Cloud compliance is an issue at the forefront of IT departments in industries as diverse as financial services, government, healthcare and retail. Regulations and standards including PCI-DSS, HIPAA and SOX require ever more stringent controls and reporting, leading many enterprises migrating to the cloud, or evaluating their current cloud services, to seriously question their compliance posture and ensure they comply with legal and industry regulations.
Managed service providers (MSPs) who specialize in cloud-compliant hosting, like HOSTING, welcome these questions as they frequently lead to deeper conversations and understanding. MSPs who are not in tune with compliance regulations will try to deflect any questions or talk around them. It’s up to you, as the IT professional, to force your MSP to come to the table with the cloud compliance answers you need to protect your organization and its customers.
Following are some questions to ask to begin the cloud compliance conversation:
1. What information and data do you store?
2. Where do you physically store it?
3. Who has access to it? And what controls are in place to prevent unauthorized access?
4. Are they external or internal to your company?
5. What are the levels of access?
6. Who decides the levels of access?
7. What access do you provide to logs?
8. What terms – if any – are written into the service level agreement (SLA) regarding compliance?
9. What is my role in the protection of our data and information? What is your role?
10. How many compliance audits have you helped your customers through?
Quite obviously, these are just a start to the compliance conversations you should have with your current MSP or any MSP you’re in the process of evaluating.
It’s also critically important to ask what the provider’s ‘exit procedures’ are in case you decide to move to a different provider (e.g., how they will assist with the migration and how they will ensure your data is removed from their systems).
Given that compliance varies from industry to industry, country to country and even state to state in some instances, it is vital that you have a qualified MSP with an on-site Chief Information Security Officer (CISO) to guide you. And even if your specific industry isn’t regulated yet, it just makes more sense – and provides more security – to go with a provider who is already providing cloud compliance.
As the leading provider of compliant cloud solutions, HOSTING has developed a number of white papers, blog posts, webinars and podcasts to help you understand both the big and small pictures to determine and assess risks. Some good places to start include Safeguarding PCI Data in the Cloud and Meeting Healthcare IT Challenges Head On. More insight and analysis can be found under the resources tab in the top left corner of the website.