This is the third blog of a series that provides the basics of information security in the cloud. In this series, we will provide definitions and best practices for many of the elements that should be considered as part of a cloud security program. In addition to a blog, each topic will also have a short video, providing some additional information on the subject.  The previous blog and video discussed the topic: "What are the Principles of Cloud Security?" In this installment, we will be discussing the topic: "What is Cloud Compliance?"

The IT environments of today’s companies are highly regulated, not only by government regulations, but also by third parties that a company chooses to do business with. Cloud compliance is the area of hybrid cloud security which talks specifically how a company’s cloud infrastructure will be regulated, and some of the differences and similarities between the controls used to regulate on premise systems and the workloads migrated to the cloud.

Cloud compliance covers a whole host of requirements and issues: basically any issues or controls that are currently regulated for on premise systems have an analog in the cloud. There are national data sovereignty requirements to comply with and laws effecting the international storage and movement of data such as the EU Data Protection Directive and USA Patriot Act. There are both global and national regulatory requirements for securing personal health data (HIPAA, HITECH), general privacy (PII, SPI), credit information (PCI), sensitive industry data like ITAR and many, many more.

Companies should take special care when selecting a cloud provider, understanding how the cloud provider will aid in meeting the customer’s compliance controls. Many providers already have very mature programs in place to deal with common standards, and are able to map those standards to customer controls as part of their workload migration and onboarding process. It is critical that an enterprise choose cloud vendors that are able to meet or exceed their security and compliance standards – mapping and assisting in audit and compliance activities should be delineated in contracts and service level agreements before any workload migrations start. With the variety of cloud solutions in the marketplace, a solution exists that will mesh with a company’s compliance concerns, and allow them to maintain the progress in security and compliance maturity they had achieved before migrating to the cloud.

According to a recent 451 Research report, compliance related concerns are the most significant barrier to cloud adoption. Understanding how cloud compliance solutions fit with a company’s overall security vision is a critical component of any cloud infrastructure decisions. Regardless of the vendor an enterprise chooses as their cloud provider, understanding how cloud compliance will be affected and implemented as part of their cloud solution will ensure that security considerations are appropriately addressed.

For the next blog in this series, we will discuss the cloud security topic: "What is Data Sovereignty?" To learn more about hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security. To find the additional parts, please search for Cloud Security 101.