Why compliance isn’t just your problem anymore

This week we launched our latest white paper, "Sharing the Governance Burden: Getting Compliant in the Cloud", which outlines the changes in responsibility that compliance within a cloud environment brings.

The paper, written by consultant Colin Bycroft, sets out to dispel the myth that just because you are pushing your IT systems to an external service provider, you forgo all of your regulatory duties to said provider. This simply isn't true, and it's important for both parties to understand their role within the process.

Compliance isn't by any means a new concept, but a move into cloud services obviously opens up a whole new set of security risks and potential points for failure. Organisations shouldn't expect their Cloud Service Provider (CSP) to be fully accountable for the implementation of compliance procedures, but they should appreciate the advantages they can bring in easing the compliance headache. We find that our best relationships with customers are formed when clear foundations are laid from the start, in terms of communication and creating a collaborative process.

Where the line of responsibility is drawn between you and your CSP depends largely on the nature of the data you are handling and the consequent standards you must work to. PCI-DSS compliance, for example, requires very specific things from a cloud service provider and actually removes a lot of the responsibilities from the customer of the service. Other governance standards, however, are far more complex and require you to play a much larger role in understanding and identifying the specific risks and processes that need to be moderated. No one understands your business, your data or your customers better than you do - putting you in the best position to make the call on suitable retention rates and SLAs.

ISO 27001 is a perfect example of how a balanced relationship between a business and CSP is essential in regulating business processes. ISO 27001 requires an organisation's senior management team to determine which controls are appropriate to their business and how they should be implemented, and to undergo regular assessments and compliance reviews. For the majority of risks to be offset from the customer to the CSP, the provider must also become ISO 27001 certified, undergoing the full process outlined above. If the CSP fails to do this, the threat to security is significantly higher and the customer must carry out thorough and regular audits itself, putting an unnecessary burden on the organisation's resources.

Colin makes no claim that the compliance process is an easy one, even in a cloud environment: "Essentially, every business has its own specific governance standards it needs to comply with. These processes can be time-consuming and they require continued review. Working with a knowledgeable and experienced CSP can alleviate a lot of the stress involved by transferring certain responsibilities from the business to the service provider, so long as responsibilities are clearly and concisely defined. Successful compliance is all about a collaborative relationship between you and your cloud service provider."