How the Cloud Simplifies Compliance

As more companies explore the cloud as a solution to unstructured data growth, they want to know exactly how their files will be stored and protected. For many companies, this is not simply a matter of curiosity. They need to adhere to industry-specific compliance regulations, and they want to know whether storing files in the cloud will violate or satisfy those standards. While putting your files in a data center run by somebody else may seem to create compliance issues, the truth is that adopting cloud storage can actually make it easier to implement and maintain strong security and compliance practices.

Security Doesn’t Necessarily Mean Compliance

In a previous post I explained why your unstructured data is not evaporating into some nebulous entity when you transfer it to a public cloud. Instead, your files are moving to the most secure and advanced data centers in the world. But as any security expert will tell you, a secure system is not necessarily compliant. Nor is a compliant system definitively secure. While there is overlap in practice, they are two different concepts. Ultimately, of course, you want both, and the key to achieving that is not just implementing a strong security strategy, but doing so in such a way that it can be documented, audited, and proven to be in line with the standards governing your industry.

Normally, companies are responsible for putting this into practice themselves, so the prospect of moving unstructured data to the cloud can be worrying. Industries often have their own compliance regulations, each with its own spin on what is required, so there can be doubts about whether a given cloud meets a specific regulatory need. For example, the healthcare industry has to comply with the Health Insurance Portability and Accountability Act (HIPAA), which effectively says you need to have good security practices but does not spell out every requirement in detail. Companies handling card payments, on the other hand, have to follow the Payment Card Industry Data Security Standard (PCI DSS), which lays out a long, specific list of rules and practices.

How Cloud Storage Providers Maintain Compliance

These are just two of the best-known examples, but there is an enormous list of compliance standards out there, tied to independent groups, business organizations, and government and regulatory agencies. One standard might call for a firewall, antivirus protection, and good password hygiene. Another might focus more on vulnerability management and auditing. The large cloud storage providers are good at solving big problems efficiently, and what they have done with this complex ecosystem of standards is effectively pool them into a single universal control set. That combined list satisfies a large number of international and industry-specific compliance standards at once. As Microsoft details in its Azure Trust Center, the security of the platform can be audited, verified and attested to independently, and Microsoft provides audit reports and compliance packages; you can also request the detailed third-party audit results. One point worth keeping in mind: those attestations cover the controls the provider operates, while how you configure storage, manage keys and grant access remains your responsibility, so the platform's certifications are the foundation of your compliance story rather than the whole of it.

How Nasuni Strengthens Cloud Storage Security

But there is an important caveat to maintaining cloud storage security. Ultimately, the public clouds are still run by another company, and these advanced data centers still reside outside the security perimeter of your offices. That is why Nasuni takes several precautions to ensure that your data remains secure and compliant both in transit to the cloud and at rest there. First, Nasuni File Services integrates with Active Directory to preserve your existing user security practices, access control and permissions. Second, all data is encrypted with customer-controlled keys before it ever leaves the security perimeter of your office, and it remains encrypted in the public cloud. That way, only your company can access your files. The cloud provider, Nasuni, even a government agency that subpoenas the cloud – none of them can read those files, because you are the only one with the key.

The third step is that we only pick the best public clouds. To ensure the integrity and security of data, we integrate only with well-known, proven, secure, and audited platforms such as Microsoft Azure. The success of these clouds depends in part on their ability to adhere to compliance standards and keep business data secure, so they have to stay up to date with all of these standards. By working with an established cloud like Azure, through a cloud-integrated storage solution with a strong security strategy, you are not risking compliance. If anything, the cloud is making compliance easier.