Deploying critical data and workloads in a cloud environment can drive numerous benefits such as reduced costs and increased time to market on product and services.
When designing a strategy for regulatory compliance in cloud deployments, however, IT leaders must first make some big decisions.
For example, the choice of public, private or hybrid cloud may depend on whether your business is risk tolerant of sharing at the hypervisor level or if it requires dedicated physical servers. Also, how will your compliance strategy affect recovery and business continuity in the event of a disaster?
The CIA triad
To help navigate these decisions, start with the basics. This simple diagram illustrates the three key components to creating an effective strategy for information security.
I call it the “CIA triad.” CIA stands for:
Confidentiality through preventing access by unauthorized users.
Integrity from validating that your data is trustworthy and accurate.
Availability by ensuring data is available when needed.
Technology, procedures and auditing
I recommend a three-pronged approach to designing a compliance strategy that addresses each area of the triad.
The first prong is technology. An effective cloud infrastructure should include controls that enable you to manage user access to the environment, using software-defined architecture such as virtual or host-based firewalls to isolate, segment and protect data. The infrastructure should also help meet availability targets for critical data with service-level agreements (SLAs) that go up to the application layer.
The second prong consists of procedures and processes for successfully implementing this technology. This includes the use of operational plans and metrics to achieve the strategic and organizational goals set forth by management. These procedures should define the roles of each team member and outline security policies to help ensure the confidentiality of the data.
Once your infrastructure and procedures are in place, it’s a good idea to work with a third party who can audit your environment and policies. This auditing process should help determine what control framework will be used and an approach to validating successful implementation. A qualified auditor can also identify compliance practices that align with the core business. For example, if e-retail is a core business function, then Payment Card Industry (PCI) standards should be considered.
Compliance on IBM Cloud session at Think 2018
At Think 2018, I will host a Think Tank session to dive deeper into these topics, discussing how IBM Cloud can help businesses meet industry and regulatory compliance requirements such as PCI, FEDRAMP and HIPAA.
Along with Barbara Davis, offering manager for managed hosting and application services, I will highlight ways to deploy SAP data and applications more efficiently in a managed cloud environment. To join our conversation, go to the Think 2018 website to register for the event and enroll in the session.
Learn more about Cloud Managed Application Services.
The post 3 key ideas to help drive compliance in the cloud appeared first on Cloud computing news.
Quelle: Thoughts on Cloud
Published by