Compliance and the Cloud

by Tom McAndrew, VP, Professional Services, Coalfire

Today, companies across every sector of the marketplace are rapidly moving their data and IT assets out of expensive, inflexible data centers into agile, on-demand cloud environments. It’s a hot topic right now, yet most people can’t even define what “The Cloud” really is. As I talk to more companies considering the move, the two concerns that consistently keep them from going forward are security and compliance. The bottom line, however, is that cloud computing will soon become the IT standard, and companies need to get the right information and focus on the right priorities. Of course, security and compliance are key. But the question you need to be asking is not, “Will I be secure and compliant if I move to the cloud?” but rather, “What do I need to do to be secure and compliant when I move to the cloud?”

No Two Clouds are the Same

The switch to cloud computing is inevitable for most companies, and choosing the best cloud environment is a huge decision. To get it right, your IT auditor must interpret your regulatory requirements and assess the controls of the cloud services you are considering to see if they meet your needs based on the size, complexity and focus of your business. The problem, however, is that there is little consensus and almost no guidance in the audit community on how to accurately assess an individual cloud services provider. Despite that, there are two simple steps you can take to safeguard your migration and make sure it’s successful.

Get It in Writing

First, you must compare the service provider’s contracts with the regulatory needs of your business. The provider must acknowledge in writing their responsibility to protect your data. Contracts must stipulate that the provider understands the exact type of data they are dealing with, will guarantee its protection, will notify you immediately if there is a suspected incident, and will fully cooperate with any investigation. Surprisingly, the majority of cloud providers do not offer this basic level of assurance, though many new cloud models are being developed to deal with this shortfall.

Know Your Stuff

Second, you must ensure all your stakeholders, including external auditors, regulators, and IT staff, understand what they are dealing with. Cloud computing is a relatively new concept, and key players often demonstrate varying levels of technical knowledge and comfort. To make the move secure, your auditors must have a solid understanding of hypervisors, virtual switches, mixed-mode and multi-tenancy environments. Proficiency in virtualization, application security, and encryption will soon be required skills for all IT auditors.

Cloud computing is here, and it is only going to get bigger. While the standards of this newest IT evolution are still being established, there is no need to let uncertainty slow your migration. With a fundamental knowledge of cloud environments and a well-trained auditor, your organization can successfully lead the charge to the agile, on-demand world in the cloud.