
bluesource

Being compliant in the cloud

Tim Walwyn, Principal Technology Strategist at bluesource

A framework to guide your thinking and protect your business as you consider a move to the cloud.

Overview

Are you considering moving some of your IT services & systems to the cloud, but not made that move yet?

Are you nervous about the data you have to move, loss of control and the risk of non-compliance?

Are your business units already using cloud services without central IT approval and you’re concerned about security, management and monitoring?

If you answered “yes” to any of these questions then this bluesource briefing is for you. In the next few pages we explore some of the most common questions and concerns IT teams have around compliance when making the decision to move to the cloud.

You’ll find a practical guide that shows how the cloud stacks up against on-premises environments and a readiness assessment, for you to apply to your organisation, to help determine how best to make your move to the cloud. Crucially, you’ll learn that for most, if not all, organisations, moving to the cloud is fully compatible with most compliance requirements common in business today.

Cloud Compliance: What Does It Mean? A New Frontier

Simply, compliance is to data what health and safety is to your people. When moving services and the associated data to the cloud, businesses need to consider how that data will be moved and held in the cloud to be compliant with laws and industry regulations.

Storing data on-premises may not be a perfect solution but it’s one we all know and trust. Cloud data services, by contrast, hold extraordinary promise but for many feel untested and risky when it comes to meeting your compliance requirements.

But while a fear of the unknown is only natural, the truth is that users of cloud services are usually not breaking compliance requirements. In fact, the opposite is often true, and more and more businesses are starting to realise it.

Old limitations concerning compliance processes are now also mostly obsolete, with most cloud solutions able to work with your existing processes. If the cloud is the way of the future, then business and IT success will depend on reinventing some of our longest-held beliefs and behaviours. It will necessitate a shift from:

• Legacy first → Digital first (a “why not cloud” step in all planning)

• Visible → Valuable

• Control → Vision

And this means embracing the cloud.

Cloud v. On-Premises: Weighing the Benefits

With the scrutiny that cloud service providers find themselves under, it shouldn’t come as a surprise that they are often more secure and more closely aligned with many compliance considerations than your existing on-premises solution.

Compliance requirement: You need to know where all of your information is
On premises: You have core services in place and identified; however, legacy and/or rogue IT can be a negative influence.
Cloud solution: You have well-defined cloud services and/or providers, each with a known subset of information.

Compliance requirement: You need to know who has access to it
On premises: Many services provide access by default to all users who are part of your domain.
Cloud solution: Cloud services typically subscribe individual users to gain access to specific information sets.

Compliance requirement: You need to easily find information
On premises: An enterprise search solution such as SharePoint typically needs to be in place.
Cloud solution: Exactly the same process as on-premises.

Compliance requirement: You need to revoke access to information as required
On premises: Simple, via Active Directory permissions for internal users – but what about external users or partners?
Cloud solution: Assuming synchronised directories and/or single sign-on solutions, this is typically managed via your internal Active Directory permissions, with the added benefit that external user access can be managed in the same place.

Compliance requirement: You require high levels of backup/data retention
On premises: You will need to implement robust backup strategies for all on-site data.
Cloud solution: It’s common for this to be included by default with many cloud services, though it’s important to ensure your cloud service has a built-in exit strategy or gives you the ability to granularly restore information.

Compliance requirement: You need to perform eDiscovery searches on your data
On premises: You’ll choose an eDiscovery tool that can access your on-premises data stores such as file servers, archives and email.
Cloud solution: Different cloud solutions support different eDiscovery tools, making it important that you consider this functionality when choosing a solution if you have specific needs.

Compliance requirement: You need to add capacity to your archive
On premises: With on-premises archiving, you’ll need to purchase additional infrastructure when additional archiving and storage is required.
Cloud solution: Additional cloud storage capacity will come at an extra cost, but in most cases can be easily added to your account.

