Cloud computing is transforming the way businesses operate. While it reduces the cost and complexity of owning and operating computers and networks, companies that move to the cloud inherently give up some control over their data in exchange for those benefits.
This is especially true for companies using file-storage Software-as-a-Service (SaaS) and back-office applications such as Microsoft SharePoint and OneDrive, Google Drive, Box, Dropbox and a host of others. Even though IT teams may not control the endpoint or the cloud application itself, they remain responsible for protecting their company's information assets and must ensure that the way those applications are configured and used complies with their IT policies.
EXTERNAL AND INTERNAL COMPLIANCE DRIVERS
The word "compliance" has become a catchword with different meanings and different goals, often dictated by your role in the organization. External compliance requirements focus on following regulations, standards, and laws imposed by governments, standards bodies, and industries. Two notable examples are the Health Insurance Portability and Accountability Act (HIPAA), which governs how sensitive patient information must be handled, and the Payment Card Industry Data Security Standard (PCI DSS), which governs how organizations must store, process, and transmit cardholder data.
Achieving compliance means that, at a given point in time, an audit of your information technology software, processes, and workflows found them to conform to a set of rules, such as standards, policies, or laws. An audit is a snapshot; it does not guarantee that the same controls are still in place and effective the day after. External requirements generally state what outcomes must be met rather than prescribing in detail how information security work must be conducted. Internal compliance, in contrast, focuses on adhering to the standards and best practices embodied in internal policy and managed through corporate governance.
Internal compliance is defined by the organization and focuses on protecting data such as intellectual property, strategic plans, and business records. Securing corporate data seeks many of the same outcomes as maintaining compliance with internal and external policies. Security, however, is specifically concerned with malicious actors who actively look for gaps that a checklist-driven audit will not surface, and that requires its own strategy. As a result, while the efforts to maintain compliance and to ensure security overlap, each requires individual treatment and neither can substitute for the other.
THE CLOUD COMPLIANCE JOURNEY
One of the biggest challenges companies face when establishing a compliance program is deciding where to begin. They understand that compliance is about properly managing the interactions of people, data, and critical intellectual property, and that they must adhere to federal and state regulations and laws. Unfortunately, few recognize that good policies are the foundation of a successful internal compliance program, or that effective policies take time to develop.
Many also do not realize that the mandates for cloud and on-premises compliance are the same: the obligations attach to the data, regardless of where it resides. However, with SaaS applications the company does not control the environment in which its data is stored and processed; the provider controls the infrastructure and application, while the customer remains responsible for classifying its data, configuring access and sharing settings, and monitoring how the data is used. This division of responsibility must be considered when selecting tools to support and enforce compliance and security efforts.
Enterprises should use security measures to help achieve compliance, rather than relying on compliance to drive security.