Where is Your Cloud? Four Compliance Best Practices

You may establish channel relationships with other online providers that can cover compliancy concerns for you

If you think the phrase "It's in the cloud" means that your data resides on the Internet and is thus accessible everywhere equally, think again. Most infrastructure-as-a-service (IaaS) cloud services share the same residence model as traditional hosting and outsourcing deployments -- they live in specific data centers in specific geographies. This means that customer data is generated and most likely stored in this physical location, giving it legal and privacy implications.

Unfortunately, Forrester's conversations with end users and vendors suggest that many organizations simply aren't aware of where their cloud data centers reside. This lack of information can be quite risky when the location of the data center triggers a number of privacy and data security requirements that -- if not met -- may just land you in jail, facing a stiff fine, or at least navigating cumbersome compliance requirements. While cloud can be a catalyst for the IT-to-BT transformation, which I'll talk more about at next month's IT Forum, it can also be the most expensive project your company embarks on if you don't have a solid strategy in place first.

Security responsibility ultimately rests with you, the business -- not the cloud provider. While most IaaS providers strive to secure their public data center cloud environment, they're not likely to take responsibility for data protection and compliance. In fact, they take no responsibility for what you do atop their virtualized infrastructures and services. Infrastructure and operations professionals should expect to have to carry this burden when partnering with a cloud provider.

The mesh of privacy laws might seem daunting, but they can be managed by realizing that they are rules of engagement rather than business prevention tactics. They don't prohibit you from using IaaS cloud computing; these laws simply require you to pay attention to where these clouds are actually located and choose providers that will help you meet your constraints.

In recent research, Forrester identified four best practices to help infrastructure and operations professionals think globally but act locally:

1. Know The Locations Of Your Cloud Provider's Data Centers

You must understand where the cloud service provider will store the personal data of your employees, clients, and other parties. Knowing this is a prerequisite to implementing the required measures that ensure compliance with the laws where you do business (meaning wherever you have clients). These laws often restrict where you store personal or financial data and cross-border flow of data. If the cloud provider conducts any off-site replication or backup of your environment, ensure that those copies also meet your privacy constraints.

2. Stay On Top Of Changes in Search and Seizure Laws

Each country has unique restrictions on, and requirements providing for, law enforcement access to data -- the US and China are among those giving their law enforcement teams the most latitude. Pay attention to information available from the provider about the jurisdictions in which data may be stored and processed, and evaluate any risks resulting from the applicable jurisdictions. Forrester provides an interactive map detailing the laws governing data privacy across various countries here.

3. Use The Location That Makes Sense For The Business

While an important factor, don't let privacy laws dictate how and where you conduct your business. If it makes sense for you to have a presence in the U.S., Europe, and China -- do it. Just be mindful of the laws in those geographies and make sure to deploy your services in a way that will ensure compliance. This may mean setting up a series of hosting relationships (IaaS or other). You may alternatively establish channel relationships with other online providers that can cover these compliancy concerns for you.

4. Maintain The Security Posture Of Your Application And Data

Businesses using public IaaS cloud solutions need to have a strategy to ensure security of OS, applications, and data. This includes keeping up-to-date security mechanisms such as antimalware, eradicating vulnerabilities in your applications, and employing data security measures such as encryption to guard against threats to your data within the cloud. Follow the same security procedures you do for in-house applications, as consistency drives comfort. Enterprises should expect privacy laws to get stricter in the near term, not simpler or more consistent. As technology innovations like cloud computing advance, many countries fear that if they don't require local information storage, companies will build data centers in adjacent countries where more favorable economics exist. Protectionist laws simply accelerate this transition because the country with the tightest laws becomes the most difficult to work with.

James Staten is a Principal Analyst at Forrester Research, where he serves infrastructure and operations professionals. He will be giving a keynote speech at Forrester's 2010 IT Forum in Las Vegas, NV, May 26 - 28.

Join the CSO newsletter!

Error: Please check your email address.

Tags compliancebest practice guidecloud computingForrester Research

More about BT AustralasiaForrester Research

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by James Staten

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts