As the scope of regulation continues to expand, global enterprises face the daunting challenges of safeguarding data privacy, minimizing security risks, and managing the scope of data growth. While platforms like Amazon Web Services (AWS) possess both the certifications, attestations, and infrastructure to handle corporate workloads, users must be familiar with their own regulatory environment so they can use these cloud services effectively.
Taking the first step
When considering a cloud-based data solution, you’ll naturally have many questions about the security of your data. Where is your data stored? Who has access to it? Are they the same people who manage the infrastructure, and are they internal employees or vendors of the provider?
If you choose a public cloud provider, you may have additional questions about security and how that provider protects data and addresses regulatory requirements.
These questions, if left unanswered, can turn into roadblocks for your migration to the cloud. So it’s imperative that your service provider address these concerns clearly and spell them out as part of their service-level agreements. After all, your organization is ultimately liable, so it makes sense to verify that your data is compliant and secure when stored in the cloud.
A Quick Guide To Regulation
While there are many regulatory bodies and frameworks based on industry and geography, these are the ones most likely to impact your company’s use of cloud services (and the security of those services):
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. Because the requirements set out in ISO/IEC 27001:2013 are generic and intended to be applicable to all organizations regardless of size or type, it is by far one of the most popular compliance frameworks.
Service Organization Control (SOC) is a set of accounting standards that measure the control of financial information for a service organization. SOCs are covered under both the SSAE 16 and the ISAE 3402 professional standards. While SOC 1 examines the financial reporting controls of an organization that provides services to end users, SOC 2 focuses on organizational controls based on trust-service principles that cover security, availability, processing integrity, confidentiality, and privacy. SOC 2 is a common method to evaluate security controls for cloud service providers.
The General Data Protection Regulation (GDPR) is a regulation from the EU Parliament to strengthen and unify data protection for individuals within the EU. The GDPR also addresses exportation of personal data outside the EU. The GDPR’s main objectives are to give EU citizens control of their personal data, simplify the regulatory environment, and standardize international business practices. When the GDPR takes effect in 2018, it will replace the EU Data Protection Directive originally passed in 1995.
Passed in 1996 and updated in 2009 and 2013, the Health Insurance Portability and Accountability Act (HIPAA) is US-specific legislation that provides data privacy and security provisions for safeguarding medical information. Title II of HIPAA impacts IT departments the most, as it directs the Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
The Federal Risk and Authorization Management Program (FedRAMP) is an assessment and authorization process used to ensure security is in place when accessing cloud computing products and services. FedRAMP uses security controls outlined in the National Institute of Standards and Technology Special Publication 800-53, which were specifically selected to provide protection in cloud environments. Prior to the introduction of FedRAMP, individual government agencies would evaluate and use their own cloud service providers according to the Federal Information Security Management Act of 2002.
The Payment Card Industry Data Security Standard (PCI DSS) was created in 2004 by the four major credit-card companies. It’s a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information. In April of 2016, PCI DSS was updated with new requirements for the use of TLS encryption, multi-factor authentication, and new service-provider requirements for change management and penetration testing.
Why Do Certifications Matter?
Certifications demonstrate that a vendor has fully audited their technology, infrastructure, and processes to ensure that they meet applicable regulations. Though the motivations for compliance typically include the desire to follow the rules or avoid sanctions, other factors drive organizations to enforce compliance as well:
- Security: Regulatory compliance is most often seen in the form of security controls, including audits that help businesses remain in compliance, safeguard information, and assure clients they’re protected.
- Punitive, financial, or reputational impact: When an organization is responsible for the security and confidentiality of private or sensitive data, losing “positive” control of that information invites unintended consequences. Many regulations today specify financial, punitive, and even criminal sanctions in the event of a data breach.
- Brand reputation: Fines and prison terms aside, there’s a less measurable yet equally tangible effect of non-compliance: tarnished brand reputation. Customer trust and market share are precious commodities that can vanish in the aftermath of a security breach or regulatory violation—and, with the speed news travels on social media, today these commodities can erode even faster.
US Government Regulatory Compliance
For federal, state, and local government agencies and contractors, embracing modern data protection poses a unique set of challenges, especially when it comes to security requirements and cloud deployment. America’s cloud-first policy requires government agencies to use cloud computing wherever possible, to improve IT flexibility, boost efficiency, and reduce costs—all while adhering to the strict standards set by the National Institute of Standards and Technology. To enable these organizations to protect their sensitive mobile data, Druva inSync supports AWS GovCloud. GovCloud is an isolated region of the cloud designed specifically for federal, state, and local government agencies and contractors to protect their data in compliance with FIPS, ITAR, FISMA, and FedRAMP.
How Companies Leverage Cloud Certifications?
At some point organizations have to start implementing technology controls to meet compliance needs. So, what does that look like? At Druva, security is our highest priority. Druva has architected a cloud-native solution leveraging Amazon Web Services (AWS) and Microsoft Azure to take advantage of the best data center and a network architecture for the demands of the most security-sensitive organizations. Our web services meet compliance standards, and the infrastructures that AWS and Azure provide allow us go above and beyond. Our solutions are designed and managed to meet a variety of IT security standards, as seen in the following table:
Whether yours is a global enterprise or a governmental agency (or anything in between), organizations like yours face complex challenges: data privacy and security risks, the growth of data and the mobile workforce, and shifting privacy regulations. Druva combines complete data privacy and security with a transparent, intuitive user experience to deliver best-in-class data protection and regulatory compliance in the cloud. But don’t just take our word for it:
The Next Steps
To learn more about how Druva can help address compliance concerns by leveraging the unique capabilities of the cloud:
Download our report: Compliance in the Cloud