Use this guide of the best practices and recommendations for mitigating the risk of non-compliance within your business.
May 24, 2021
Why does cloud governance matter, anyway?
Last year, in the scramble to keep employees connected while everyone worked from home, businesses moved workloads to the cloud at a remarkable rate.
Now, those who intend to keep these workloads in the cloud need to address the elephant in the room – namely, their ability to toe the compliance line.
When it comes to cloud, the rules around protecting customer data are constantly evolving – it’s almost a full-time job just keeping up with all the legal jargon, let alone deciphering all the acronyms. APRA, ISO 27001, ISO 9001, PCI DSS, HIPAA, IRAP, GDPR, NIST … the list goes on. Working out which of these regulatory frameworks applies to your business and then ensuring that your cloud environments comply is hard, ongoing work.
But it’s worth it. Non-compliance can break a business. The risks of doing nothing, or not enough, far outweigh the cost and effort of keeping up with compliance. Look at Google – it copped a $43 million USD fine for violating a few GDPR rules in 2019. While only small change for the tech giant, it was still nothing to be sneezed at. Then there was the Equifax data breach of 2017, which – due to mismanagement and poor governance following the breach – resulted in a staggering $1.4 billion USD in settlement fees. It’s why cloud governance is shaping up to be one of the biggest issues on the tech agenda this year.
Key insight: By taking cloud compliance seriously from the get-go, you not only avoid these hefty fines but also all the less-tangible repercussions, like reputational damage, erosion of customer trust and brand battering.
Public cloud providers can only do so much
Public cloud providers have iron-clad security and compliance credentials. But when it comes to protecting customer data and sticking to the rules and regulations for your industry, the buck ultimately stops with you.
As an example, the AWS Shared Responsibility Model clearly states that while AWS is responsible for the security of the cloud, it’s up to every business using that cloud to take care of things within it, such as customer data, identity and access management, patches and firewalls. Thinking that the public cloud provider will look after compliance is both misguided and risky.
Be successful with your multi-cloud compliance
Even though IT leaders know they need to do something about cloud compliance, it often gets shelved due to competing priorities or a lack of resources. Your team is probably flat out on other projects – like customer experience, remote working as the new normal and app development. With resources already stretched, many businesses simply don’t have the budget, time or inclination to train someone up on the specifics of cloud compliance.
You know you need to do something – the question is, what?
Acknowledging that something needs to be done about cloud compliance is a great first step. Putting it on the agenda – and keeping it there – makes it more likely that someone will take ownership of the task. Even if that person determines the job is bigger than what’s possible in-house, at least they’ve worked it out and you can allocate budget towards outsourcing the task.
If you’re tackling it yourself, the next step is to identify all the rules and regulations that your business must comply with. You’ll also need visibility into your existing cloud environments, as you need to know where all your data resides, how assets in the cloud work together, and so on. Using a cloud management tool like CloudHealth by VMware automates this process for you, giving you an up-to-the-minute inventory of your cloud assets. Then, armed with all this information, you can create and communicate cloud protocols to relevant teams, and monitor cloud environments to ensure the rules are being followed.
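The steps above (know where your data resides, write the rules down, then monitor the environment against them) are what "compliance as code" boils down to. The example below is an added illustration and is not code from the original post or from any vendor tool mentioned in it. The asset inventory, the rule set, the approved-region list and the field names are all constructed assumptions standing in for what a real cloud management tool or provider API would export; the point is the pattern, in which every rule is an explicit, testable check and the output is a prioritised list of violations rather than a one-off audit.

```python
"""Compliance-as-code check over a cloud asset inventory (added example).

The inventory, rules, field names and approved regions below are constructed
for illustration; a real inventory would come from a cloud management tool or
from the provider's own APIs.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Constructed sample inventory: the shape an up-to-date asset export might take.
INVENTORY = [
    {"id": "bucket-customer-docs", "type": "object_storage", "region": "ap-southeast-2",
     "encrypted": True, "public": False, "tags": {"data_class": "customer"}},
    {"id": "bucket-marketing-assets", "type": "object_storage", "region": "us-east-1",
     "encrypted": False, "public": True, "tags": {"data_class": "public"}},
    {"id": "db-orders", "type": "database", "region": "us-east-1",
     "encrypted": True, "public": False, "tags": {"data_class": "customer"}},
    {"id": "vm-web-01", "type": "virtual_machine", "region": "ap-southeast-2",
     "patch_age_days": 95, "open_ports": [22, 443], "tags": {}},
]

# Constructed data-residency policy: where customer data is allowed to live.
ALLOWED_CUSTOMER_DATA_REGIONS = {"ap-southeast-2"}


@dataclass
class Rule:
    rule_id: str
    description: str
    severity: str                     # "high", "medium" or "low"
    applies_to: set[str]              # asset types the rule is evaluated against
    check: Callable[[dict], bool]     # returns True when the asset is compliant


@dataclass
class Finding:
    rule_id: str
    asset_id: str
    severity: str
    description: str


def _is_customer_data(asset: dict) -> bool:
    return asset["tags"].get("data_class") == "customer"


# The written-down protocol: each rule is one explicit, testable check.
RULES = [
    Rule("RES-1", "Customer data must reside in an approved region", "high",
         {"object_storage", "database"},
         lambda a: not _is_customer_data(a) or a["region"] in ALLOWED_CUSTOMER_DATA_REGIONS),
    Rule("ENC-1", "Customer data stores must be encrypted at rest", "high",
         {"object_storage", "database"},
         lambda a: not _is_customer_data(a) or a["encrypted"]),
    Rule("PUB-1", "Storage must not be public unless classified as public data", "high",
         {"object_storage"},
         lambda a: not a["public"] or a["tags"].get("data_class") == "public"),
    Rule("PATCH-1", "Virtual machines must be patched within 30 days", "medium",
         {"virtual_machine"},
         lambda a: a.get("patch_age_days", 0) <= 30),
    Rule("TAG-1", "Every asset must carry a data_class tag", "low",
         {"object_storage", "database", "virtual_machine"},
         lambda a: "data_class" in a["tags"]),
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def evaluate(inventory: list[dict], rules: list[Rule] = RULES) -> list[Finding]:
    """Run every applicable rule over every asset; return violations, highest severity first."""
    findings = []
    for asset in inventory:
        for rule in rules:
            if asset["type"] not in rule.applies_to:
                continue
            if not rule.check(asset):
                findings.append(Finding(rule.rule_id, asset["id"], rule.severity, rule.description))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.asset_id, f.rule_id))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity band, the view a prioritisation meeting wants."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    # Re-run this on every fresh inventory export to get continuous, not one-off, checking.
    results = evaluate(INVENTORY)
    for f in results:
        print(f"[{f.severity.upper()}] {f.asset_id}: {f.rule_id} {f.description}")
    print(summarise(results))
```

Two design choices worth copying into a real implementation: the rules reference data classification tags rather than asset names, so the same rule set keeps working as assets come and go, and the checks are pure functions over the inventory, so they can be unit-tested and scheduled against each new export without touching the cloud accounts themselves.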
Although automation tools can assist you, keeping up with compliance requires a specific combination of experience, people and processes. If one of these ingredients is missing, the process will fall flat.
How we help
Given the complexity and time required, many businesses turn to outside experts – freeing your team to focus on more engaging tasks (we know compliance isn’t the most fun!).
Interactive Managed Services reduces the burden on your IT team by continuously taking care of compliance. With decades of experience managing compliance for our clients, we know the rules (and all those acronyms) and what they mean to your business. We start with an initial audit of your infrastructure layer, identifying high, medium and low priority issues. Given that 100% of the assessments that we perform reveal critical compliance violations, this is a powerful first step. From here, we help you fix the issues that are uncovered and then conduct ongoing checks to ensure that you remain compliant.
Ready to get on the front foot with cloud compliance?
Download our guide and achieve continuous compliance in the cloud.