Compliance – What a cloud provider needs to prove

Compliance means different things to different companies and people. And as much as compliance can sometimes be reduced to a checklist, it is always an important consideration when moving your business to the cloud, especially while you are choosing a vendor.

Below are a few important Do's and Don'ts for evaluating a potential cloud provider to partner with. Knowing where you stand with regard to compliance before you start that evaluation is important.

Don’t

Never assume that you are fully aware of every compliance issue related to your business. There are a great many of them, and they change constantly: HIPAA, PCI DSS, NIST, FISMA, Sarbanes-Oxley, SAS 70 and its successor SSAE 16, and the list goes on.

Do

Consider a cloud provider as your guide through the compliance labyrinth. Be open about your business goals and how your business runs, and a savvy cloud provider will be able to navigate the different compliance requirements and architect an environment that serves your business while keeping the infrastructure underneath it compliant. Keep in mind, though, that a provider's certifications cover the provider's own scope of services; the controls within your applications and data remain your responsibility to implement and to demonstrate to your auditor.

Don’t

Be skeptical of any cloud provider that gives you a simple yes-or-no answer on compliance.

Do

It is important to partner with a provider that understands not only the different compliance regimes but also the multiple levels within each one. Under PCI DSS, for instance, the security requirements are the same for every merchant, but the validation burden is very different: a Level 1 merchant needs an annual on-site assessment and Report on Compliance from a QSA, while a Level 4 merchant can typically validate with a Self-Assessment Questionnaire.

Don’t

Looking at compliance purely as a technology problem does not come close to capturing how it will affect your business and your workload.

Do

Compliance is, to a large extent, less about technology and more about access controls, procedures and policies. Finding a cloud provider that is willing to adapt to your own protocols, or whose practices complement yours, should be a chief concern.

Don’t

Simply trusting a provider to deliver a technology architecture that meets your business needs, without the ability to build the cloud your way, can lead to a lot of compliance pain later.

Do

Make sure your hosting provider can segregate your traffic from that of other clients, can implement multiple layers of firewalls in your environment, offers intrusion detection services, provides log management services, and actively reports to you on all of these services. Those reports are the evidence you will hand to your auditor, so confirm up front that the provider can produce them on a schedule and in a form you can use.

Having access to the team at the cloud provider that operates these services goes a long way toward meeting your own compliance goals, while at the same time offsetting the amount of work you will have to do yourself.

For instance, if your business is just starting up in an industry that requires compliance, working with a cloud provider that gives you access to its audit reports, its QSAs and its internal audit team, who have already been through the rigors and protocols of compliance documentation, puts that work to use for you. Compliance is always tricky, but it can be much less of a burden with the right cloud partner.

Source: LogicWorks
