Cloud compliance has become a daunting topic in the modern enterprise. Traditionally, you owned the servers, you owned the applications, you owned the data: you were in control. The rise of Infrastructure-as-a-Service (IaaS), however, has IT departments chasing their tails when it comes to federal regulations. In fact, a recent report showed that 78% of companies did not know who in their enterprise was in charge of cloud compliance. The issue is tricky because you are delegating part of the day-to-day responsibility for your systems to a third party while the accountability for the data stays with you. With some up-front planning, knowledge of the laws and the right partner, though, you can mitigate your risk.

Define Roles and Responsibilities

First, know who is responsible for what. Your IaaS provider is in charge of the physical facilities, the underlying hardware and virtualization layer, redundancy, and maintenance of that infrastructure; typically that is where their role ends. You control the operating systems, the software and the data running on their servers. Thus, the access and authorization model, patching, encryption and the security settings for your virtual network are your responsibility. If you previously owned your own hardware, much of the compliance model you used in-house still applies; the difference is that the lower layers are now operated and audited by your provider rather than by you. Regardless, document which rules you need to follow and who is responsible for adhering to each of them, and agree that split with the provider in writing rather than assuming it. And always remember: if there is a breach of your data, it is your enterprise that the regulator will hold accountable, not your IaaS provider.

Know the Laws

Next, if you are in a regulated industry, cloud compliance is tied to the provisions defined by your regulatory agency. While the legislation can be quite complex, for cloud usage it largely comes down to two questions: who can see the data (privacy) and where the data physically resides (data residency). If you fall under health care or securities and exchange regulation, you must be able to show where regulated data is stored and which jurisdiction it falls under, and many enterprises simplify that question by keeping such data on servers in the US. Incidentally, this is not a way of enforcing your patriotism. Data held in US data centers is subject to US law, including US search and seizure rules, so access by authorities follows a known legal process rather than the rules of whichever country happens to host the server; it also means your legal and incident response teams deal with one jurisdiction instead of several.

Find a Trustworthy Provider

Finally, your relationship with your IaaS provider is an intimate one. Before you hand them the keys to your proverbial apartment, learn as much about them as you can.

Transparency is key in these types of transactions, but don't expect a cloud partner to give you a full tour of their internal workings, and if they do, don't trust them: a provider that shows one customer everything will show the next customer everything too. A potential IaaS provider is responsible for all of the other companies they are hosting as well. Thus, there are certain types of security testing you will not be able to conduct yourself, such as penetration testing of the shared infrastructure; many providers permit testing of your own instances only within a published policy, so ask for that policy up front. Be sure to ask how other clients have been assured of compliance in the past, and ask for the independent audit reports that back those assurances rather than taking a marketing page at face value. Then, ask for referrals from other enterprises. Also, bring your list of roles and responsibilities so your provider understands your expectations and can tell you exactly where their controls stop and yours begin. Above all, trust your gut: if you get a bad feeling while you are talking to a potential provider, run.