Maintaining Compliance in an Age of Cloud Globalization 

Cloud computing is global in nature, and that means compliance and data protection must be, too. 

The worldwide cloud computing market is expected to reach $160 billion in 2018, a 23 percent increase over 2017, according to IDC projections. With key advantages like speed to market and cost efficiency of storing data around the globe, harnessing the cloud helps organizations compete in the global market.  

As organizations continue to access and store data across borders, they have become increasingly concerned about challenges like global compliance and data protection, as they must consider the unique laws and regulations in the countries where they manage their data. For example, the European Union recently updated the General Data Protection Regulation, or GDPR, a set of rules to regulate the personal data and privacy of EU citizens. Previously, the GDPR only applied to organizations with a presence in the EU, but the updated guidelines extend to all organizations that process the personal data of EU residents, regardless of whether they have a presence in the EU.

Companies that process data in the EU now have to consider GDPR regulations in order to remain compliant. According to a recent report by the International Association of Privacy Professionals, 16 percent of U.S. organizations and 16 percent of EU organizations surveyed do not feel prepared for the upcoming GDPR changes and expect to be fined when the new regulations go into effect.  

To ensure your organization is prepared, it’s important to consider the following when expanding your global cloud presence to help ensure compliance from the start. 

The importance of a global partner 

The key to ensuring your organization’s continued success in maintaining compliance with global security requirements starts with your cloud service provider, or CSP. Cloud service providers have answered the global cloud computing demand by maximizing their footprints with data centers all over the world. The new GDPR regulations mark an opportunity for CSPs to establish data centers in countries with new data localization regulations. They also signal a challenge to organizations, which must navigate the new compliance laws that accompany the guidelines.

Microsoft Azure and Amazon Web Services are two of the leading public cloud providers, and both offer comprehensive compliance solutions across multiple countries and industries. Cloud service providers have developed guidelines and certifications to ensure their environments comply with national, regional and industry-specific requirements around the collection and use of individual data. They should have a list of the compliance standards and security programs they support and should be able to prove those with audits and certifications.

However, in most cases, the organization itself will be responsible for obtaining its own compliance certifications.  

Do you know where your data is?  

It’s also important to identify the data you’re going to move to the cloud. Depending on a multitude of factors, some highly confidential data may have to remain on premises. By determining exactly what data will be stored in the cloud, you can identify which regulations you will need to consider when architecting the environment. Being mindful of the geolocation of your data is critical in navigating regulations around data sovereignty and more.

In some cases, end-to-end encryption of data stored in the cloud can be sufficient for addressing certain data sovereignty requirements. With encryption keys — held by either the organization or the cloud provider it works with — there is a gatekeeper in place to protect data from government authorities seeking controversial “backdoor” access points to data.  

Cloud framework and compliance 

It’s critical to consider compliance through the design, development, implementation and testing phases of your journey to the cloud. Developing a reference architecture — a standardized, generic software architecture with no platform dependencies — can help identify where certain compliance requirements should be applied in the system architecture. Using a reference architecture can also account for overlap and commonalities among regulations to avoid duplicate implementations and inconsistencies.

Find a guide 

Finding a global managed cloud service provider, or MSP, with extensive regulatory knowledge offers the assurance of a guide familiar with the compliance requirements and regulations for a specific country. The right managed service provider will not only ensure that your organization is compliant when architecting your environment, but it will also ensure that cloud security controls are enforced and deployed consistently. Not all managed cloud service providers are created equal, so be mindful of the compliance and security audits and certifications they hold.  

While compliance can be a major hurdle for cloud adoption, working with a managed service provider like Rackspace can help guide your organization through these complex regulations and requirements. The global cloud landscape will only continue to become more complex, so it’s critical to have a partner who can navigate compliance considerations throughout your entire cloud journey.

Brian Kelly is Chief Security Officer at Rackspace, responsible for protecting the company and its customers from the constantly evolving risks and threats that exist in the IT world, as well as focusing on the physical security of Rackspace facilities. He has more than 35 years of experience, beginning in the United States Air Force, where he rose to the rank of Lieutenant Colonel.