In this Help Net Security interview, Bill Tolson, VP of Global Compliance and eDiscovery at Archive360, talks about the importance of cloud compliance and what companies can do meet the requirements when shifting to the cloud.
As organizations accelerate their shift to the cloud, they face many challenges. Compliance is one of them. Why is this the case?
As every compliance professional knows, compliance isn’t one thing—in every environment, there are multiple layers of complexity, with different and even competing mandates. It was hard enough with on-premises storage; the fact that so much data, and the operations that use them, have moved to cloud architectures makes these arrangements even more byzantine.
Consider a financial services enterprise evaluating specific requirements on the storage of restricted data in the public cloud. Corporations in this vertical face strict challenges from just about every corner. There’s the Securities and Exchange Commission itself, the Sarbanes-Oxley Act of 2002, and even new mandates such as the Anti-Money Laundering Act (AMLA) that went into effect at the beginning of this year. Meanwhile, there are mandates governing data privacy, such as Europe’s GDPR and California’s CCPA (soon to be superseded by CPRA), surely with more on the way at both the state and federal levels.
And through all of this, there’s the overlap with security. The omnipresent threat of breaches, ransomware and other nightmares drastically affects the ability to ensure full compliance. And when things go wrong in this area, they cause damage not only to mandates but also the brand and the bottom line.
Many cloud platforms are available across multiple geographies. Because of this, companies must be keenly aware of where the data generated in particular countries is actually stored. Some nations have ‘data sovereignty’ laws that stipulate how data generated within its borders must physically remain inside that sovereign territory. This means companies must select cloud platforms with data centers within those nations’ boundaries.
What could be the pitfalls of not aligning the cloud with compliance?
In today’s environment, falling out of compliance can spell doom.
For example, authorities in Europe can impose extremely harsh penalties for falling out of compliance with GDPR. Amazon’s 2021 earnings report, which came out this summer, revealed that the company has paid out a staggering $877 million in fines—and we still don’t know what exactly the violations were, though it’s rumored they had something to do with cookies consent.
In the U.S., the consequences can be similarly catastrophic. Several states have passed privacy/security regulations in the last couple of years, including California, Colorado, and Virginia. For example, California passed the CCPA (and later the CPRA) to protect its residents’ personally identifiable information (PII) from misuse, theft, and extortion. CCPA is unique in that it presumes actual damages if a breach occurs and their PII was potentially accessed. In other words, the state does not need to wait to see if the PII was criminally exploited; the mere fact that a breach occurred is enough to demand damages from the company that held the data.
Companies running afoul of state data privacy laws can also experience lost business, removal from accredited vendor lists, and loss of shareholder equity. Eventually, it can even trigger C-level job loss.
What industries are more at risk of cloud compliance issues and why?
There’s no question that some industries are more regulated than others. The financial services mandates mentioned above are a perfect example, but there are certainly others. For example, the US healthcare industry has long had HIPAA looming over it, but industry professionals in other markets must remain vigilant about mandates related to the Digital lnformation Security in Healthcare Act (DISHA) in India, the Patient Data Act in Europe, etc. Corporations in energy, retail, transportation, communications and many more all function under strict regulations.
In a broader sense, we are in an unprecedented era of focus on data privacy. That’s primarily due to dramatically rising cybercrime, including email phishing, ransomware, and even its newest incarnation, extortionware.
To be clear, the focus on data privacy, along with the massive fines and penalties is a good thing. This increased risk and associated focus by cybercriminals is rapidly forcing cybersecurity insurance premiums out of range for smaller and mid-sized businesses. There’s more data coming in—from existing and emerging sources, through many channels and in many formats, most of them unstructured—than ever before, and it provides the foundation for significant intelligence to guide business initiatives. That data will reside in, and move between, many different types of cloud arrangements, even as new regulations keep emerging.
That makes for a complex environment of data sovereignty laws, timeframes for holding on to data, tracking data collection consent, and how that data is used. Additionally, most of these new privacy regulations have strict requirements around data gathering, reporting, usage, sale of specific information, granting access to third parties, etc. Companies must have the ability to respond to a rising number of individual data subject access requests (DSAR), and if required, delete all instances of a particular subject’s data, quickly (the right to be forgotten). Organizations must also be able to track individual PII to a data subject’s consent, location and length of time it has been held.
How can an organization meet compliance requirements when running operations in the cloud? Is this a difficult task, and if yes, why?
The ‘cloud’ in the broadest sense offers massive benefits to every industry, with advantages ranging from CapEx versus OpEx considerations, total cost of ownership, the benefits of “economies of scale” in cloud computing as well as the ability to dynamically scale up and down when unforeseen workloads are encountered. But as with every new discipline, there are always challenges, and compliance is big one.
One problem is that when corporations say they’re running operations in the cloud, they really mean that they’re using specialized applications in the cloud, typically from different SaaS providers. Some of these services are surely secure and reliable, but some are. . .definitely not.
To start with, many of these offerings were developed for on-premise use, then migrated to the cloud. Among other problems, many lack industry-specific compliance capabilities, at a time when the number of relevant regulations keeps rising, and must be heeded in all business initiatives. They also don’t have the agility to quickly ward off emerging dangers and a constantly evolving threat matrix. Size and scale are also major factors—larger companies migrate petabytes of data to the cloud, and not all of it is of equal sensitivity or importance. Meanwhile, third-party SaaS providers often rely on shared network infrastructures and resources in public clouds; in some cases, they even reuse and share network security certificates.
All of this stretches the boundaries of some key questions: Who has ultimate responsibility for cloud platform security, and how is it possible to ensure that all cloud-based data and operations are in compliance with existing mandates?
What does it mean to build a different cloud? Is this a definite solution to the problem?
There is a better option, and it essentially makes for a different cloud. This approach entails customizable software inside an isolated environment—zero-trust network security, data security, encryption key management and storage, scalability, storage accounts, access controls, auditing and reporting and more, all configured to meet specific needs. It offers a unique level of isolation that enables each company to deploy the solution within its own dedicated infrastructure. There are no shared network resources, and definitely no shared secrets.
There’s greater flexibility to ensure a customer-specific deployment, a dedicated cloud tenant and specialized software. It’s still the cloud, for sure, but it’s nothing like the ‘the cloud.’
This approach takes advantage of a major cloud platform’s economies of scale while providing what amounts to a private cloud platform. For this solution, the client takes on a little more responsibility around platform management and security over that of the one-size-fits-all SaaS offerings, but in today’s (and tomorrow’s) cyber-threat environment, more control is exactly what organizations are looking for.