Skip to main content

Compliance implications of cloud and data mobility

(Image credit: Image Credit: Docstockmedia / Shutterstock)

Hybrid cloud and multi-cloud architectures enable the movement of workloads and data from on-premises to public cloud and even between multiple public clouds. A recent survey from 451 Research indicates that 69 per cent of organisations plan to have some form of hybrid or multi-cloud environment by 2019. These architectures are very attractive to enterprises of all sizes, providing business agility and freedom from vendor lock-in, however they also create implications for data sovereignty and requirements to adhere to compliance standards such as GDPR (General Data Protection Regulation) in the European Union, HIPAA (Health Insurance Portability and Accountability Act) in the United States, and others. With GDPR, lack of total compliance is no longer an option as any organisation that fails to meet regulations could be fined €20 million or 4 per cent of annual global turnover, whichever is higher.

When considering hybrid cloud and multi-cloud storage architectures, most people will immediately think of the leading services such as Amazon S3, Microsoft Azure Blob Storage, and Google Cloud Storage which have long offered cloud storage of different tiers including hot, warm and cold/archive and redundancy levels for example single region, geo-distributed or replicated, etc. On top of these data storage services, the hyper-scale cloud providers have been rapidly developing value-added data management services for analytics, business intelligence, metadata creation, indexing, artificial intelligence and more. Additionally, newer cloud storage services offering compelling alternatives to the hyper-scalers at lower costs and/or increased speeds have entered the market. The breadth and depth of these cloud storage and cloud data management services present very enticing solutions for many of the data challenges faced by today’s enterprises, from data recovery to big data analytics.

However, when considering this myriad of cloud-based services, enterprises are asking questions such as:

  • Where will be our data be stored?
  • Is the location of our data impacted by data sovereignty?
  • Is any of our data required to be compliant with regulations such as GDPR and HIPPA?
  • How do we maintain visibility and control over our data even as we leverage cloud services that extend beyond our on-premises infrastructures?

Ensuring compliance in the multi-cloud

Under GDPR ruling, the standardised data protection laws to control personal information across EU countries that came into force in May 2018, data must be stored and maintained within specific countries and locations of origin, and not allowed to flow to storage locations outside of those boundaries. Many cloud providers have put in place compliance certifications to ensure data sovereignty (that data is stored at the point of origin), and, where possible, organisations should agree service level agreements (SLAs) with their cloud providers before entering into contracts.

There are also data retention and “forget” requirements: although the technology exists to preserve data for longer periods of time, GDPR enforces the deleting of some personally identifiable data, unless the business can prove it is required.

When it comes to compliance of data management and storage in multi-cloud environments, there are some key guidelines to consider:

1. Regulations clarity – as a starting point, organisations should create a clear picture of the data they are storing in the cloud. These end users should pay close attention to the SLAs that cloud vendors are offering, particularly geographic affinity and location. With this in mind, policies can be created to guard against unapproved use of public cloud storage. Indeed, shadow IT, or the use of IT systems without the consent or knowledge of the IT department, poses one of the most significant risks to not only an organisation's security levels but also its compliance with GDPR and other regulations.

By enforcing policies and standards across cloud providers and on-premises private cloud deployments, end users can ensure they meet business and financial requirements; being then empowered to determine when and why various cloud providers can be used.

2. Encryption in the cloud a simple rule of thumb is that data should not be stored in the cloud unless it is encrypted, in particular, Personal Identifiable Information (PII), or any data that could potentially identify a specific individual, as legislated by GDPR. Under this ruling, organisations must ensure the security and confidentiality of customer information and records, and take steps to protect against any unauthorised access or threats to the integrity of that data. Best practice when it comes to encryption is to encrypt data both at-rest and in flight and to use user-managed encryption keys.

3. Create best practices for security auditing or access control – whether data resides in public or private cloud, organisations should be prepared for security breaches. They must be able to determine not only who accessed the cloud, but also when and what they accessed. Cloud vendors should make it a priority to provide evidence to customers that they will have the assurance of adequate visibility, transparency and control over their public cloud infrastructure, as well as full details as to the security measures in place.

4. Consider a data management platform that enables sophisticated data classification and/or includes robust metadata features – the many rules and regulations described in this article require that new and existing data be continuously vetted to ensure it remains in compliance. Global organisations typically operate across numerous locations with hundreds, potentially even thousands, of data creation and editing points: users and IT departments need to be able to quickly search, move, delete data across all these locations to ensure that data meets the demands of an evolving compliance landscape. Data classification and metadata features offered by data management platforms provide the ability to implement business policies that will help ensure data at scale can keep up with the potential complexities of data management and compliance.

A hybrid or multi-cloud strategy is very attractive to enterprises dealing with explosive data growth and an increasing dependence on that data. Yet these architectures can easily become complicated and out of control without careful management or the deployment of purpose-built data management solutions. By adopting the measures outlined in this article such as data encryption, IT teams can ensure they have full control of their data and knowledge of where their information resigned, not only for business agility and airtight security but also in order to meet today's strict compliance regulations.

Wally MacDermid, VP of Cloud, Scality
Image Credit: Docstockmedia / Shutterstock