For many years, cloud providers were subject to a large number of security provisions and compliance regulations, yet public cloud providers did little to help their customers stay compliant. New guidelines are finally available that express how the cloud can be used safely and the value it can provide for businesses. With these new guidelines, it's important to make sure the CSPs (cloud service providers) you use are following regulations so your cloud is protected.
How can you begin to make sure that your CSPs are compliant and following regulations? Look for a CSP whose contract includes language that expresses how the provider meets cloud compliance requirements. The CSP needs to be able to validate in an audit that it meets those requirements. It's equally important to know what to ask when reviewing a cloud contract.
During the audit, find out whether the CSP has a professional security staff. This matters because the provider should be able to show how access granted to each staff member is controlled and kept within sound access-control practice.
Do the CSP's offerings match PCI DSS and HIPAA requirements? CSPs must be HIPAA compliant. Here is a detailed document that addresses cloud use in a PCI context.
Be sure they can also prove where your data is located and how they will protect it. Your prospective CSP needs documentation showing that its servers are located in the United States. If the provider states that its servers reside outside the United States, there could be privacy issues, because data held in another country is subject to that country's laws.
In order to keep costs down, many CSPs use multitenancy. Multitenancy is a model in which multiple applications operate in a shared environment: a single instance of the software runs on a server and serves multiple tenants, so customers share the same virtual software applications. When a provider uses multitenancy, it must be able to prove it has security controls in place that prevent one customer from accessing another customer's personal data.
With any prospective CSP, application design, monitoring, incident response and disaster recovery are just as important to take into consideration. Regulatory policies will continue to change, so be prepared to examine your IT infrastructure on an ongoing basis.