HIPAA, PCI DSS, ISO, FISMA, and NIST: these acronyms are enough to strike fear into the hearts of IT professionals around the country. Countless organizations must comply with these standards, even when they are working with third-party technology providers. Here's a quick rundown on what they cover:
- HIPAA: The Healthcare Industry Privacy and Accountability Act sets out details for secure handling of patient medical data to ensure privacy. Major focal points include maintaining data security, ensuring information is accessible at all times (ensuring data availability in an emergency) and safeguarding personally identifiable information, such as during research or community care initiatives.
- PCI DSS: The Payment Card Industry Data Security Standards focus on keeping credit- and debit-card data, and personal information about consumers who own those cards, safe. This also includes regulations around fraud prevention.
- ISO: The International Organization for Standardization has established ISO standards that codify best practices for achieving high levels of security in just about any IT environment.
- FISMA: The Federal Information Security Modernization Act is a regulatory framework focused on not only setting standards for protecting government data but also creating guidelines around reporting data breaches.
- NIST 800-171: These requirements provide federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) while it resides in nonfederal information systems and organizations. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components, and mandatory compliance is looming.
Cloud computing creates unique challenges as organizations work to ensure compliance across both internal and third-party technology environments that are highly virtualized and automated. Three issues that must be considered when trying to ensure compliance in cloud environments include:
1. Don't take certifications at face value
Cloud providers can often showcase certifications for different regulatory standards. Cloud services vary, even on a single provider. Make sure to confirm that the certification covers the specific services that you are purchasing.
2. Understand your responsibilities
Regulatory standards don't just govern how data is stored and managed; they also have stipulations pertaining to how information is handled on a day-to-day basis. As such, gaining a clear understanding of what you need to do compared to what the cloud vendor handles is essential. Many providers ensure that their architecture is compliant but don't handle the operating system or application level, while other providers manage the entire stack. Make sure you know who is handling which components of your solution.
3. Understand your data workloads
A study performed by Enterprise Management Associates found that 96 percent of security professionals claim their organizations have compliance-sensitive data in the cloud, but just 69 percent of IT pros said the same. Make sure your teams understand what data falls under regulatory requirements and that they know how to respond.
Unpacking the nuances of compliance in the cloud demands a high level of visibility into vendor processes, something that can be hard to navigate if you don’t do it every day. For this very reason, ARG has a cloud technology advisor on staff who is constantly researching each provider’s offering. ARG can go beyond helping you find services and make certain that the partnerships you establish ensure regulatory compliance. Whether you are a government integrator looking for a partner who understands compliance in the federal space, a healthcare provider or a financial institution, we can help you navigate the options to quickly identify the right providers who understand the specific compliance requirements and make sure that your organization is protected.