Compliance in the cloud

BrandPost By Joanie Wexler
Nov 15, 2021
Cloud Computing, Compliance

How security and governance are evolving to support modern data infrastructures.

Credit: iStock

Organizations often think they have to make a trade-off between broad data access and governance, particularly when it comes to regulations and policies around data privacy. But in reality, data governance can help users of that data—including customers and employees—more easily access the right data when they need it.

This approach requires enhancing traditional governance models with collaborative best practices and tools to ensure the consistent application of policies across all users, data stores, and infrastructure to abide by the appropriate data mandates.

Shared responsibility for security

Because cloud services involve infrastructure that the enterprise doesn’t own and manage, many organizations share responsibility with cloud service providers for access control.

The provider takes care of updating and controlling access to the components it administers, including the host operating system, virtualization software, hardware, and facilities. Enterprise IT teams, in turn, retain responsibility for updating, patching, and controlling access to the components they layer on top of the cloud infrastructure—applications, “guest” operating systems, and security software. This responsibility includes configuring any firewall services provided by the cloud operator that the enterprise uses for policy enforcement.

AWS describes this partnership as the cloud provider having responsibility for security “of” the cloud, while the enterprise controls and manages access to its own resources “in” the cloud.

Compliance tools

Tools and cloud services that help enterprises with compliance are becoming widely available. For example, AWS Lake Formation provides a data catalog that automatically discovers, tags, and catalogs data across the AWS cloud environment. It provides an easy way to centrally define and manage security, governance, and auditing policies all in one place.

For multinational enterprises, regulations vary from country to country. So global organizations often must comply with multiple, sometimes conflicting, standards concurrently. This can be particularly challenging in the virtualized public cloud world, because providers may dynamically move your data to wherever they have resources available. Without proper controls, that could mean crossing geographical boundaries and possibly bringing you out of compliance unawares.

However, most providers have a service option that restricts the geographic distribution of your content. For example, the Amazon CloudFront content distribution service offers a geo-restriction option that allows users to access your content only if they’re in one of the countries on an approved whitelist.

Another tool, AWS Config, is an AWS managed service you can use to monitor security and compliance of your AWS cloud environment. It delivers an AWS resource inventory, configuration history, and configuration change notifications, so you can discover existing and deleted AWS resources and benchmark your overall compliance against relevant rules.
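The two controls above, a CloudFront geo-restriction whitelist and an AWS Config-style compliance check, can be combined into one rule: every distribution must use a whitelist, and every whitelisted country must be on the organization's approved list. The following is an added example, not code from the article or from AWS. The dictionary shape mirrors the `Restrictions.GeoRestriction` block of a real CloudFront `DistributionConfig` (`RestrictionType`, `Quantity`, `Items`), but the distribution IDs and country lists are constructed sample data, and the evaluation function is a hypothetical custom check in the spirit of a Config rule, not an AWS managed rule. The compliance strings follow the values AWS Config uses (`COMPLIANT`, `NON_COMPLIANT`, `NOT_APPLICABLE`).

```python
"""Evaluate CloudFront geo-restriction settings against an approved-country list.

Added example for illustration; not the article's or AWS's own code.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data. The nested structure mirrors the real CloudFront
# DistributionConfig "Restrictions" block; IDs and countries are made up.
SAMPLE_DISTRIBUTIONS = {
    "EXAMPLE-OPEN": {          # no restriction at all: served worldwide
        "Enabled": True,
        "Restrictions": {"GeoRestriction": {
            "RestrictionType": "none", "Quantity": 0, "Items": []}},
    },
    "EXAMPLE-BLACKLIST": {     # blocks one country, serves everywhere else
        "Enabled": True,
        "Restrictions": {"GeoRestriction": {
            "RestrictionType": "blacklist", "Quantity": 1, "Items": ["XX"]}},
    },
    "EXAMPLE-WHITELIST-OK": {  # only approved countries listed
        "Enabled": True,
        "Restrictions": {"GeoRestriction": {
            "RestrictionType": "whitelist", "Quantity": 2, "Items": ["DE", "FR"]}},
    },
    "EXAMPLE-WHITELIST-DRIFT": {  # whitelist drifted to include an unapproved country
        "Enabled": True,
        "Restrictions": {"GeoRestriction": {
            "RestrictionType": "whitelist", "Quantity": 3, "Items": ["DE", "FR", "US"]}},
    },
    "EXAMPLE-DISABLED": {      # disabled distributions serve nothing
        "Enabled": False,
        "Restrictions": {"GeoRestriction": {
            "RestrictionType": "none", "Quantity": 0, "Items": []}},
    },
}


@dataclass
class Evaluation:
    distribution_id: str
    compliance: str                      # COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE
    reasons: list = field(default_factory=list)


def evaluate_geo_restriction(dist_id, config, approved_countries):
    """Apply the hypothetical rule to one distribution config.

    A blacklist or "none" fails because any country not explicitly listed is
    served; a whitelist fails if it names a country outside the approved set.
    """
    if not config.get("Enabled", False):
        return Evaluation(dist_id, "NOT_APPLICABLE", ["distribution is disabled"])

    geo = config.get("Restrictions", {}).get("GeoRestriction", {})
    rtype = geo.get("RestrictionType", "none")
    items = set(geo.get("Items", []))
    reasons = []

    if rtype != "whitelist":
        reasons.append(f"RestrictionType is {rtype!r}, expected 'whitelist'")
    else:
        unapproved = sorted(items - set(approved_countries))
        if unapproved:
            reasons.append(f"whitelist includes unapproved countries: {unapproved}")

    status = "NON_COMPLIANT" if reasons else "COMPLIANT"
    return Evaluation(dist_id, status, reasons)


def evaluate_all(distributions, approved_countries):
    """Evaluate every distribution; returns {distribution_id: Evaluation}."""
    return {
        dist_id: evaluate_geo_restriction(dist_id, cfg, approved_countries)
        for dist_id, cfg in distributions.items()
    }


def summarize(results):
    """Count evaluations by compliance status, e.g. for a KPI report."""
    return dict(Counter(ev.compliance for ev in results.values()))


if __name__ == "__main__":
    approved = {"DE", "FR"}   # constructed approved-country list
    results = evaluate_all(SAMPLE_DISTRIBUTIONS, approved)
    for ev in results.values():
        print(f"{ev.distribution_id}: {ev.compliance} {ev.reasons}")
    print(summarize(results))
```

In a real deployment the `config` dictionaries would come from `aws cloudfront get-distribution-config` output (or a Config configuration item) rather than the constructed samples, and the approved-country list would be read from the compliance database the best-practices section recommends, so that a change to a country's rules is reflected in the check without editing code.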

Enterprises can also procure compliance management software that ships with compliance policies and will evaluate your cloud infrastructure against best practices laid out by the cloud providers you use. Those powered by AI can organize the files that are relevant to an enterprise’s adherence to current compliance standards.

Best practices

IT governance and compliance professionals should create a framework for maintaining up-to-date digital compliance standards. Recommended steps include:

> Create and maintain a compliance database. This allows you to map out digital compliance standards by country. Set up a process for regularly updating the database, given that policies and mandates are frequently updated and new ones might be introduced. This step creates a clear, active structure for compliance.

> Deploy checks and balances. It’s best if the team that conducts compliance checks is not the team responsible for remediating them.

> Measure and report key performance indicators (KPIs). These are likely to include the number of high, medium, and low compliance violations that occur, how long it takes for a violation to be remediated, and the number of policies you’re maintaining.

Compliance with government, regulatory, and internal policies is critical to any data-driven organization. It not only helps you avoid what can be significant fines and penalties for violations, but it ensures that your organization is operating according to the core values and best practices established to optimize the value of data across the business.
