for it; you have to remain in control at any given stage. If you look at the Data Protection Act in the UK, [it] clearly states that you have data controllers [who should] be in control of data at any given stage even if the data is sent to an external party. [From this you get an idea] of the responsibility a cloud provider is taking on but it's up to you as the … owner of the data to make sure the cloud provider understands that and has it built within their SLAs.
The other thing I would recommend you check is whether they have an incident response plan for alerting you if something goes wrong with your data on the cloud.
From an operational perspective, an organisation would be well-advised to put in place safeguards and benchmarks in order to check the effectiveness of the security around their data on the cloud. For instance, does the provider use guidelines from the Cloud Security Alliance or ... the European Network and Information Security Agency, which are available to download free of charge? Do they use the federal government guidelines for cloud security if based in the US?
One other aspect to look at is the idea of e-discovery on the cloud. This is a very new area that will ... keep a lot of solicitors very busy over the next few years because one of the key issues with e-discovery is, How do I get data back if I need to produce data in a court of law? With regards to a cloud infrastructure, it becomes a bit more difficult to make sure that you can get access to data in a timely manner, so, again, that needs to be built in to the contract you have with the cloud provider.
In summary, [make] sure that you classify your data, make sure you understand that some of it is not suitable for the cloud and needs to be kept internally, have the right contracts with the cloud provider setting out what will be covered, how it will be protected [and] backed up. Finally, try to have an incident response plan which should cover any type of e-discovery and legal requests to get access to data stored on the cloud.