Three key ideas to drive compliance in the cloud
Deploying critical data and workloads in a cloud environment can drive numerous benefits, including reduced costs and improved time to market on product and services. When designing a strategy for regulatory compliance in cloud deployments, however, IT leaders must first make some big decisions.
For example, the choice between public, private or hybrid cloud may depend on whether your business can accept the risk of sharing hardware at the hypervisor level or requires dedicated physical servers. You must also consider how your strategy will affect recovery and business continuity in the event of a disaster.
The CIA triad
To help navigate these decisions, start with the basics. The “CIA triad” illustrates the three key components to creating an effective strategy for information security. CIA stands for:
- Confidentiality: preventing access to data by unauthorized users.
- Integrity: validating that your data is trustworthy and accurate.
- Availability: ensuring data is accessible when it is needed.
Technology, procedures and auditing
I recommend a three-pronged approach to designing a compliance strategy that addresses each area of the triad. The first prong is technology. An effective cloud infrastructure should include controls that let you manage user access to the environment, using software-defined architecture such as virtual or host-based firewalls to isolate, segment and protect data. The infrastructure should also help meet availability targets for critical data through service-level agreements (SLAs) that extend up to the application layer.
The second prong consists of the procedures and processes for implementing this technology successfully. This includes operational plans and metrics for achieving the strategic and organizational goals set by management. These procedures should define the role of each team member and set out the security policies that help ensure the confidentiality of the data.
Once your infrastructure and procedures are in place, it’s a good idea to work with a third party that can audit your environment and policies. The audit should help determine which control framework to use. A qualified auditor can also identify compliance practices that align with the core business. For example, if online retail is a core business function, then the Payment Card Industry (PCI) standards should be considered.
Compliance on IBM Cloud session at Think 2018
At Think 2018, I’ll be hosting a Think Tank session to dive deeper into these topics, discussing how IBM Cloud can help businesses meet industry and regulatory compliance requirements such as PCI, FedRAMP and HIPAA. Along with Barbara Davis, offering manager for managed hosting and application services, I’ll highlight ways to deploy SAP data and applications more efficiently in a managed cloud environment.