16 - TCnbc Magazine
For the past few years, cloud-based storage has oscillated somewhere between a replacement strategy for existing back-up storage solutions (i.e. tape) and a typically inexpensive but complex real-time storage solution for online web properties and enterprises. Much like the first waves of virtualization, many organizations are struggling to figure out where cloud storage fits within their existing IT infrastructure.
Unlike basic server virtualization, however, cloud storage raises a possibly more critical question: if and when it is even legal. Cloud storage carries with it an extra layer of complexity: compliance.
Data transmission and storage can fall under many regional regulations involving the security and availability of personal information. For regulations such as HIPAA in the United States and the Data Protection Directive in the European Union, organizations are required to adhere to data compliancy laws throughout the life of the data. When data is stored on-premise, as it is with the traditional data center model, an organization has complete control over where the data sits at rest, how the data is stored, and who has access to the data. Introducing cloud storage changes that on-premise control model.
Cloud storage complicates adherence to regulatory compliancy laws in multiple ways. First and foremost are the legal issues with data residency: depending on where the data is physically stored off-premise, it may fall under different regulations than it would when stored on-premise. This is especially true for cloud storage providers that offer multi-national storage solutions. Unfortunately, there are still many unanswered – and unchallenged – questions regarding the legal reach of local regulations on data stored out of region. For example, if a healthcare group based in the EU stores backup data with a U.S.-based cloud provider, is that data subject to the EU DPD regulations, U.S. HIPAA regulations, or both?
First and foremost, IT auditors need to come up to speed on the implications of auditing data that’s beyond the organization’s control and beyond the organization’s home borders. While some auditors are worried, many are more optimistic that these requirements provide business opportunities within the security, compliance and auditing community as organizations move data and long-term storage into the cloud.
Storage and compliancy don’t have to derail the business value of storing data in the cloud; there are options available for organizations to help with data regulations in the cloud. One relatively simple solution is to choose a cloud provider that’s solely located within the same region as the organization. Since the data will be stored off-premise in the same geography as it would be if stored on-premise, adhering to local regulations should be relatively straightforward. The organization will need to guarantee that the local cloud provider is completely localized and not using geographically removed data centers for disaster recovery, for example, but it’s a small price to pay if data privacy and compliancy are critical to the business.
There are also newer technologies that help organizations address data privacy laws with off-premise cloud-based storage. Encryption for data at rest and in transit has long been a viable security tool for maintaining privacy, and can continue to be so for cloud-based storage as long as the methods used to decrypt and access that data are kept within the organization’s control. It does no good to store encrypted data in the cloud if the keys used to decrypt that data are also stored in the cloud. By keeping encrypted data in the cloud and access to the data on-premise, organizations may be able to maintain regulatory compliance in the cloud.
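The arrangement described above, as an added example that is not code from the article: data is encrypted before upload with a key that stays in an on-premise store, so the provider holds only ciphertext and a key ID. The names `OnPremKeys` and `CloudBlob`, the object name, and the choice of AES-256-GCM are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// OnPremKeys stands in for a key store that never leaves the organization (hypothetical).
type OnPremKeys map[string][]byte
// CloudBlob is everything the provider stores: a key ID, nonce and ciphertext, never the key.
type CloudBlob struct {
	KeyID      string
	Nonce, Box []byte
}

func (k OnPremKeys) aead(keyID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k[keyID]) // unknown key ID gives a nil key, which NewCipher rejects
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal runs on-premise before upload; the object name is bound as associated data.
func (k OnPremKeys) Seal(keyID, name string, plain []byte) (CloudBlob, error) {
	g, err := k.aead(keyID)
	if err != nil {
		return CloudBlob{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CloudBlob{}, err
	}
	return CloudBlob{keyID, nonce, g.Seal(nil, nonce, plain, []byte(name))}, nil
}

// Open runs on-premise after download; it fails without the key or if the blob was altered.
func (k OnPremKeys) Open(name string, b CloudBlob) ([]byte, error) {
	g, err := k.aead(b.KeyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, b.Nonce, b.Box, []byte(name))
}
func main() {
	keys := OnPremKeys{"k1": make([]byte, 32)} // constructed demo key; generate randomly in practice
	blob, _ := keys.Seal("k1", "backup/records.tar", []byte("constructed sample record"))
	fmt.Println(OnPremKeys{}.Open("backup/records.tar", blob)) // provider's view: no key, so an error
}
```

Anyone holding only the `CloudBlob`, including the storage provider, has nothing to decrypt it with; if the key store were placed alongside the blobs, that separation would be lost.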
Tech Talk: Cloud Storage ~ Are you in compliance?
By Eric Savitz, Forbes Magazine Staff