You can ensure cloud compliance with PCI DSS, HIPAA and other regulatory requirements, but it takes investigation and persistence to get the answers and documentation you need to prove it. Credit: Thinkstock Although businesses have a high level of control and customization with private clouds, using services on a public or hybrid cloud present compliance challenges. Cloud service providers (CSPs), however, have begun to see real value in helping customers achieve compliance, and processes are improving. But if you are looking to move data to the cloud–data that must meet compliance regulations—you still have your work cut out for you. For me to comply, I need you to comply Until recently, cloud providers focused on providing data storage and cloud services with some security provisions. The onus was on cloud customers to meet regulatory requirements or ensure that CSPs complied with regulations to protect data. [Related: CIOs Face Cloud Computing Challenges, Pitfalls ] The good news is that things are changing. Not only are certain public cloud providers paying more attention to helping customers achieve compliance, but the regulatory agencies and standards bodies have recognized the value and popularity of cloud services. New guidelines and compliance updates are spelling out safe use of the cloud. [Related: 8 Rising Stars in Cloud Management ] For example, additions made to the Health Insurance Portability and Accountability Act (HIPAA) in 2013 designate CSPs as business associates of covered entities, which means that CSPs must also be HIPAA compliant. The PCI Security Standards Council, the organization behind the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard recently published a detailed document that addresses cloud use in a PCI context. When researching CSPs, look for one with a standards-based cloud environment and a security program that meet the same regulatory policies and procedures you must comply with. Be sure to check the contract and service level agreement language carefully to determine how the provider meets cloud compliance requirements. Ideally, the CSP should be able to validate that they meet compliance requirements or standards, and can and will prove it in an audit. [Related: 10 top vendor-neutral cloud computing certifications ] Tip: Your CSP should have a security professional on staff who’s responsible for matching the CSP’s offerings with PCI DSS, HIPAA and other regulatory requirements. Where in the world is the data center? One of the major hurdles in maintaining compliance in the cloud is simply knowing where your data is located. During an audit, you need to prove the location of your data along with the measures that are in place to protect it. Be sure to ask prospective CSPs for documentation that shows the location of their servers, which should be in the United States, according to many regulations and standards. If a CSP isn’t willing to divulge that information, move on to another prospect. Even if a regulation doesn’t require that a server resides in the U.S., a server in a foreign country may be subject to the laws of that foreign government, which can present privacy issues. [ Related: Amazon Hits 5-Year High in Cloud Market ] As a workaround for PCI DSS compliance, some CSPs offer tokenization, which replaces credit card data with random numbers, or tokens.”Tokenization is handled by a PCI-compliant payment processor, while non-PCI data is handled by the CSP. Access control is key Much of the heavy-lifting in regulatory IT compliance comes from ensuring that proper controls are in place over system and data access. During an audit, an organization must be able to prove the level of access that each user has and how those levels are maintained. Therefore, it’s crucial for a CSP to have sound access controls in place and to implement them properly. Ask prospective CSPs if they are willing and able to prove that they implement separation of duties for administrative functions, can provide documentation showing which users had access to a system and when, and what each user could access. This information is important to comply with many different regulations, including the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect the security and confidentiality of customers’ non-public personal information. Encrypt data at rest and in motion One of the security issues associated with CSPs is multitenancy. To keep costs down, many CSPs use a multitenant architecture in which several customers share a virtual instance of a software application. With this type of architecture, the CSP must be able to prove the security measures that prevent one customer from accessing another customer’s data. However, any data stored or passing through a cloud service should be encrypted to meet most compliance requirements. If the CSP applies encryption, find out what type of encryption they use, and how and when it’s applied. Don’t assume that the CSP is fully responsible for data encryption, though. You’re ultimately responsible for the protection of data in motion and data at rest. The CSP is merely providing a service to help you meet those requirements. Some organizations store data in their on-premises data center and use the cloud for additional storage or processing. In those cases, it’s often best to encrypt data in the data center before it hits the wire. Note: Per HIPAA requirements, data stored on hard drives (including those of a CSP) must be encrypted, in addition to backup copies, and each drive must be accounted for at all times. Your CSP, your partner There’s a lot of competition in the cloud services industry. With pay-as-you-go prices already very affordable, CSPs need to promote other features to make themselves more attractive and earn your business. One way is to become a partner to your organization, an extension of your IT department. In doing so, it’s worth your time to learn about the CSP’s security processes, incident response and disaster recovery procedures, how issues are escalated, how they handle log files and the like. Moving on Application design, monitoring, incident response and disaster recovery are important considerations as well. Be sure to address them with any prospective CSP. Even with your best due diligence efforts, regulatory policies will change over time and force you to reexamine your IT infrastructure and future plans. Be sure to include your security team in any policy or procedure modifications, and good luck with your cloud initiative. Related content news Fortinet brings AI help to enterprise security teams Fortinet Advisor aims to help customers respond to threats more quickly By Michael Cooney Dec 11, 2023 3 mins Network Security how-to Getting started with scripting on Linux, Part 1 Once a script is prepared and tested, you can get a significant task completed simply by typing the script's name followed by any required arguments. By Sandra Henry-Stocker Dec 11, 2023 5 mins Linux feature Starkey swaps out MPLS for managed SD-WAN Hearing aid manufacturer achieves performance boost, increased reliability and cost savings after a shift from MPLS to managed SD-WAN services from Aryaka. By Neal Weinberg Dec 11, 2023 6 mins SASE SD-WAN Network Security news Nvidia races to fulfill AI demand with its first Vietnam semiconductor hub Vietnam has been a growing tech manufacturing destination for the past few years, and Nvidia said it is open to a new manufacturing partner in Vietnam. By Sam Reynolds Dec 11, 2023 3 mins CPUs and Processors Technology Industry Podcasts Videos Resources Events NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe