Podcast: Why you need a cloud storage compliance audit

Cloud storage cuts capital spending and makes costs predictable, but if you entrust your data to a third party you must conduct compliance audits.

The cloud offers unprecedented scope to cut capital outlays and offload operating expenditure to a third-party cloud provider. And cloud storage offers the ability to scale your capacity requirements extremely flexibly, at predictable cost.

But you are still responsible for your organisation’s data. So, when you entrust it to a cloud storage provider, you need to observe due diligence to ensure legal and regulatory compliance. That means a compliance audit.

In this podcast, ComputerWeekly.com storage editor Antony Adshead talks to CEO of Vigitrust, Mathieu Gorge, about why organisations should carry out a cloud audit on cloud providers – and the key steps involved in such a compliance audit.

Antony Adshead: Why should organisations carry out a compliance audit on cloud/cloud storage providers?

Mathieu Gorge: The first thing to look at is our overarching reliance on cloud providers for storage functionality. As organisations are storing more and more information logically and physically on database media, they have started to rely increasingly on a process that amounts to business process outsourcing.

So, as an organisation you end up as data controller, entrusting the cloud provider with storing information that could be classified information and that is, in many cases, definitely personal data under the Data Protection Act.

One needs to remember that, although you can outsource the storage process to a cloud provider, the responsibility still belongs with your organisation because you are the data controller. You are trusting a third party to look after that data and make sure it is protected appropriately and the right security measures are in place to protect the data.

Adshead: What are key elements of such a compliance audit, including regulations that apply to cloud and cloud storage providers?

Gorge: From an auditing perspective it’s the usual suspects. You’re going to have to include in the audit a review of the policies and procedures that the cloud storage provider has implemented around your data. You’ll also need to look at the technical solutions they’ve put in place to protect your data, and I’ll look at that in a minute. You’ll also have to ascertain whether they’ve trained the staff that look after your data, whether technical or business staff.

So, from the technical perspective it is recommended that you build into your contract with the cloud provider an option for you to perform a penetration test on the systems that host your data. You may also want to put in a clause that allows you to physically audit the datacentre in which they store your data, whether in public cloud, private cloud or hybrid cloud.

Linking that to regulation, if you look at the UK Data Protection Act and industry regulations such as those from the FSA or PCI DSS, they all have a clause around managing third parties that become custodians of your data. So, in PCI DSS, for example, there is requirement 12.8. And in the upcoming EU data protection regulation that’s going to replace the current directive, there are provisions for data controllers to audit their data processors in a much more granular way than at the moment.

So, the legal requirement is there and industry best practice dictates you should audit your cloud storage providers to make sure that, from a policy, technical and usage perspective, they don’t become the weakest link in your security and compliance strategy to protect data.

Adshead: What implications do these have for an organisation's storage and backup infrastructure?

Gorge: Primarily, it means that as an organisation you need to have a process that allows you to monitor the security and compliance status of your storage infrastructure on an ongoing basis. So, this is not a point-in-time solution. It’s making sure you’ve got the right data classification, storage to store the right data and access it at the right time. And, as I said, make sure that this is an ongoing process, rather than just a single project.
