If you have ever gone through a formal onboarding process, it is likely that you are familiar with the idea of regulatory compliance. Remember when you were signing what seemed to be a thousand documents the day you accepted the job? Well, within a few of those pages lie specific instructions on how to safeguard sensitive information and protect the privacy of the individuals it belongs to. This includes guidance on the proper way to store that information, who may access and share it, and the procedure for reporting a data breach should one ever occur.
For example, the Health Insurance Portability and Accountability Act (HIPAA) is regulatory legislation for the US healthcare industry, signed into law in 1996 to protect the privacy of patients. The law is holistic in nature: it protects patient information regardless of whether it is kept on paper or digitally, and whether it is sitting in storage or being shared. To drive accountability in protecting patients' medical records and other confidential data, healthcare providers and their business partners face heavy fines for non-compliance, and in certain circumstances criminal charges have also been filed against negligent parties.
Compliance rules differ if you work in government (FedRAMP), manufacturing (GMP), or real estate (CFPB), and they are also affected by whether or not you collect payments from cardholders (PCI-DSS). If your organization wears multiple hats, you can find yourself on the hook for several of these regimes at once. And as if the compliance landscape wasn't already a minefield, technology innovation has added one more layer for professionals to account for: the cloud. You now have to mitigate risks on the devices you own internally while also addressing the risks to data stored in third-party environments, where you control the configuration but not the underlying infrastructure. Impossible? No. But the task ahead won't be easy. You'll need a lot of discipline and the help of some strategic partners. With that said, we've outlined five tips for ensuring data compliance in the cloud:
Type of Cloud
Obvious as it may be to some, the first tip is to have a firm understanding of what type of cloud your organization is using, the nuances of that deployment model, and whether any regulations apply specifically to it. A private cloud running on your own data center resources is single tenant: only your organization's data touches the infrastructure, so there are no co-tenants to isolate from. That makes it the least exposed option on paper, but it also means you carry the entire control stack, from physical security and hypervisor patching to audit logging, and an auditor will expect evidence for all of it. The alternative is a public cloud from AWS, Microsoft, or Google. These multi-tenant architectures will likely cost less because you share infrastructure capacity with other organizations, and isolation between tenants is enforced by the provider's hypervisor, network, and identity layers rather than by you. In theory that is a larger trust footprint; in practice, the provider secures the infrastructure under a shared responsibility model and the compliance findings you are most likely to be audited on are misconfigurations on your side of that line: permissive identities, unencrypted storage, resources in the wrong region. Leveraging a public or hybrid cloud is not necessarily detrimental, but you should know exactly which responsibilities sit with you for each piece of it when thinking about compliance.
Access Management
Access management for your staff is a vital function for successful data protection. Given the sensitivity of your user data, you don't want just anyone having access to anything. Build policies that grant each person, and each service account, the least privilege required for the task at hand; a wildcard grant that allows every action on every resource is the opposite of that. Enact need-based access so employees are granted specific resources only for a limited time; access that expires after a set duration shrinks the window in which a stolen credential can be used. Regularly audit your directory and cloud identities according to your business requirements to ensure that only valid users exist, that expired grants have actually been removed, and that dormant accounts are disabled. Lastly, you must also be able to demonstrate that least-privilege access has been implemented, which means keeping the policy documents alongside the access reviews and logs that show it is enforced. This evidence is critical in some industries.
Service Provider SLAs
In addition to your own staff, you need to ensure that your cloud provider is aware of and has the capacity to service your needs as they relate to achieving regulatory compliance. This is not something you can leave to chance or assume because of your provider's reputation. Providers publish third-party attestations for their infrastructure, but those cover their side of the shared responsibility model, not how you configure the services on top of it. The service level agreement with your cloud provider(s) must be very clear on roles and responsibilities, incident response execution, breach notification timelines, and data breach remediation. Everything agreed to with your provider must be in line with the regulations governing your organization, and you must have the option to modify the SLA to accommodate changes in your compliance needs.
Data Encryption
For any business in the digital era, data is the most valuable asset, so make sure the right measures are taken to secure it. Ensure that encryption at rest is enabled. Be clear about what this does and does not buy you: it protects the data if a disk, snapshot, or backup is lost, stolen, or read outside the service, but an attacker holding valid access credentials will be served decrypted data just as a legitimate user would, so encryption at rest complements access management rather than replacing it. Manage the keys through a key management service or HSM that is separate from the data it protects, with its own access controls and audit trail. When data is in transit, make sure it moves over TLS end to end, including between your own services inside the cloud, so that it cannot be read or altered in the middle. As part of operations and support, consider pseudonymizing customer identifiers so they are not disclosed in logs, analytics, and support tooling; use a keyed hash (HMAC) or tokenization rather than a plain hash, because an unkeyed hash of a low-entropy value such as an email address can be reversed simply by hashing likely guesses. If encryption will be provided by your cloud vendor, get thoroughly familiar with the process: understand exactly what type of encryption they offer, who holds the keys (provider-managed or customer-managed), whether you can rotate or revoke them, and the granular details of the implementation.
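The difference between a plain hash and a keyed hash for pseudonymizing customer identifiers, as an added example that is not part of the original post. It is standard-library Python only; the customer emails and the attacker's guess list are constructed for the demo, and the key is assumed to come from a KMS or HSM in a real deployment.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data: a tiny customer list and the values an attacker
# could plausibly guess. Email addresses are low-entropy identifiers.
CUSTOMER_EMAILS = ["alice@example.com", "bob@example.com"]
GUESS_LIST = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key.

    Still deterministic per key, so records remain joinable across systems,
    but without the key an attacker cannot confirm a guess. The key is
    assumed to live in a KMS/HSM and never beside the pseudonymized data.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def recover_by_guessing(pseudonym: str, guesses: Iterable[str],
                        pseudonymize: Callable[[str], str]) -> Optional[str]:
    """Offline dictionary attack: re-run the transformation on each guess
    and compare. It works whenever the transformation needs no secret."""
    for guess in guesses:
        if hmac.compare_digest(pseudonymize(guess), pseudonym):
            return guess
    return None


def demo():
    key = secrets.token_bytes(32)  # in production: fetched from the KMS
    target = CUSTOMER_EMAILS[0]
    naive = naive_pseudonym(target)
    keyed = keyed_pseudonym(target, key)

    # The attacker knows the algorithm but not the key.
    recovered_naive = recover_by_guessing(naive, GUESS_LIST, naive_pseudonym)
    recovered_keyed = recover_by_guessing(
        keyed, GUESS_LIST, lambda g: keyed_pseudonym(g, b"attacker-guessed-key"))
    return recovered_naive, recovered_keyed


if __name__ == "__main__":
    print(demo())  # the plain hash gives the email back; the HMAC does not
```

Salting the plain hash does not help here if the salt is stored next to the pseudonym, because the attacker reads the salt along with the data; the property that matters is that the secret input is unavailable to whoever holds the output.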
Regions & Availability Zones (AZs)
Depending on your industry, you may also need to comply with data residency guidelines. These dictate where within your provider's national or global infrastructure the data is stored. More often than not, sensitive data will need to remain within its country of origin, and that applies to backups, replicas, and logs as well as the primary copy, so check whether the services you use replicate across regions by default. If you are ever audited by a compliance governing body, you will need to demonstrate that the data is indeed stored where it should be: a resource inventory broken down by region, plus a preventive control that denies creating resources outside the approved regions, is the evidence an auditor will want to see.
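The kind of automated audit check the access management, encryption, and data residency tips above describe, as an added example that is not part of the original post and not the Xi Beam product's code. The inventory, its field names, the allowed regions, the 90-day idle threshold, and the fixed audit date are all constructed for this example; a real check would pull the same facts from the provider's inventory APIs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ALLOWED_REGIONS = {"us-east-1", "us-west-2"}  # assumed residency rule: US only
MAX_IDLE_DAYS = 90                            # assumed dormancy threshold
TODAY = date(2019, 6, 1)                      # fixed so the run is deterministic

# Constructed inventory. Field names are this example's own, not any provider's API.
INVENTORY = {
    "principals": [
        {"name": "alice", "actions": ["s3:GetObject"],
         "last_used": date(2019, 5, 28), "expires": date(2019, 7, 1)},
        {"name": "bob", "actions": ["*"],                    # full admin, never expires
         "last_used": date(2019, 1, 15), "expires": None},
        {"name": "contractor", "actions": ["s3:PutObject"],  # grant expired, still present
         "last_used": date(2019, 5, 30), "expires": date(2019, 4, 30)},
        {"name": "svc-build", "actions": ["ec2:*"],          # service-wide wildcard, never used
         "last_used": None, "expires": date(2019, 12, 31)},
    ],
    "buckets": [
        {"name": "reports-us", "region": "us-east-1", "kms_key": "alias/reports", "tls_only": True},
        {"name": "backups-eu", "region": "eu-west-1", "kms_key": "alias/backups", "tls_only": True},
        {"name": "scratch", "region": "us-west-2", "kms_key": None, "tls_only": False},
    ],
}


@dataclass
class Finding:
    check: str     # which control failed
    resource: str  # principal or bucket name
    detail: str    # evidence for the audit report


def check_principals(principals: List[dict], today: date = TODAY) -> List[Finding]:
    """Least privilege, time-bound access, and dormant-account checks."""
    findings = []
    for p in principals:
        if "*" in p["actions"] or any(a.endswith(":*") for a in p["actions"]):
            findings.append(Finding("least-privilege", p["name"], "wildcard action grant"))
        if p["expires"] is None:
            findings.append(Finding("time-bound-access", p["name"], "grant has no expiry"))
        elif p["expires"] < today:
            findings.append(Finding("stale-grant", p["name"],
                                    f"expired {p['expires']} but still present"))
        idle: Optional[int] = (today - p["last_used"]).days if p["last_used"] else None
        if idle is None or idle > MAX_IDLE_DAYS:
            findings.append(Finding("inactive-principal", p["name"],
                                    "never used" if idle is None else f"idle {idle} days"))
    return findings


def check_buckets(buckets: List[dict], allowed_regions=ALLOWED_REGIONS) -> List[Finding]:
    """Data residency plus encryption at rest and in transit checks."""
    findings = []
    for b in buckets:
        if b["region"] not in allowed_regions:
            findings.append(Finding("data-residency", b["name"], f"stored in {b['region']}"))
        if b["kms_key"] is None:
            findings.append(Finding("encryption-at-rest", b["name"], "no KMS key configured"))
        if not b["tls_only"]:
            findings.append(Finding("encryption-in-transit", b["name"], "plaintext transport allowed"))
    return findings


def run_audit(inventory: dict, today: date = TODAY) -> List[Finding]:
    return check_principals(inventory["principals"], today) + check_buckets(inventory["buckets"])


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count of failed checks per control, the shape a compliance dashboard reports."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_audit(INVENTORY):
        print(f"{f.check:22} {f.resource:12} {f.detail}")
    print(summarize(run_audit(INVENTORY)))
```

Each finding carries the resource and the evidence, because the point of the audit is not just to fail a control but to produce the record an assessor will ask for. Running the same checks against both AWS and Azure inventories is what turns siloed per-provider snapshots into a single view, which is the multi-cloud problem the next section raises.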
Pretty comprehensive list, eh? We think so too. But unfortunately, you're still not in the clear just yet. The last outstanding item we haven't addressed involves multi-cloud environments. In today's digital economy, the reality is that organizations use more than one cloud provider to achieve their business objectives. A large manufacturer, for instance, could run certain workloads on AWS and others on Microsoft Azure. Not a big deal on the surface. However, while cloud service providers generally offer tools to address your compliance needs, each can only cover its own platform. That leaves your compliance coverage incomplete: you have siloed per-provider snapshots instead of holistic visibility.
So how do you get holistic support for regulatory compliance in the cloud? Nutanix Xi Beam maintains cloud security compliance for regulatory standards like PCI-DSS, HIPAA, CIS, and more for AWS and Azure clouds. You can use customizable compliance policies and audit checks to meet specific compliance needs. Also monitor your performance with detailed analytics and reports. Today, Xi Beam performs audits every 24 hours and also allows you to set audits at scheduled intervals. With more than 200 automated audit checks and built-in security compliance policies, Xi Beam gives you unparalleled insight into your multi-cloud environment. If you’re interested, you can get a free 14-day trial of the platform to test it out for yourself:
Disclaimer: This blog may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such site.
© 2019 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and the other Nutanix products and features mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).