Contact Us

Cloud Data Compliance Requirements and Solutions

Cloud Data Compliance Icon

It’s already challenging enough securing data in any cloud-enabled environment – whether it’s stored in your own virtualized data center or in one or a number of public clouds.

However, when your data is housed in a multi-tenant environment or managed by a cloud service provider, there are additional cloud data compliance issues you need to contend with in your efforts to maintain control over your data.

Who is responsible for data protection in public cloud computing?

In short, enterprises are liable for the data stored in the cloud. Not necessarily your cloud service provider or anyone else in the supply chain. Although some emerging regulations like Europe's General Data Protection Regulation (see below) may attempt to make service providers more accountable, ultimately it is the responsibility of the data owner to properly secure that data across cloud-enabled environments.

Gemalto's proven SafeNet Identity and Data Protection solutions turn any cloud environment into a trusted and compliant environment by enabling you to solve the critical challenges of data governance, control, and ownership - no matter where your data resides, or how you choose to protect your data - on premises or in the cloud.

What makes cloud data compliance so challenging?

The lack of physical control, or defined entrance and egress points, bring a whole host of cloud data security issues, including:

  • Data co-mingling
  • Privileged user abuse and cloud super-admins
  • Snapshots and backups
  • Data deletion
  • Data leakage
  • Geographic regulatory requirements
  • Many more

What are the cloud data compliance requirements to know?


General cloud compliance requirements

As more specific standards develop to protect data and ensure the privacy of individual, organizations are being challenged to ensure security and compliance, on premises and also in cloud-enabled environments. Most of the standards are not specific to cloud computing but are sufficiently general so you can apply them to your cloud-enabled environments.

These include:

ISACA's Control Objectives for Information and Related Technologies (COBIT) has evolved to be a well-recognized IT risk and controls framework. The COBIT framework is platform-agnostic, both in type and complexity, enabling its extension to cloud governance with ease.

It has sufficient depth to address many of the technical aspects of cloud computing as well as providing defined risk assessment measures.

ITIL (Information Technology Infrastructure Library) is a well-established set of practices for IT service management to manage risk of reliability, stability, resilience and security by providing cross-collaboration between teams.

This can certainly be applied to the management of cloud services. It has been claimed by DevOps that ITIL is too slow and rigid but their goals are aligned.

ISO/IEC 20000-9 addresses the application of ISO 20000 to cloud services. Published in March 2015, this guide confirms ISO/IEC 20000 applicability in a variety of cloud-enabled environments including IaaS, PaaS and SaaS, across public, hybrid and private deployment models.

SSAE 16 (Statement on Standards for Attestation Engagements) is an audit standard which can be applied to cloud service providers to focus on controls in place at the service provider organization and they are more oriented towards accountancy and financial activities.

SSAE 16 reporting helps service organizations comply with the requirements of Sarbanes Oxley (section 404) to demonstrate effective internal controls covering financial reporting.

Local/vertical cloud compliance requirements

In addition, there are standards and frameworks which operate at country or regional levels or which apply to specific verticals or to specific types of data. Some or all may apply. Some examples are listed below:

FedRAMP is a US government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Although designed for federal agency use, it can be used for both government and commercial cloud computing systems.

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU.

This regulation opens the door for non-EU cloud providers and hosting providers to enter the market but also makes it harder to process personal data compliantly in cloud-enabled environments, by making the service providers also liable for data breaches and other rule violations. The GDPR will replace the data protection directive (officially Directive 95/46/EC) [2] from 1995.

HIPAA is a standard that relates to the handling of health related information, principally in the USA. As providers and users take advantage of the benefits of the cloud, keeping health and other PII is more critical than ever before.

PCI-DSS is a standard relating to the security of payment card data. The latest update to PCI-DSS 3.2 released in April 2016, added additional requirements for service providers.

Note: This list is not meant to be a comprehensive guideline. Contact us for more information about ensuring compliance in cloud-enabled environments and across your organization as a whole.

How can Gemalto’s SafeNet Identity and Data Protection solutions help?

Faced with an overwhelming number of security standards, from advisory standards to security frameworks and standards specifications, you can rely on Gemalto’s SafeNet Identity and Data Protection solutions to help you navigate security in cloud.

With these solutions you can:

  • Leverage best-in-class encryption and key management to stop data from being exposed to cyber-criminals
  • Ensure that your data is secure and that only you have control of that data
  • Provide reports to attest to your data ownership and access
  • Ensure all requests to access your encrypted data – including subpoena requests or other lawful orders – must be directed to you, the sole encryption key owner.
  • Enforce your right to be forgotten by destroying the encryption keys to data if necessary
Cloud4Com Logo
By adding the ability to offer encryption-as-a-service through Gemalto along with our IaaS solutions, we are helping our customers move to the cloud with confidence. As a service provider, Gemalto SafeNet ProtectV enables us to differentiate our offerings from other cloud providers, build greater relationships with customers, and create more revenue opportunities.
- Tomas Novak, CTO, Cloud4com
Cloud Data Compliance - Next Step Image

What's the next step?

That one's easy. Get the compliance help you need.

Or you may want to check out these related resources:

Cloud Security Resources

451 Research Highlights Gemalto’s New SafeNet Data Protection On Demand

451 Research examines Gemalto’s Security as-a-service platform with a data protection marketplace to click and deploy security services. Discover their findings.

Get this resource

Key Criteria for Effective Protection of Virtual Workloads in Cloud-Enabled Environments - White Paper

This paper covers virtualization and cloud data protection challenges, key criteria for protecting virtual workloads, and capabilities to utilize to secure virtual workloads.

Get this resource

Three Steps to Securing Data in Any Cloud Environment - eBook

Is your company new to the cloud? Read Gemalto’s “Your Data. Their Cloud.” to learn the benefits of the cloud, how to control the cloud with cloud-base applications, encrypt and secure da...

Get this resource

The Global State of Cloud Data Security Infographic

Commissioned by Gemalto, the Ponemon Institute recently surveyed 3,476 IT and IT security professionals on Gemalto's behalf to learn about their organizations' cloud data security pr...

Get this resource

Back to Top

Contact Us

Thank you for your interest in our products. Please fill out and submit the form to receive more information about Gemalto or to be contacted by a Gemalto specialist.

Your Information

* Email Address:  
* First Name:  
* Last Name:  
* Company Name:  
* Phone:  
* Country:  
* State (US Only):  
* Province (Canada/Australia Only):  
Comments:  
 


By submitting this form I agree to receive information from Gemalto and its affiliates as described in our Privacy statement.