Over the years, there has been a massive uptick in companies migrating to the cloud. It's easy to see why: the advantages are many, and, in all but a few cases, it makes a great deal of sense to get up there. There are many people now working remotely or in a hybrid role, with companies implementing techniques to ensure remote employee engagement and clarity in their online communications.

However, what might not be so clear is what compliance standards a company takes on board when they adopt cloud infrastructure. We'll take a look at five of them.
## Why are there cloud compliance standards?

### They benefit the company

A company offering cloud services opens itself up to various opportunities but also, unhappily, a great many threats. The existence of cloud standards means that companies can protect themselves, especially when it comes to improving data security.

### They benefit the public

As we'll see, the compliance standards that pertain to a cloud company aim to grant the public greater security and privacy.
## Who sets the standards?

There are several organizations responsible for setting cloud compliance standards. These include professional and technical organizations such as the Cloud Working Group and the European Telecommunications Standards Institute.

Two of the most significant compliance standard bodies are the National Institute of Science and Technology (NIST) and the International Organization for Standardization (ISO).

NIST develops standards primarily for government use. Meanwhile, ISO sets international standards for numerous technologies across the globe.
## 5 cloud compliance standards

### 1. General Data Protection Regulation (GDPR)

GDPR is an ordinance that lays a framework of compliance standards across any company dealing with the data of an EU, EEA, or UK citizen. So, even if your company is based in the US and has no interest in registering a .co.uk domain, you may still be subject to GDPR provisions.

Here are the fundamental principles of GDPR:
- Data must be used fairly and legally, and transparency must be in place.
- Data must be used only for the specified purpose.
- Data use must be limited to what is necessary for that purpose.
- Data must be accurate and up to date.
- Data must be kept only for as long as necessary.
- Data must be handled in a secure manner.
Data relating to especially sensitive areas, such as ethnicity, is covered by enhanced legal protections. It's one of the many reasons why business data management is so vital. Penalties for GDPR transgressions are severe, and security breaches lead to hefty fines (up to 20 million Euros or 4% of annual turnover, whichever is greater).
### 2. Health Insurance Portability and Accountability Act (HIPAA)

As the name suggests, this legislation covers data relating to health records. Specifically, it deals with protected health information (PHI) and the identifiers that can connect given data to an individual. PHI identifiers include names, Social Security numbers, and medical record numbers.

While it's incumbent upon the entity handling the health record to be mindful of the need to protect subject anonymity, there are no specific techniques for this. Instead, it's up to the organization to develop HIPAA-observant policies covering areas such as data storage and file transfer.

Again, transgression penalties can be substantial (up to $1.5 million, plus potential restitution payments to the individual affected).
Despite its name, the Act is concerned with the privacy of your health records and personal information. It doesn't replace health insurance, which covers your medical bills, or product liability insurance for injuries sustained as a result of a faulty product.
### 3. Payment Card Industry Data Security Standard (PCI-DSS)

If you're a business accepting payment card transactions, you will likely need to comply with PCI-DSS regulatory requirements.

Certain elements have to be in place to demonstrate healthy security, including a cloud firewall and a program of regular testing.

Organizational policies must include staff training to ensure compliance throughout all payment card usage areas. Such security policies are vital in protecting card user data.
### 4. California Consumer Privacy Act (CCPA)

Although highly stringent in its compliance requirements, the CCPA is limited in its scope to protecting Californian consumers against data abuse from companies that:

- have gross annual revenues of $25 million or higher;
- deal with the personal information of 50,000 or more people; or
- derive 50% or more of their annual income from selling personal information.

Data security controls must be put in place so that, throughout the organization, priority is given to data care in business communication. What's more, there should be a corporate-wide understanding of how data is used and where it's stored.
### 5. Federal Risk and Authorization Management Plan (FedRAMP)

Unlike the other compliance standards listed here, FedRAMP's compliance frameworks are voluntary for private-sector companies. However, given the somewhat fragmented nature of cloud industry standards in the US, it's wise to observe FedRAMP tenets, as this will ensure your company is compliant with mandatory regulations.

Governmental cloud users, on the other hand, must comply with FedRAMP rules. With that in mind, a private company working with the government should do so, too.
## What next?

With various cloud compliance standards, it can be confusing to find the ones that apply to your organization.

However, there are certain themes that most of these requirements have in common, including encryption and a zero-trust outlook. If you can ensure that such practices are in place throughout your company, you'll be well on your way to being cloud compliant, wherever you are.
## ABOUT THE AUTHOR

Francis King - Customer Acquisition, OnlyDomains

Francis leads customer acquisition at OnlyDomains, a domain management solution that offers global services and support that can be accessed from anywhere in the world; it lets you buy .ae domain names, for example.

Francis has been a part of the team since 2009. He is our go-to guy for everything online advertising. Originally from Melbourne, Francis cannot go a day without lifting weights; he is considering taking on Jiu-Jitsu next. Francis has written for domains such as Zumvu.