Navigating the Muddied Global Compliance Waters

Cloud computing is global in nature, with the worldwide cloud computing market growing by 25% to $148B in 2016. With key advantages like speed to market and the cost efficiency of storing data around the globe, harnessing the cloud helps organizations compete in the global market. And the public cloud market will only continue to grow. In 2015, worldwide spending on public cloud services was $70 billion. IDC projects that total will double to $141 billion by 2019 as IT modernization continues to be the top driver in cloud adoption. Cloud service providers (CSPs) have answered the global cloud computing demand by maximizing their footprints with data centers all over the world. However, with the continued growth of the worldwide cloud services market, compliance and data protection have become the top cloud security challenges cited by global customers.

As the ability to access and store data across borders becomes a key priority for enterprises, they must take into account the different laws and regulations in the countries where they manage their data. In recent years we’ve seen this come into play in countries like China, which has legislation requiring businesses to store personal data inside the country. Businesses have to respond accordingly or risk severe penalties. For CSPs, this marks an opportunity to establish strategic data centers in a country with new data localization regulations, something we’ve done by being on the ground in China. It also creates a challenge for organizations that must navigate the compliance obligations that come with such rules.

Gartner estimates that since 2013, regulatory bodies have introduced more stringent cloud vendor risk management guidelines, making compliance with regulatory standards more challenging for business leaders. Navigating data sovereignty, privacy, and regulatory issues when moving core components of the business to the cloud is one of the main challenges for organizations expanding globally. Take Singapore, for example, where financial services institutions (FSIs) must consider the Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Notice and Guidelines when moving into a cloud environment. MAS TRM is a complex set of guidelines and regulations that has led to a slow start for public cloud adoption in the country’s financial services industry. FSIs have turned to managed services providers to guide them through these complexities, easing the transition to the public cloud while providing the secure and highly available environment mandated in Singapore.

Another high-profile example is Brexit and the European Union’s General Data Protection Regulation (GDPR). The GDPR was adopted in 2016 and becomes enforceable on 25 May 2018, giving organizations that control or process the personal data of EU individuals a little more than a year to comply. This new set of rules, much stricter than those currently in place, brings new accountability obligations and restrictions on international data flows. The regulation applies to any organization that processes the personal data of people in the EU, wherever that organization is based, so UK-based companies remain in scope whether Brexit happens or not. For organizations that aren’t taking the right precautions with their customers’ data, it could be a steep climb to become compliant in time, particularly if they try to go it alone.

Cloud computing providers have developed guidelines and certifications to show that their environments comply with national, regional, and industry-specific requirements around the collection and use of personal data. Keep these considerations in mind when expanding your global cloud presence to help ensure compliance from the start:

  1. Global cloud computing requires a global partner

Continued compliance starts with your CSP. Microsoft Azure and Amazon Web Services (AWS) are two of the leading CSPs, and both offer compliance programs that span many industries and countries. However, in most cases the business itself is responsible for obtaining its own certification(s) on top of the cloud platform it uses. Under the shared responsibility model the provider’s attestations (ISO 27001, SOC reports, PCI DSS and similar) cover the platform, not your workloads, configuration, identities or data handling, so a certified platform does not make your deployment certified. Cloud computing providers should publish the compliance standards and security programs they support and be able to prove them with audit reports and certificates; ask for the reports themselves rather than a list of logos.

  2. Where in the world is your data?

It’s also important to identify the data you’re going to move to the cloud. Depending on a multitude of factors, some highly confidential data may have to remain on premises. By determining exactly what data will be stored in the cloud, and classifying it, you can identify which compliance regulations apply before architecting the environment. Being mindful of the geolocation of your data is critical in navigating data sovereignty and any additional regulations that may apply. Remember that “where the data is” means every copy: replicas, backups, snapshots, logs and CDN caches can land in a different region than the primary store unless you configure them not to, and a provider’s support staff may be able to reach the data from yet another jurisdiction.

In some cases, encrypting data before it reaches the cloud can help address certain data sovereignty requirements, but only if you are honest about who holds the keys. If the organization keeps the encryption keys (for example in an HSM it controls, with the provider seeing only ciphertext), the provider cannot hand over readable data even when compelled by a government authority, and the organization is the gatekeeper. If the CSP holds the keys, the gatekeeper is the CSP: it can be compelled to decrypt, and the encryption then protects you against a lost disk, not against a legal demand. Bear in mind too that not every regulator accepts encryption as a substitute for storing data in-country; check the specific rule before relying on it.
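The following is an added example, not code from the original post or from Datapipe, illustrating why the key holder matters. It is a small Go program that does client-side envelope encryption with AES-GCM: each object gets its own data key, and that key is wrapped under a key-encryption key (KEK) before the blob is uploaded. The struct layout, function names, the “compelled provider” model and the sample record are all constructed for this illustration; a real deployment would keep the KEK in an HSM or a customer-controlled KMS rather than in a byte slice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is the blob that is uploaded and sits in the provider's region:
// the object encrypted under a per-object data key (DEK), plus the DEK wrapped
// under a key-encryption key (KEK). Whoever holds the KEK decides who can read it.
type StoredObject struct {
	ID         string // object name, bound into both AEAD calls as associated data
	Nonce      []byte // AES-GCM nonce for the object body
	Ciphertext []byte // object bytes under the DEK
	WrapNonce  []byte // AES-GCM nonce for the key wrap
	WrappedDEK []byte // DEK encrypted under the KEK
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG; never fall back to a weak source
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = randomBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the client before upload: a random 256-bit DEK encrypts the
// object, then the KEK wraps the DEK. The object ID is associated data, so a
// wrapped key cannot be transplanted onto a different object.
func Encrypt(kek []byte, id string, plaintext []byte) (*StoredObject, error) {
	dek := randomBytes(32)
	nonce, ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	wn, wdek, err := seal(kek, dek, []byte(id))
	if err != nil {
		return nil, err
	}
	return &StoredObject{ID: id, Nonce: nonce, Ciphertext: ct, WrapNonce: wn, WrappedDEK: wdek}, nil
}

// Decrypt needs the same KEK; a wrong KEK, a tampered blob or a renamed object
// fails closed instead of returning garbage.
func Decrypt(kek []byte, obj *StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, []byte(obj.ID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered object")
	}
	return open(dek, obj.Nonce, obj.Ciphertext, []byte(obj.ID))
}

// CompelledProvider models a provider ordered to produce readable data. It has
// the stored blob and every key it manages, and it tries each of them.
func CompelledProvider(providerKeys [][]byte, obj *StoredObject) ([]byte, bool) {
	for _, k := range providerKeys {
		if pt, err := Decrypt(k, obj); err == nil {
			return pt, true
		}
	}
	return nil, false
}

func main() {
	// Constructed sample: one KEK kept in the organization's own HSM, one
	// managed by the provider, and a fictitious personal-data record.
	customerKEK := randomBytes(32)
	providerKEK := randomBytes(32)
	record := []byte("customer 4711: name, passport number, home address")

	// Case 1: customer-held KEK. The provider holds only its own keys.
	obj, _ := Encrypt(customerKEK, "crm/4711", record)
	_, ok := CompelledProvider([][]byte{providerKEK}, obj)
	fmt.Println("customer-held KEK, provider can read:", ok)

	// Case 2: provider-managed KEK. Same blob layout, but the gatekeeper is now
	// the provider, and the provider can be compelled.
	obj2, _ := Encrypt(providerKEK, "crm/4711", record)
	_, ok = CompelledProvider([][]byte{providerKEK}, obj2)
	fmt.Println("provider-held KEK, provider can read:", ok)
}
```

The two cases produce byte-for-byte identical blob layouts; the only difference is which party can unwrap the data key, which is exactly the question a sovereignty review has to answer. Binding the object ID as associated data is what stops a wrapped key from being lifted off one object and attached to another. Nonce management, key rotation and KEK storage are deliberately out of scope here.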

  3. Compliance begins with the cloud framework

Compliance starts from the very beginning of your journey to the cloud. It’s critical to consider the enforcement of different requirements and regulations through the design, development, implementation, and testing phases. Developing a Reference Architecture (RA) – a standardized, generic software architecture with no platform dependencies – can help identify where certain compliance requirements should be applied in the system architecture. Using an RA can also account for overlap and commonalities among regulations, avoiding duplicate implementations and inconsistencies.

  4. Find your guide for navigating global cloud regulations

A managed cloud services provider with extensive knowledge of, and a presence in, a location can provide additional guidance and the assurance that it has expertise with the compliance requirements and national regulations in place. The right managed services provider will not only ensure that the organization is compliant when architecting its environment, but will also ensure that cloud security controls are deployed and enforced consistently. Not all managed service providers are created equal, so be mindful of the compliance and security audits and certifications that they hold.

While compliance can be a major hurdle for cloud adoption, working with a global managed CSP, like Datapipe, can help guide your organization through these complex regulations and requirements. The cloud landscape will only continue to grow globally – make these compliance considerations from the beginning and throughout your cloud journey.

Joel brings deep experience in information security, product development and IT management to Rackspace. He is responsible for setting the long-term technical strategy, driving technological innovation around the company’s portfolio, and closing the loop between market demand and product engineering. The New Jersey Technology Council has awarded Joel the distinguished title of 2015 CSO of the Year due to his innovation and creativity in planning and deploying enterprise systems, future IT goals, management philosophy and service to the industry and community. He also holds industry certifications with many of the leading groups including ISC, ISACA, PCI SSC, EC Council and the Cloud Security Alliance. Joel writes about cloud, cloud security and modern technology topics.