The Compliance Conundrum

Businesses are busy trying to make sure they have everything in place to satisfy the requirements of the General Data Protection Regulation (GDPR), which comes into force in fewer than three months. Companies that handle the personal data of people in the EU are now having to spend more time and money than ever on compliance.

The fear of the complexity of managing compliance in new infrastructure, on top of the effort already involved in getting existing systems ready, is prompting many businesses to shy away from the cloud, despite the many benefits such services offer.

These concerns stem largely from a misconception that cloud platforms, where data is held by a third party on shared systems, will be harder to bring into compliance than traditional in-house systems and potentially less secure. The truth is very different.

Public cloud services can be extremely secure and are often a more secure option than in-house systems. So what exactly is behind this misconception, and why should businesses trust public cloud services with their compliance needs?

Privacy please
On the face of things, it's easy to see why many people would assume on-premises infrastructure is more secure and easier to manage. In theory, businesses know exactly where their data is stored and who has access to it, both of which provide comfort for organizations.

They can also design the architecture to suit their own specific needs and preferences, and they avoid the risk of losing data if a public cloud provider goes out of business. However, firms would be wise to remember that operating their own private cloud places the responsibility for security and compliance squarely on their shoulders. Businesses are at the mercy of the whims of nature and the resilience of their local power grid, potentially leaving them helpless if something goes wrong.

It also leaves them vulnerable to disgruntled employees and internal data theft. Employees may have easy access to confidential data, and where disks are not encrypted at rest there is sometimes very little to stop them from stealing corporate information simply by pulling a disk from a server and leaving the building with it.

So just because infrastructure sits in your own data center doesn't mean it is inherently more secure, more resilient or better suited to meeting the demands of regulatory compliance than public cloud.

Going public
While some businesses may feel more comfortable knowing their data is stored within their own walls, data location is only one small aspect of security and compliance. Alongside the provision of innovative new services to enable business growth, it is the job of public cloud providers to protect their customers' data. A central component of their value proposition, therefore, is the delivery of the systems, tools and continuity plans that make their cloud infrastructure safe and secure.

Public cloud providers are also likely to carry out software patching on a more regular basis, which is essential to maintaining compliance. Note that this covers the layers the provider operates (physical hosts, hypervisors and managed services); under the shared responsibility model, a customer running virtual machines remains responsible for patching the guest operating system and its own applications. Businesses running their own private clouds will generally be slower to patch security gaps across the whole stack, leaving themselves exposed to potential data breaches and compliance holes.

The recent Spectre and Meltdown vulnerabilities are a good example of this, with Google, Microsoft and Amazon all patching their host systems quickly after the problems became public, while advising customers to apply the corresponding guest operating system updates. Meanwhile, many businesses will still be trying to determine which systems they need to patch and how to go about doing it.
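The first step in "determining which systems need patching" is asking each host what the kernel itself reports. Since Linux 4.15 the kernel exposes one file per known CPU vulnerability under /sys/devices/system/cpu/vulnerabilities/, each containing "Not affected", "Vulnerable" (optionally with a reason) or "Mitigation: ..." (the mitigation in use). The script below is an added example, not part of the original article or of any vendor's tooling: it classifies those status lines, reports every entry and returns non-zero if anything is still vulnerable, so it can be run by a fleet tool over on-premises hosts or cloud guests alike. The sample directory it falls back to when sysfs is absent is constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory the kernel-reported Spectre/Meltdown mitigation
# status of a Linux host. Not part of the original article.
#
# Real kernel interface (Linux 4.15+): one file per vulnerability in
# /sys/devices/system/cpu/vulnerabilities/, e.g. meltdown, spectre_v1,
# spectre_v2. Each file holds a single line such as:
#   "Not affected"
#   "Vulnerable" or "Vulnerable: <reason>"
#   "Mitigation: PTI"

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE
# Prints one of: ok, vulnerable, unknown.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                   echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# report_dir DIR
# Prints "<name> <status> <raw line>" for every file in DIR.
# Returns 1 if any entry is classified as vulnerable, else 0.
report_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        line=$(cat "$f")
        status=$(classify_status "$line")
        printf '%-24s %-11s %s\n' "$name" "$status" "$line"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# Use the live sysfs directory when present; otherwise exercise the logic
# against a constructed sample (hypothetical values, for illustration only).
if [ -d "$VULN_DIR" ]; then
    report_dir "$VULN_DIR"
else
    sample=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$sample/meltdown"
    printf 'Not affected\n'    > "$sample/spectre_v1"
    printf 'Vulnerable\n'      > "$sample/spectre_v2"
    report_dir "$sample"
    rm -rf "$sample"
fi
```

Run it over a host inventory (for example with ssh in a loop, or via your configuration management tool) and treat a non-zero exit as "this host still needs work". Note the caveat the sysfs status itself encodes: "Mitigation: ..." means the kernel has applied a software mitigation, not that a microcode or hypervisor update has been installed, so a complete picture for Spectre variant 2 also needs the firmware and virtualization layers checked.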

Furthermore, public cloud providers tend to have highly skilled and experienced IT teams, which isn't something that can be said for all businesses. The skills gap is an extremely prevalent problem in the cloud world, and businesses are finding it harder than ever to attract talented engineers. This is causing problems when it comes to addressing the more technical compliance challenges, which third-party infrastructure can help solve.

Add in the fact that businesses will not be alone when defending against attacks, and the skills argument provides compelling support for using third-party providers to help ensure legislative compliance.

The combination of these factors means that in many cases public cloud can actually be a better option than a private cloud for systems with high security and compliance requirements. It can certainly be a less complicated option for businesses, and it helps to give them peace of mind amid a shifting regulatory landscape.

As end users become far more sensitive about the security of their personal data and initiatives like Open Banking come into effect, the challenges are only going to grow. That's why organizations today, rather than shying away from public infrastructure, should be embracing it as part of a hybrid cloud strategy on their journey to compliance.