How to proactively manage multi-cloud compliance

Taking action early and often

Imagine you’ve just bought a new car. Feeling thrifty, you decide to forego the regular maintenance – after all, it’s running smoothly right now. What could possibly go wrong? 

But one day, as you’re driving along, smoke suddenly starts pouring out from under the hood. The engine is blown. Now compare the cost of having to buy another car to what you would have paid for regular preventative maintenance. Looking after your first car would have been a lot cheaper.

The same goes for cloud compliance. It’s a lot more cost effective to chip away at compliance from the outset and on a regular basis. If you spot and resolve issues early on, you’re much less likely to face multi-million dollar fines or reputational damage down the track.

Why you need to be proactive

Cloud compliance is continually evolving. For example, if you’re in the healthcare industry, then you need to keep an eye out for updates to HIPAA. This 25-year-old law has undergone notable and significant changes over the years, requiring healthcare organisations to adapt their policies, processes and physical infrastructure to meet the evolving rules. It’s not just HIPAA. Even relative newcomers to the compliance space (here’s looking at you, GDPR) tweak their rules from time to time – and it’s up to you to keep up.

As well as staying abreast of the latest updates to compliance rules and regulations, you also need to keep on top of the changing way that different departments within your business use the cloud. For example, who is storing customer data in the cloud, and which public cloud is that data in? How are you dealing with unstructured data like audio and video files? Who has access to cloud workloads? Without rigorous policies in place – and, without someone continually enforcing them – holes can quickly appear in what was once a watertight compliance model.

1. Document and share your baseline

Every business that uses public cloud needs documented policies in place that acknowledge and respond to any regulations that apply to them. As a starting point, every business in Australia should adhere to the Privacy Act. Many must pay heed to GDPR and NIST. Financial services institutions should also adhere to APRA, ISO 27001 and ISO 9001; retailers to PCI DSS; healthcare companies to HIPAA; and government organisations to IRAP. Take the time to understand these specific rules and regulations, and share them with every person within your organisation who may be affected by them.

Then, starting as early as possible (ideally, before you move workloads to cloud), put those policies into action. For example, asset tagging plays a big role in cloud compliance. You need full visibility and traceability of all your cloud infrastructure components, as well as all the groups, roles and data stores linked to an application. It’s a lot harder to retrofit asset tags to all these things – you’re much better off doing it at the outset. The same goes for everything from architecture design to encryption. Setting up rules early and communicating them to all team members involved in building, designing and managing infrastructure is key to mitigating risks.

2. Use diagnostic tools to automate compliance tasks

Great news for all you time-poor, resource-stretched IT teams. Cloud compliance is a lot more straightforward when you use monitoring tools and technologies to help you stay on track. Using a cloud management software like CloudHealth by VMware allows your team real-time visibility into any misconfigurations based on your compliance policies. With it, you can continuously track compliance scores, as well as any open violations and your progress in resolving them. Platforms like this can help to free up your time to focus on innovation instead of remediation.

3. Add cloud compliance to the to-do list (or engage outside experts)

Too often, cloud compliance gets shelved for someone to look at later. For it to get the continuous attention it deserves, compliance really needs to be written into one of your team member’s job descriptions. Just bear in mind that, depending on the size of your business and the scale of your multi-cloud environment, monitoring and managing systems can be a sizeable task.

If you lack the resources to manage cloud compliance in-house, then consider engaging external support to do the job for you. With multi-million dollar fines at stake, it’s money well spent. Interactive managed services reduce the burden on your IT team by continuously taking care of compliance. We start with an initial audit of your infrastructure layer, identifying high, medium and low priority issues. Given that 100% of the assessments that we perform reveal critical compliance violations, this is a powerful first step. From here, we help you fix the issues that are uncovered and then conduct ongoing checks to ensure that you remain compliant.