The battle between compliance and the cloud
The cloud continues to transform how businesses operate and, along with the increase in cyber threats, compliance is causing major headaches for many IT professionals
The beauty of the cloud is that it seeks to enable a business to become more agile, efficient and competitive, yet compliance seeks to restrain it. And this is what is preventing some businesses from making the most of the cloud.
Recent research from NTT Com Security revealed that businesses across the globe are wary of using the cloud. A worrying 86% admitted that issues around data protection, legislation and regulation are responsible for cloud computing being adopted more slowly than they would like.
You only have to look at the publicity surrounding the NSA and PRISM revelations, alongside compliance obligations, data sovereignty laws and regulatory requirements from authorities like the Information Commissioner’s Office (ICO).
With these increasingly complicated data laws, it’s becoming something of a minefield for businesses looking to embrace, or experiment with, the cloud.
The role of compliance
We use compliance to improve business and corporate governance and it’s important, considering what has happened in the last few years. It also helps improve approaches to risk management, enabling businesses to understand risks of using the cloud and what processes and measures they have in place to protect themselves.
What needs to change, though, is for compliance to look forward and work with businesses and governments. In this age of the cloud, IT professionals face a myriad of laws, including the ICO’s guidelines, which put the responsibility for security on the business that owns the data rather than on the third-party cloud provider.
To further complicate compliance in the cloud, businesses selling online must also consider the requirements of the PCI DSS (Payment Card Industry Data Security Standard). All businesses are also required by law to notify data owners when their personal data is being collected, and to secure that data against potential abuse.
Going back to basics
Some organisations are making assumptions on the skills required to develop, design and deliver secure cloud services. Too many are trying to apply risk procedures, controls and regulations to a cloud business model, which they don't truly understand.
Wrongly, they apply old world compliance methodologies to new world business models – only to soon decide that they can't use the cloud effectively because of compliance. Instead, they need to go back to basics. That means better understanding the cloud before applying these controls, and the same applies for cloud providers, which need to embed security into their services.
IT professionals that do understand the correct way to merge the cloud and compliance see good cloud skills as the priority. Companies hesitant about adopting the cloud should follow suit. With the right knowledge, businesses can then explore the technology and how it can improve their operation, and apply the necessary controls to manage risk.
So how can businesses avoid the battle? Good knowledge of security and risk management is key. Cloud and compliance might not get on well together but, with the right approach and in the right order, they can work in harmony.
Sourced from Garry Sidaway, global director of security strategy, NTT Com Security