Regulatory Compliance in the Public Cloud

By Paul Woodward, Blog Contributor

Shared Responsibility of Cloud

It goes without saying in the year 2020 that your data is in the cloud. Some data you knowingly put there: you upload photos to social media or fill out forms on websites. But what about the data you don't know is stored in the cloud? Countless industries leverage public cloud to process and store everything from credit card applications to medical records. Thankfully, many of those industries have regulations and compliance policies they must follow to protect you and your information. However, with compliance comes complexity. Let's take a look at the ways compliance can be achieved in the cloud.

Compliance within public cloud starts at the foundation with the shared responsibility model. In this model, the cloud service provider is responsible for the maintenance and security of the hardware, as well as the software that acts as the operating system of the cloud. The customer is liable for the security of workloads and data in the cloud, as well as patching, upgrades and data protection. In the case of compliance, the provider guarantees the underlying infrastructure is up to the standards of many different regulatory bodies. (To read more about Microsoft Azure and Amazon Web Services regulatory compliance options, follow the links at the bottom of the article.) The onus on the end user is to follow guidelines as provided by the various regulatory bodies to which they subscribe.

When architecting a public cloud solution with compliance in mind, planning and research need to be at the top of the list. Each regulatory compliance law or policy will outline the technical requirements that need to be met. Some require lengthy data holds of up to years at a time, and some require dedicated hardware in the public cloud. Cost must be considered carefully, especially in those two cases.

Just a few of the questions to consider if the data has to be stored in the cloud for a lengthy period of time:

  • What is the quantity of data that needs to be uploaded to begin with?
  • What is the annual growth rate of the data to be stored in the cloud?
  • Does the data need to be encrypted?
  • How much bandwidth will the uploads consume?
  • How often will data need to be accessed in the cloud?
  • How fast will the end users need the data?

Once the public cloud provider has been chosen and the regulatory requirements have been implemented, the business is good to move into the cloud, right? Sure, with a catch. How do you maintain a regulatory-compliant environment? With an ever-changing cloud implementation, monitoring becomes important. Newly deployed virtual servers will need to be hardened to the level that the regulators require. And let us not forget about keeping costs under control: usage monitoring is critical to a successful cloud deployment.

Another big factor in maintaining a compliant public cloud is auditing. Regulatory bodies will conduct their own audits of the business environment at regular intervals. Ideally, the business is also performing self-audits on a far more frequent schedule. Public cloud providers do offer some built-in auditing services, but they may not cover all regulations or compliance requirements. The better route to ensure a successful self-audit is to use specialized software or engage an auditing service. In many cases, businesses have their own regulatory staff on hand to ensure continued compliance.

Regulatory compliance and public cloud can be done together. And yes, there are a lot of steps that need to be taken to do it right. But properly executed, public cloud can help a business succeed in the modern data center era.

Learn More

Microsoft Azure Compliance

Amazon Web Services Compliance