bluesource
Being compliant in the cloud
Tim Walwyn, Principal Technology Strategist at bluesource
Being compliant in the cloud.
A framework to guide your thinking and protect your business as you consider a move to the cloud.
Overview
Are you considering moving some of your IT services & systems to the cloud, but not made that move yet?
Are you nervous about the data you have to move, loss of control and the risk of non-compliance?
Are your business units already using cloud services without central IT approval and you’re concerned about security, management and monitoring?
If you answered “yes” to any of these questions then this bluesource briefing is for you. In the next few pages we explore some of the most common questions and concerns IT teams have around compliance when making the decision to move to the cloud.
You’ll find a practical guide that shows how the cloud stacks up against on-premises environments, and a readiness assessment for you to apply to your organisation to help determine how best to make your move to the cloud. Crucially, you’ll learn that for most, if not all, organisations moving to the cloud is fully compatible with most compliance requirements common in business today.
Simply, compliance is to data what health and safety is to your people. When moving services and the associated data to the cloud, businesses need to consider how that data will be moved and held in the cloud to be compliant with laws and industry regulations.
Storing data on-premises may not be a perfect solution but it’s one we all know and trust. Cloud data services, by contrast, hold extraordinary promise but for many feel untested and risky when it comes to meeting your compliance requirements.
But while a fear of the unknown is only natural, the truth is that users of cloud services are usually not breaking compliance requirements. In fact, the opposite is often true, and more and more businesses are starting to realise it.
Old limitations concerning compliance processes are now also mostly obsolete, with most cloud solutions able to work with your existing process. If the cloud is the way of the future, then business and IT success will depend on reinventing some of our longest held beliefs and behaviours. It will necessitate a shift from:
Legacy first to Digital First (a “why not cloud” step in all planning)
Visible to Valuable
Control to Vision
And this means embracing the cloud.
Cloud Compliance: What Does It Mean? A New Frontier
Cloud vs. On-Premises: Weighing the Benefits
With the scrutiny that cloud service providers find themselves under, it shouldn’t come as a surprise that they are often more secure and more closely aligned with many compliance considerations than your existing on-premises solution.

Compliance Requirement: You need to know where all of your information is
On Premises: You have core services in place and identified; however, legacy and/or rogue IT can be a negative influence.
Cloud Solution: You have well defined cloud services and/or providers, each with a known subset of information.

Compliance Requirement: You need to know who has access to it
On Premises: Many services provide access by default to all users who are part of your domain.
Cloud Solution: Cloud services typically subscribe individual users to gain access to specific information sets.

Compliance Requirement: You need to easily find information
On Premises: An enterprise search solution such as SharePoint typically needs to be in place.
Cloud Solution: Exactly the same process as on-premises.

Compliance Requirement: You need to revoke access to information as required
On Premises: Simple, via Active Directory permissions for internal users – but what about external users or partners?
Cloud Solution: Assuming synchronised directories and/or single sign-on solutions, this is typically managed via your internal Active Directory permissions, with the added benefit that external user access can be managed in the same place.
Compliance Requirement: You require high levels of backup/data retention
On Premises: You will need to implement robust backup strategies for all on-site data.
Cloud Solution: It’s common for this to be included by default with many cloud services, though it’s important to ensure your cloud service has a built-in exit strategy or gives you the ability to granularly restore information.

Compliance Requirement: You need to perform eDiscovery searches on your data
On Premises: You’ll choose an eDiscovery tool that can access your on-premises data stores such as file servers, archives and email.
Cloud Solution: Different cloud solutions support different eDiscovery tools, making it important that you consider this functionality when choosing a solution if you have specific needs.

Compliance Requirement: You need to add capacity to your archive
On Premises: With on-premises archiving, you’ll need to purchase additional infrastructure when additional archiving and storage is required.
Cloud Solution: Additional cloud storage capacity will come at an extra cost, but in most cases can be easily added to your account.

Compliance Requirement: You need to migrate data to a different location
On Premises: Prior to migrating data, you need to define which data is to be moved, who has access to it, and where it will be moved to.
Cloud Solution: When migrating data to the cloud it’s important to consider the compliance and regulatory requirements related to that data and whether your cloud service is suitable. A hybrid approach can be used where only some data is in the cloud, depending on your specific compliance requirements.
As we can see, on a technical level both on-premises and cloud services generate similar concerns and offer very similar opportunities for meeting compliance requirements. In fact, when you consider the burden of trying to keep up with new requirements and challenges it’s arguable that in many cases the cloud can actually offer a superior service.
For example:
• Internal systems are trying to compete with dedicated specialist security teams provided by cloud service providers. Proactive cloud security teams can offer greater security in the cloud than on-site with your often over-stretched internal teams.
• Traditional on-premises support typically focuses on stopping unauthorised people from accessing your network. However, for many organisations the biggest risk today is well-meaning employees using technology incorrectly or falling victim to malware. Cloud services do not discriminate between internal and external employees, meaning staff cannot automatically skip past a number of security layers just because they’re internal.
Of course, the truth is that even if you’re seriously considering moving to the cloud, the reality for many organisations is to run a hybrid approach, using both on-premises and cloud services. Although at first glance this may feel complex, it really doesn’t need to be.
Cloud Readiness Assessment
Before choosing the right approach, whether on premises, in the cloud or a hybrid solution, a simple cloud-readiness assessment can help you to consider how sensitive your different data sets may be and whether they are a candidate for the cloud.
6 Questions to Help You Decide
1) Where does my data need to reside?
Moving IT services to the cloud means that data previously held by the business and controlled by internal security is now subject to external security, so the obvious questions of who is looking after our data, who can see it and who can access it will naturally arise.
Whistleblowing, government and other investigations have increased awareness of these core questions, and where your data resides is central to them. Ensure that you fully understand the data legislation requirements of all geographies you operate in and what rules exist for keeping certain information within a given geographical jurisdiction. This will be key in determining a) the suitability of a cloud provider given its data hosting locations and b) what data should be kept on-premises.
2) What specific regulations exist for my business?
The geography and industry you operate within will undoubtedly have their own legislation and regulations. For your on-premises environment these will have been covered as a matter of course, but making your move to the cloud enforces a discipline to review them and make an assessment of how your cloud provider stacks up and whether they already have them covered. Bear in mind that many cloud solutions may already meet your requirements. For example, the regulations currently supported or certified against Microsoft Azure include:
• ISO 27001/27002
• SOC 1/SSAE 16/ISAE 3402 and SOC 2
• Cloud Security Alliance CCM
• HIPAA
• US-EU Safe Harbor Framework / EU Data Protection Directive
• EU Model Clauses
• Food and Drug Administration 21 CFR Part 11
• FBI CJIS (Azure Government)
• PCI DSS Level 1
• FERPA
• FIPS 140-2
• United Kingdom G-Cloud
• Australian Government IRAP
• Singapore MTCS Standard
• FedRAMP
• FISMA
• CCCPPF
• MLPS
In addition to the above certifications, specific technologies such as ‘individual file encryption at rest’ are commonplace for cloud based services, particularly with Software as a Service (SaaS) implementations.
3) How much of a problem is Rogue IT in your organisation?
With business units increasingly by-passing IT when making IT spending decisions, this problem has reached near epidemic proportions. The result is that central IT departments aren’t necessarily aware of what on-premises vs cloud based activity is going on within their organisations.
For example, an internal employee may buy a subscription to a popular cloud storage service using their company credit card. They do not read the numerous terms and conditions in detail (or at all) but sign up anyway. The organisation then discovers that through the use of this service the employee has unwittingly granted intellectual property rights for all of the content stored on the service to the service provider. And before you know it you have a BIG compliance concern. The first key step in combating this problem is a thorough audit of all rogue IT activity within your organisation, so you can start to get back in control of the potential data leakage and compliance breaches your organisation may be facing.
The good news is that there are lots of tools and solutions to detect, audit and control rogue IT within an organisation. The challenge is what to do with the intelligence that is gathered, which typically requires replacing the rogue IT services with equivalent, approved services. Organisations can put technology in place to automatically detect and block access to new unapproved services, or flag suspicious activity such as an employee uploading a large spike of information to an external data service.
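The two detections described above (uploads to services that are not on the approved list, and a sudden spike in a user’s upload volume) can be run over ordinary web-proxy logs. The following is an added example written for this briefing; it is not a bluesource tool and not part of any product mentioned here. The log format, the host names and the “approved services” list are all constructed for illustration, as are the thresholds, which an organisation would tune against its own baseline.

```python
"""Flag unapproved cloud services and upload spikes in proxy logs (illustrative example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not real data).
# Format assumed for this example: timestamp user destination-host method bytes-sent
SAMPLE_LOG = """\
2024-03-04T09:00:12Z alice sharepoint.example-approved.com PUT 120000
2024-03-04T09:05:40Z alice sharepoint.example-approved.com PUT 90000
2024-03-04T09:20:03Z bob files.unapproved-storage.example PUT 50000000
2024-03-04T09:21:10Z bob files.unapproved-storage.example PUT 48000000
2024-03-04T09:30:55Z carol sharepoint.example-approved.com PUT 100000
2024-03-04T10:02:17Z carol sharepoint.example-approved.com PUT 700000000
"""

# Hypothetical allowlist of cloud services that central IT has approved.
APPROVED_SERVICES = {"sharepoint.example-approved.com"}

UPLOAD_METHODS = {"PUT", "POST"}


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, user, host, method, sent = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "host": host,
        "method": method,
        "bytes": int(sent),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_unapproved(records, approved=APPROVED_SERVICES):
    """Return {user: {hosts}} for uploads sent to services outside the allowlist."""
    hits = defaultdict(set)
    for r in records:
        if r["method"] in UPLOAD_METHODS and r["host"] not in approved:
            hits[r["user"]].add(r["host"])
    return dict(hits)


def hourly_upload_totals(records):
    """Sum bytes uploaded per user per clock hour: {user: {hour_start: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["method"] in UPLOAD_METHODS:
            bucket = r["ts"].replace(minute=0, second=0, microsecond=0)
            totals[r["user"]][bucket] += r["bytes"]
    return totals


def find_upload_spikes(records, factor=5, absolute_bytes=100 * 1024 * 1024):
    """Flag an hour in which a user uploaded more than `factor` times the mean of
    their other hours, or more than `absolute_bytes` outright.
    Returns a list of (user, hour_start_iso, bytes) tuples."""
    alerts = []
    for user, buckets in hourly_upload_totals(records).items():
        for bucket, total in sorted(buckets.items()):
            others = [v for b, v in buckets.items() if b != bucket]
            baseline = sum(others) / len(others) if others else None
            relative_spike = baseline is not None and total > factor * baseline
            if relative_spike or total > absolute_bytes:
                alerts.append((user, bucket.isoformat(), total))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, hosts in find_unapproved(recs).items():
        print(f"unapproved service: {user} -> {sorted(hosts)}")
    for user, hour, total in find_upload_spikes(recs):
        print(f"upload spike: {user} at {hour}: {total} bytes")
```

In the constructed sample, bob is reported for using a service that is not on the allowlist, and carol is reported for an hour in which her upload volume is thousands of times her usual level. Both findings are inputs to the audit described above, not verdicts: the follow-up is to confirm whether the service is sanctioned and, if not, to replace it with an approved equivalent.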
4) What does your data landscape look like?
Moving IT services to the cloud provides the catalyst for understanding what data you have across the organisation and identifying any compliance gaps in how your organisation currently manages information. With the right tools you can gain visibility of all your unstructured data, analyse it and put in place data use and access control policies which together will help improve compliance, reduce risk and make your systems stronger. With this understanding you can determine how sensitive different information is and whether your organisation can move its data to the cloud in its entirety (and on which platform) or whether a hybrid cloud/on-premises solution is more practical.
5) How do you migrate your data?
Ensuring cloud compliance requires the journey or migration of your data to the cloud to be equally compliant. This is a critical component of your cloud strategy and is often treated as a simple delivery task that can be performed using off the shelf software. But this is a task that should not be under-estimated. It can be highly challenging, time-consuming and complex, especially when migrating huge data volumes. Doing this properly is essential to protect your data, ensure chain of custody and maintain compliance.
6) How much eDiscovery does your business require?
One other aspect to consider, as our world becomes more litigious with legal cases and regulator demands, is eDiscovery in the cloud. The key considerations here are: How do I get data back if I need to produce it in a court of law? Can I access data in a timely manner, and how sophisticated can searches be? These are important considerations from a broader compliance standpoint and should be included in your cloud readiness assessment.
Moving Forward: Your Cloud Compliance Journey
Although meeting compliance obligations in a cloud-first world can at first glance seem daunting, we hope we’ve helped you consider that a move to the cloud is not the compliance headache you may once have considered – and might even alleviate a few.
The benefits of moving to the cloud are both direct to your employees (ease of access to information) as well as to your IT teams (ease of security, data retention and compliance).
And there are numerous approaches and options available to you, letting you control your information and empower your employees.
If you’re considering moving to cloud services, contact bluesource to discuss your compliance considerations and what approach will best enable your organisation to get the most out of the cloud.
Get in touch to find out more:
Address: bluesource, 122 Tooley Street, London SE1 2TU
Tel: +44 (0) 845 319 2100
UK & EMEA (HQ): 122 Tooley Street, London SE1 2TU, UK. Call 0845 319 2100. Email sales@bluesource.co.uk. www.bluesource.co.uk
US: 1900 Enchanted Way, Suite 225, Grapevine, TX 76051
Australia: Suite 7, Level 3, 142 Clarence Street, Sydney, NSW 2000
About The Author
Tim Walwyn is the Principal Technology Strategist at bluesource. Our leading expert on cloud computing, Tim advises clients on best practice and the most effective approach to cloud adoption and migration. Tim’s strengths include business process design, cloud decision frameworks, hybrid cloud implementations and automated workflows.
If you’re considering moving to the cloud, contact bluesource to discuss your compliance considerations and the most appropriate approach for your business.
About bluesource
bluesource helps organisations to drive productivity improvements by making information more accessible, specialising in technologies across Information Management, Collaboration and Universal Communications. We help preserve and protect the information that needs to be kept and surface it quickly for compliance, eDiscovery or general business use. We also help businesses move information through their organisation, automating its flow and making it easy for people to collaborate and communicate, anywhere on any device.
With 15 years’ experience as custodians of enterprise data, working with FTSE 100 businesses and those that operate in highly regulated sectors, we have expert insight into how information management and productivity technologies can be optimised in the cloud, on-premises or in hybrid environments. Through experience gained in our own service management centre we guide clients on the right management choice for their business as demands for ROI and cost predictability increase.
bluesource is a Symantec gold partner and holds triple gold and silver competencies with Microsoft across cloud and a wide range of productivity solutions.