Compliance requirement: You need to migrate data to a different location
On premises: Prior to migrating data, you need to define which data is to be moved, who has access to it, and where it will be moved to.
Cloud solution: When migrating data to the cloud it’s important to consider the compliance and regulatory requirements related to that data and whether your cloud service is suitable. A hybrid approach can be used where only some data is in the cloud, depending on your specific compliance requirements.

As we can see, on a technical level both on-premises and cloud services generate similar concerns and offer very similar opportunities for meeting compliance requirements. In fact, when you consider the burden of trying to keep up with new requirements and challenges it’s arguable that in many cases the cloud can actually offer a superior service.

For example:

• Internal systems are trying to compete with dedicated specialist security teams provided by cloud service providers. Proactive cloud security teams can offer greater security in the cloud than on-site with your often over-stretched internal teams.

• Traditional on-premises support typically focuses on stopping unauthorised people from accessing your network. However, for many organisations the biggest risk today is well-meaning employees using technology incorrectly or falling victim to malware. Cloud services do not discriminate between internal and external employees, meaning staff cannot automatically skip past a number of security layers just because they’re internal.

Of course, the truth is that even if you’re seriously considering moving to the cloud, the reality for many organisations is to run a hybrid approach, using both on-premises and cloud services. Although at first glance this may feel complex, it really doesn’t need to be.

Cloud Readiness Assessment: 6 Questions to Help You Decide

Before choosing the right approach, whether on premises, in the cloud or a hybrid solution, a simple cloud-readiness assessment can help you to consider how sensitive your different data sets may be and whether they are a candidate for the cloud.

1) Where does my data need to reside?

Moving IT services to the cloud means that data previously held by the business and controlled by internal security is now subject to external security, so the obvious questions of who is looking after our data, who can see it and who can access it will naturally arise.

Although whistle-blowing, government and other investigations have increased awareness of these core questions, where your data resides is the central one. Ensure that you fully understand the data legislation requirements of all geographies you operate in and what rules exist for keeping certain information within a given geographical jurisdiction. This will be key in determining a) the suitability of a cloud provider given its data hosting locations and b) what data should be kept on-premises.

2) What specific regulations exist for my business?

The geography and industry you operate within will undoubtedly have their own legislation and regulations. For your on-premises environment these will have been covered as a matter of course, but making your move to the cloud enforces a discipline to review them and to assess how your cloud provider stacks up and whether they already have them covered. Bear in mind that many cloud solutions may already meet your requirements. For example, the regulations currently supported or certified against Microsoft Azure include:

• ISO 27001/27002
• SOC 1/SSAE 16/ISAE 3402 and SOC 2
• Cloud Security Alliance CCM
• HIPAA
• US-EU Safe Harbor Framework
• FBI CJIS (Azure Government)
• EU Data Protection Directive
• EU Model Clauses
• Food and Drug Administration 21 CFR Part 11
• United Kingdom G-Cloud
• Australian Government IRAP
• Singapore MTCS Standard
• FedRAMP
• FISMA
• PCI DSS Level 1
• FERPA
• FIPS 140-2
• CCCPPF
• MLPS

In addition to the above certifications, specific technologies such as ‘individual file encryption at rest’ are commonplace for cloud-based services, particularly with Software as a Service (SaaS) implementations.

3) How much of a problem is Rogue IT in your organisation?

With business units increasingly bypassing IT when making IT spending decisions, this problem has reached near epidemic proportions. The result is that central IT departments aren’t necessarily aware of what on-premises vs cloud-based activity is going on within their organisations.

For example, an internal employee may buy a subscription to a popular cloud storage service using their company credit card. They do not read the numerous terms and conditions in detail (or at all) but sign up anyway. The organisation then discovers that through the use of this service the employee has unwittingly loaned all intellectual property rights for the content stored on the service to the service provider. And before you know it you have a BIG compliance concern. The first key step in combating this problem is a thorough audit of all rogue IT activity within your organisation, so you can start to get back in control over what potential data leakage and compliance breaches your organisation may be facing.

