You’re still responsible, but now you have more help.
It’s your responsibility to ensure compliance with PCI DSS, HIPAA, and other regulatory requirements. That doesn’t change when you move to the cloud. But reputable cloud service providers need satisfied customers to grow their business, which is why it’s in their best interests to help you maintain compliance using their services. Here’s how they’re partnering with you to successfully meet compliance policies.
Cloud service providers initially kept their focus on providing data storage in the cloud. Straight and simple. Yes, they always included security provisions. But it remained your responsibility to meet regulatory requirements. If you didn’t comply, how could they? Innovation and the need to grow the customer base has caused a shift in attitudes. Today, most cloud providers see the benefit of being an active partner in the compliance process.
Two big pushes
This attitude change by cloud service providers was accelerated by policies enacted to protect customer data. The result has been an alignment in two areas mandated by some of the highest compliance needs.
- An addition to the Health Insurance Portability and Accountability Act (HIPAA) in 2013 redefined cloud service providers as a business associate of the companies using them. If your company must be HIPAA compliant, so does your cloud service provider.
- If your company processes credit card information, you must comply with the PCI Data Security Standard (PCI DSS). The same goes for compliance with the Payment Application Data Security Standard (PA-DSS). Most online shopping sites are cloud-powered, so it made good business sense for cloud service providers to adopt these standards, too.
Where’s the data?
If you undergo a compliance audit, you must prove the location of your data. You also must provide evidence of the protective measures in place.
Many compliance regulations and standards require the location of your servers to be in the United States. Cloud service providers have moved to accommodate and document this requirement for you.
On the financial side, cloud services have set up tokenization, which replaces credit card data with random numbers that cannot be reversed to recover the card. This goes a long way towards achieving PCI DSS compliance. The tokenization is handled by a PCI-compliant payment processor, so the card data stays with that processor; only the non-PCI data remains with your cloud service provider.
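As an added illustration (not code from the post or from any real payment processor), the following sketch shows the split the paragraph describes: a vault, standing in for the PCI-compliant processor, holds the only mapping from card numbers to random tokens, while the merchant record kept on your side contains the token and last four digits but never a full card number. The class and function names are assumptions made for this example.

```python
import re
import secrets

# Constructed illustration. The vault models the PCI-scoped processor; the
# merchant side (your cloud-hosted app) keeps only the token it hands back.

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of card digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Inside PCI scope. Tokens are random, not derived from the PAN."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"[\s-]", "", pan)
        if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
            raise ValueError("not a valid PAN")
        if digits not in self._token_by_pan:
            # 96 random bits; nothing about the card can be recovered from it
            token = "tok_" + secrets.token_hex(12)
            self._token_by_pan[digits] = token
            self._pan_by_token[token] = digits
        return self._token_by_pan[digits]  # same card, same token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, e.g. to settle a charge."""
        return self._pan_by_token[token]


PAN_PATTERN = re.compile(r"\d{13,19}")

def merchant_record(vault: TokenVault, order_id: str, pan: str) -> dict:
    """What your side stores: the token plus last four digits for receipts."""
    digits = re.sub(r"[\s-]", "", pan)
    return {"order": order_id, "card_token": vault.tokenize(digits), "last4": digits[-4:]}

def holds_pan(record: dict) -> bool:
    """Scope check for an audit: does any stored value still look like a full PAN?"""
    return any(PAN_PATTERN.search(str(v)) for v in record.values())
```

`holds_pan` is the kind of check you can run over stored records to show an auditor that the merchant side is out of PCI scope.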
It’s all about control
Most compliance requirements and standards require that access to systems and data be controlled and secure. During a compliance audit, a company must document every user’s access level and how those access controls are enforced.
Again, cloud service providers have stepped forward to be partners in this process. Top, reputable vendors have programs in place to create the documentation of access levels.
This is especially important if your business must comply with regulations such as the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect customer information.
Encryption and multitenancy
This isn’t your problem, but it’s an issue for cloud service providers. To compete on price, they use shared virtual instances of software applications. It’s called multitenant architecture. Compliance rules require data protection. To make sure this happens when multiple businesses are sharing applications, cloud service providers now encrypt all data, whether it is at rest or in use.
While it’s a helpful second layer of security, you remain responsible for data encryption. This is crucial, and it bears repeating: You must encrypt data to remain compliant with HIPAA regulations. Failure to do so puts your company at risk of being charged with negligence. HIPAA requires PII/PHI data stored anywhere to be encrypted and accounted for.
Look for vendors that offer Encryption as a Service (EaaS). This extra level of security allows you to integrate and guarantee acceptable encryption levels across the board.
An evolving partnership
You are ultimately responsible for meeting compliance and regulatory standards. That doesn’t let your cloud service provider off the hook, though. It’s in their best interests to step up and help you with this responsibility if they want to keep your business.
As HIPAA defines it, they are now your “business associate.” As such, they understand the necessity to be a partner. After all, they do become an extension of your IT department.
Companies that successfully navigate the compliance maze know it’s crucial to understand how their cloud service partner operates. They’re not hesitant to ask for documentation and regular audits. Their vendors are happy to comply.
Likewise, as competition heats up, cloud vendors have become proactive. It’s now easier to be compliant in the cloud because of vendor diligence and adoption of the same compliance steps required of you. Like any partnership, though, neither side can let down their guard.