MSP Today Expert Feature
February 20, 2013

Compliance in the Cloud Can Be Achieved with a Secure Infrastructure

As regulated industries such as healthcare, government and financial move to the cloud, there are strict security policies that must be taken into consideration to ensure compliance standards are met.

Regulatory mandates including the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA) for government contractors and the Payment Card Industry Data Security Standard (PCI (News - Alert) DSS) for businesses that process credit transactions, all have one common objective: implementation and enforcement of policies, according to Len Whitten, director of cloud services product management at SunGard Availability Services.

The Wayne, Pa.-based company provides disaster recovery services, managed IT services, information availability consulting services and business continuity management software.

Using the cloud complicates governance and compliance – and if not done properly it can result in hefty government fine, Whitten said. Achieving compliance in the cloud involves setting up the proper framework, with the cloud service provider’s physical infrastructure acting as the foundation.

With a secure infrastructure in place, an organization can migrate services to the cloud with minimal compliance risk.

“Most compliance standards that govern how an IT infrastructure is managed weren’t designed with the cloud in mind,” Whitten explained in an interview with TMCnet. “So when these highly-regulated industries look at adopting such cloud services to achieve better scalability and lower IT costs, they confront a myriad of questions about compliance.”

Achieving compliance in the cloud requires a multi-level, holistic approach, he said. The company or its service provider needs to focus on implementing supporting controls, and these controls are security related as well as process related.

“While we don’t approach each industry differently, every subset – the people, processes, physical and logical security – all need to be taken into consideration. This includes platform security (e.g. how is the cloud architected?), data protection and data center security (physical security),” Whitten said.

By most accounts, the number-one concern with regard to the public cloud is security, not regulatory compliance. Loss of control is the second concern, according to SunGard.

“Regulatory compliance and security is really about overall data protection. Customers in regulated industries have to be very, very specific about making sure they understand the cloud architecture and how it affects their regulations compliance,” Whitten said. “Regulatory compliance mandates are definitely a roadblock, and have even caused some companies to avoid migrating to the cloud.”

Such companies are realizing that public cloud is just too risky in some instances, and SunGard is seeing customers turn to private could solutions.  

SunGard Availability Services offers a suite of security services such as log and threat management, firewalling and host and network intrusion detection.

There are other pieces of “cloud security” that fit into the broader picture, including platform security, data security and data center security, which are all services SunGard offers to customers as well.

There isn’t one regulated industry that’s moving faster than others, and a lot of companies in these industries aren’t jumping in fully yet. However, they might be moving toward cloud for specific cases, e.g. test development, Whitten explained.

“The reality is that many customers have already invested in regulatory compliance applications and have such applications in place. We’re seeing companies run into issues where they can’t move their legacy technology to the cloud,” he added. “Overall, we’re predicting we will see a lot of hybrid environments for the next two to five years. We’re also seeing highly-regulated industries turn to private cloud solutions instead of public cloud, given all of the security issues surrounding public cloud.”

Edited by Braden Becker