The good news is that there are lots of tools and solutions to detect, audit and control rogue IT within an organisation. The challenge is what to do with the intelligence that is gathered, which typically requires replacing the rogue IT services with equivalent, approved services. Organisations can put technology in place to automatically detect and block access to new unapproved services, or to flag suspicious activity such as an employee uploading a large spike of information to an external data service.

4) What does your data landscape look like?

Moving IT services to the cloud provides the catalyst for understanding what data you have across the organisation and identifying any compliance gaps in how your organisation currently manages information. With the right tools you can gain visibility of all your unstructured data, analyse it and put in place data use and access control policies which together will help improve compliance, reduce risk and make your systems stronger. With this understanding you can determine how sensitive different information is and whether your organisation can move its data to the cloud in its entirety (and on which platform) or if a hybrid cloud/on-premises solution is more practical.

5) How do you migrate your data?

Ensuring cloud compliance requires the journey or migration of your data to the cloud to be equally compliant. This is a critical component of your cloud strategy and is often considered a simple delivery task that can be performed using off-the-shelf software. But this is a task that should not be underestimated. It can be highly challenging, time-consuming and complex, especially when migrating huge data volumes. Doing this properly is essential to protect your data, ensure chain of custody and maintain compliance.

6) How much eDiscovery does your business require?

One other aspect to consider, as our world becomes more litigious with legal cases and regulator demands, is eDiscovery in the cloud. The key considerations here are: How do I get data back if I need to produce it in a court of law? Can I access data in a timely manner, and how sophisticated can searches be? These are important considerations from a broader compliance standpoint and should be covered in your cloud readiness assessment.

Moving Forward: Your Cloud Compliance Journey

Although meeting compliance obligations in a cloud-first world can at first glance seem daunting, we hope we’ve helped you consider that a move to the cloud is not the compliance headache you may once have considered – and might even alleviate a few.

The benefits of moving to the cloud are both direct to your employees (ease of access to information) and to your IT teams (ease of security, data retention and compliance).

And there are numerous approaches and options available to you, letting you control your information and empower your employees.

If you’re considering moving to cloud services, contact bluesource to discuss your compliance considerations and what approach will best enable your organisation to get the most out of the cloud.

Get in touch to find out more:

Address: bluesource, 122 Tooley Street, London SE1 2TU

Tel: +44 (0) 845 319 2100

UK & EMEA (HQ)
122 Tooley Street, London SE1 2TU, UK
Call 0845 319 2100
Email sales@bluesource.co.uk
www.bluesource.co.uk

US
1900 Enchanted Way, Suite 225, Grapevine, TX 76051

Australia
Suite 7, Level 3, 142 Clarence Street, Sydney, NSW 2000

About the Author

Tim Walwyn is the Principal Technology Strategist at bluesource. Our leading expert on cloud computing, Tim advises clients on best practice and the most effective approach to cloud adoption and migration. Tim’s strengths include business process design, cloud decision frameworks, hybrid cloud implementations and automated workflows.

If you’re considering moving to the cloud, contact bluesource to discuss your compliance considerations and the most appropriate approach for your business.

About bluesource

bluesource helps organisations to drive productivity improvements by making information more accessible, specialising in technologies across Information Management, Collaboration and Universal Communications. We help preserve and protect the information that needs to be kept and surface it quickly for compliance, eDiscovery or general business use. We also help businesses move information through their organisation, automating its flow and making it easy for people to collaborate and communicate, anywhere on any device.

With 15 years’ experience as custodians of enterprise data, working with FTSE 100 businesses and those that operate in highly regulated sectors, we have expert insight into how information management and productivity technologies can be optimised in the cloud, on-premises or in hybrid environments. Through experience gained in our own service management centre we guide clients on the right management choice for their business as demands for ROI and cost predictability increase.

bluesource is a Symantec gold partner and holds triple gold and silver competencies with Microsoft across cloud and a wide range of productivity solutions.
