Moving to the Cloud: Regulatory Compliance
This post is the seventh in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.
Moving to the cloud often entails more than switching to an email service or spinning up a some cloud-based storage and servers. For many businesses — including Small and Mid-Size Businesses (SMBs) — regulatory requirements place demands on IT systems and security. And, while these requirements impact in-house and cloud solutions, moving to the cloud requires planning.
The most common regulations for SMBs relate to consumer (customer) privacy: HIPAA, which protects personal health information, and PCI, which protects personal and credit related information. Many SMBs, however, must also meet the requirements of Sarbanes/Oxley, FINRA, SEC, and various state regulations.
The solution: Integrating Solutions.
Fortunately, the tools and systems exist to provide compliance with data security and privacy regulations. Cloud vendors are creating environments and the management controls necessary for customer regulatory compliance and certification.
The challenge is to make sure that all of the pieces work together.
- Message Archive/eDisovery: Manages retention of email as official business records and provides the eDiscovery and audit tools necessary to meet federal subpoena requirements.
- Message Encryption: Encrypts email at the individual message level based on content and rule sets, requires users to authenticate before accessing the message, and prevents forwarding.
- Two Factor Authorization / Single Sign-On: Provides identity management services and audit trails beyond core products in order to meet regulatory or policy requirements
- Third Party Encryption: Encrypts data in the browser or client before transmission to the cloud, providing a second level of encryption prior to the encryption provided by the cloud vendor. In the event of a vendor data breach, the exposed data would be encrypted.
These types of solutions, and others, provide cloud environments with the capabilities to meet regulatory requirements. Vendor contracts and policies should still be carefully reviewed for any terms and conditions that threaten compliance.
And remember, no vendor can ensure compliance. Compliance exists when the technology meets the technical standards and is used in accordance with policies and procedures that meet the regulatory intent.
Next Post in the Series: Internationalization
Previous Post in the Series: Integration with Legacy Systems