Many organizations have looked to cloud and colocation to push some of their most critical workloads outside of their own data centers. Now even workloads bound by compliance regulations can find a home in the cloud. The good news: compliance, regulations, and cloud can all live together harmoniously.
But it’s not always easy. For organizations worried about compliance, cloud can be a challenging maze to navigate.
“Financial firms remain under pressure from regulators to improve the effectiveness of their compliance and risk management analysis and reporting,” said Bill Fearnley, research director, Compliance, Fraud and Risk Analytics at IDC Financial Insights. “To stay ahead of bad actors and improve their compliance and fraud detection programs, financial firms are increasing investments in analytics tools and new sources and types of data.”
If you plan out your workloads properly, compliance and regulation shouldn’t be an issue. In my experience, I’ve worked with healthcare, pharmaceuticals, and even government agencies in their journey to the cloud. They’ve each found success in their own ways and use cases.
Choosing the Right Partner
A great way to start would be to work with a cloud or colocation partner that can help you navigate the cloud compliance ecosystem. Moving workloads to the cloud isn’t always a smooth process. You need to think about the following:
- Latency and user experience. Even if a colocation or cloud provider may have compliance and regulation requirements met, it doesn’t mean they can support user requirements. Geographic locations, proximity to users and data, and application performance are important factors to consider as well.
- Working with locations and specific regions. You will have different requirements around where data can reside and how it’s accessed. Your data center partner should be able to accommodate your requirements around data location and user access.
- Working with data security and segmentation. Compliance is one thing – good security practices is another. Make sure you follow security best practices and ensure that you have good visibility into your entire environment. Compliance and regulation alone does not equal security. You still need to take that into consideration.
A good partner will help you work with hardware and connectivity options as they design an architecture which fits with your specific use-case. The most important piece of advice here is to map out your requirements and work with a good partner who can align with those business needs.
Aside from those compliance and regulations mentioned here, there are a lot of others as well. This includes ISO 9001, 27001, FIPS, SOC 1/2/3, GDPR, FISMA, NIST, and many others.
Cloud and colocation partners are offering up a lot of options when it comes to selecting the right kind of hosting option for your organization.
Government
Take FedRAMP, for example. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry. Today, cloud providers like IBM, HP, Microsoft and Akamai are offering FedRAMP cloud services. AWS takes government workloads even further by offering services for Criminal Justice Information Services, DoD Data Processing, and even services for Federal Financial Institutions.
For those leveraging AWS, this kind of offering enables military organizations and their business associates to leverage the secure AWS environments to process, maintain, and store DoD data. AWS has attained provisional authorizations from the Defense Information Systems Agency (DISA).
Similarly, Microsoft was granted US Federal Risk and Authorization Management Program P-ATOs and ATOs. Furthermore, Microsoft received Department of Defense (DoD) Provisional Authorizations at Impact Levels 5, 4, and 2. This allows their cloud ecosystem to support a variety of different types of workloads.
Public cloud providers aren’t the only ones supporting government entities. Digital Reality’s FISMA NIST SP 800-53 supports security and privacy controls for federal information systems and organizations. Special Publication 800-53 provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government.
Digital Realty’s SOC 2 reports contain mapping to the NIST SP 800-53 moderate controls, showing how these controls are addressed in the SOC 2 report.
Healthcare
Healthcare has seen one of the biggest shifts into colocation and cloud services, and it’s happening for great reasons. Institutions that are ready to distribute their IT ecosystem can find big benefits from working with a solid colocation or cloud provider. Just a few years ago, HIPAA compliance was a cloud nightmare. However, the HIPAA Omnibus Rule, which was finalized in January 2013 and went into effect on March 26, 2013, improved patient privacy protections, gave individuals new rights to their health information, and also strengthened the government’s ability to enforce the law.
The changes to HIPAA (the Omnibus Rule) allowed for the creation of a business associate (BA). This is any organization that has more than just transient access to data (FedEx, UPS or USPS for example). Those organizations that took the time to sign the business associate agreement (BAA) allowed them to take on additional liability to manage protected healthcare information (PHI). One example of this would be Citrix and ShareFile Cloud for Healthcare which allows healthcare organizations to collaborate with their data both on-premises and in the cloud.
Others are also helping healthcare organizations move to the cloud. And, again, you don’t have to go with public cloud alone to make this happen. For example, NTT Communications and their data centers have successfully completed an independent examination of its data center Information Security Program for Colocation Services Related to HIPAA and HITECH.
NTT America Data Center information security program adopts essential elements of the Health Insurance Portability and Accountability Act Security Rule of 2003 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 including applicable components of administrative safeguards, physical safeguard, technical safeguards and breach notification requirements.
From a public cloud perspective, AWS and Azure offer great healthcare cloud options as well. For example, Azure is certified to the Health Information Trust Alliance Common Security Framework. Furthermore, Microsoft offers Health Insurance Portability & Accountability Act Business Associate Agreements (BAAs).
Finally, for specific kinds of workloads, AWS offers quite a few options. This includes options for genomics, biotech & pharma, and even options for healthcare providers & insurers.
If you’re in the healthcare field – don’t shy away from healthcare cloud options. Working with a good partner will allow you to map out your workloads and applications to ensure you fit into the right use-case.
E-Commerce, Payment Processing
PCI DSS has come a long way. Organizations which process payments can now leverage cloud and colocation options for their workloads. According to Rackspace, when you host your infrastructure in their cloud, you can also sign up with a separate payment processor to provide tokenization, which occurs when you replace credit card data with meaningless numbers or “tokens.” When you accept a payment, non-PCI data is routed to your Rackspace-hosted environment, while the tokenized credit card data is routed to your payment processor. Since your customers’ credit card data is not routed to your Rackspace hosted infrastructure – only the payment processor – your Rackspace environment stays out of the scope of your PCI requirements.
Similarly, according to NTT, because PCI is a shared responsibility, NTT America’s Colocation environment has been assessed against the applicable PCI Requirements (9 & 12) and found to properly restrict physical access to cardholder data and maintain information security policies.
Azure, AWS and numerous other cloud providers work with PCI DSS and comply with Payment Card Industry Data Security Standards.
Aside from those compliance and regulations mentioned here, there are a lot of others as well. This includes ISO 9001, 27001, FIPS, SOC 1/2/3, GDPR, FISMA, NIST, and many others.
Before you move a workload to the cloud, make sure to do a full analysis. Know the cost what the architecture will look like, and how the economics will work for your company. However, when you do find that right use-case with the right type of economic model – moving to a compliance or regulation cloud model can have a lot of benefits.
