Maintaining Compliance In The Cloud: Regulatory Standards Are Only a Blueprint

One of the greatest benefits of cloud computing is the ability to quickly create and deploy compliant IT platforms and maintain them efficiently.  Despite what many people believe, maintaining regulatory compliance in the cloud means much more than ensuring your provider has checked the "compliance box". Regulatory standards only serve as a blueprint to achieving strong security.  Real compliance involves regularly reviewed processes, physical security, data segmentation and isolation, specific security measures, and most of all, commitment.

So, what does it take to maintain security and ultimately compliance in the cloud?  Below, we'll overview some of the common compliance standards and discuss the special requirements involved.  This is by no means a complete list of the compliance requirements (some of these standards have manuals thicker than telephone books), but rather a broad survey of some of the most common security standards and the concepts involved in maintaining them.

HIPAA and HITECH Act

HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) act are designed to protect Personal Identifiable Information (PII) related to patient information.  Some of the items you'll need to support a HIPAA compliant environment include a defense in depth strategy, which protects the environment at the border with firewalls, and Intrusion Detection and Prevention systems (IDS / IPS).  You'll also need the ability to encrypt the patient data both in transit and at rest.

CJIS (Criminal Justice Information Systems)

Organizations who have access to criminal records or work with the FBI may require CJIS compliance.  CJIS protected data is usually shared between local, state, and federal law enforcement agencies.  This data typically requires encryption in transit and at rest, along with logging and auditing capabilities for who has accessed or manipulated ...