Thomas Trappler was recently named a "Cloud Luminary" by CA Technologies, along with Vivek Kundra, Nicholas Carr, Timothy Chou and others. Computerworld congratulates him for receiving this honor.
Cloud computing: You can't outsource your compliance obligations
Even if your cloud provider is at fault should your company fall out of compliance, the law will come after you.
Computerworld - When it comes to moving functions to the cloud, there's no such thing as being too thorough.
Say you've got an application that's been running in-house but is now nearing end of life. You find a cloud service that can achieve the same result. You evaluate the vendor's infrastructure and security mechanisms, processes and procedures and determine that they're sufficient to meet your needs. You're looking forward to outsourcing this to the cloud and relieving yourself of all the associated responsibilities. It's all smooth sailing ahead, right?
Maybe, but unfortunately, there's one more thing: You can't outsource your compliance obligations to a cloud vendor.
If you move a function to the cloud that's governed by legal or regulatory requirements and later your company falls out of compliance due to an error on the cloud vendor's part, the law won't go after the vendor - it will come after you. So you need to ensure that the cloud vendor can fully comply on your behalf.
What kinds of laws might apply in a cloud scenario? Two recent clients of my "Contracting for Cloud Computing Services" seminar offer good examples.
The first is in the healthcare industry and was contemplating using a cloud service that would involve personal health information. Of course, such information is covered by the Health Insurance Portability and Accountability Act (HIPAA), which mandates standard practices to ensure security, confidentiality and data integrity for healthcare-related data. Under HIPAA, the use of a cloud service is viewed as disclosing information to a third party. Any cloud vendor that handles your organization's HIPAA information should be subject to a business associates contract, under which the vendor essentially affirms that it will handle the data in compliance with HIPAA.
The other client, an institution of higher education, was investigating using a cloud service for a function involving student data. In such cases, the applicable regulation is the Family Educational Rights and Privacy Act (FERPA). FERPA is intended to protect the privacy of student education records by limiting how and to whom they can be disclosed. Under FERPA, the use of a cloud vendor can also be viewed as inappropriately disclosing information to a third party. One solution is to contractually identify the cloud vendor as a "school official" and state its obligation to ensure that data is handled in compliance with FERPA.
Other laws or external regulations that frequently come into play with the cloud include:
Other columns by Thomas Trappler
- NASA's cloud audit holds value for all
- Who can pry into your cloud-based data?
- Does your cloud vendor protect your rights?
- Software licensing in the cloud
- For credit card handlers, cloud computing guidelines just got clearer
- Regulations and the cloud: HIPAA modification provides clarity
- Certification programs are making it easier to know all about a cloud vendor
- The do's and don'ts of safeguarding cloud-based data with encryption
- For a good cloud contract, start with an RFP
- It takes a team to create a good cloud contract
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Maximize Strategic Flexibility by Building an Open Hybrid Cloud Choosing how to build a cloud is the biggest strategic decision IT leaders will make this decade. It determines their organizational competitiveness, flexibility,...
- ESG: The IBM FlashSystem 840: Technical Evolution to Deliver Business Value In this whitepaper, you will learn how this high-speed storage technology has tremendous potential to support I/O-intensive and/or latency-sensitive applications.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Cloud Computing White Papers | Webcasts