CLOUD VS. COMPLIANCE: WHO WINS?
By Garry Sidaway, Global Director of Security Strategy, NTT Com Security
Cloud adoption continues to grow in the finance and banking industry. Organisations of all sizes are quickly realising the benefits of using the cloud and how it can help them become more agile, efficient and competitive.
According to the Cloud Industry Forum, over 75 per cent of UK businesses will be using at least one cloud service formally by the end of 2013, and 80 per cent of current cloud users will have increased their spending in this area.
The cloud doesn’t naturally sit well with compliance, though, and that friction is a blow for many IT professionals looking to embrace, or experiment with, the cloud. In a nutshell, compliance as currently practised does not work in the cloud. The two cultures have entirely different agendas: the cloud seeks to propel a business forward, while compliance seeks to restrain it.
This restriction is putting businesses off adopting cloud services, according to a recent research report commissioned by NTT Com Security. It found that, when it came to being compliant, businesses around the globe were wary of using the cloud. A worrying 86 per cent admitted that issues around data protection, legislation and regulation are responsible for cloud computing being adopted more slowly than they would like.
The growing challenges of legislation, regulation and compliance are all playing their part in this. Businesses only need to look at the recent publicity surrounding the NSA and PRISM revelations, at data sovereignty laws, and at the regulatory requirements set by authorities such as the Information Commissioner’s Office (ICO).
These increasingly complex data laws are becoming something of a minefield for businesses looking to transform the way they operate using the cloud.
We have used compliance to improve business and corporate governance, which is really important given what has happened in the last few years. It has also helped to improve approaches to risk management, enabling businesses to understand what their risks are and what processes and measures they have in place to protect themselves.
Compliance now needs to look forward and work with businesses and governments. In the age of the cloud, IT professionals are faced with a myriad of laws. They include:
- ICO’s Guidelines: the security responsibility is on the business owning the data, instead of the third party cloud provider. The authority has the ability to fine a company up to £500,000 if it violates the Data Protection Act.
- Data Protection Directive of 1995 (95/46/EC) and the ePrivacy Directive of 2002 (2002/58/EC): organisations are required to notify data subjects when their personal data is being collected, to secure that data against potential abuse, and to share it only with the subject’s consent.
- PCI DSS (Payment Card Industry Data Security Standard): businesses selling online must consider this standard. It requires them to protect card data from unauthorised logical or physical access, and to use access controls to separate the duties of administrators from those of users who handle credit card numbers.
The cloud and compliance can get along, but it’s time for them to put aside their differences and for companies to go back to basics.
Many organisations are making assumptions about the skills required to develop, design and deliver secure cloud services. At the moment, too many businesses are trying to apply risk procedures, controls and regulations to a cloud business model that they don’t truly understand.
Old-world compliance methodologies are wrongly being applied to new-world business models, only for businesses to soon realise that they can’t use the cloud effectively because of compliance. What they need to do instead is understand the cloud better before applying these controls. The same applies to cloud providers, who need to embed security into their services rather than bolt it on afterwards.
IT professionals who do understand the correct way to merge the cloud and compliance approach it from a different perspective. Their priority is to build good cloud skills first, and companies hesitant about adopting the cloud should follow suit. Only when armed with the right knowledge can businesses explore the technology and how it can improve business operations, and then apply the controls necessary to manage risk.
Cloud and compliance are not easy bedfellows, but they can be made to work together, and when they do, businesses win. The key is for good knowledge of security and risk management to be at the top of every organisation’s cloud skills wish list.
About NTT Com Security
NTT Com Security (formerly Integralis) is a global information security and risk management organisation, which delivers a portfolio of managed security, business infrastructure, consulting and technology integration services through its WideAngle brand. NTT Com Security helps organisations lower their IT costs and increase the depth of IT security protection, risk management, compliance and service availability. NTT Com Security AG is headquartered in Ismaning, Germany and is part of the NTT Communications Group, owned by NTT (Nippon Telegraph and Telephone Corporation), one of the largest telecommunications companies in the world. For more information,