Data protection compliance in cloud becoming easier

July 24, 2012

Regulations concerning data protection used to present a major holdup for companies looking to move into a cloud environment. Putting sensitive data in the hands of a third-party provider presented security concerns, not to mention issues with location for companies doing business in the European Union.

However, a study from InformationWeek found that as the world surrounding cloud computing data security has grown more stable, companies are feeling more confident in their ability to meet the requisite compliance regulations.

Prepared for compliance
Despite a wide range of regulations forcing the hands of many companies - 35 percent must comply with four mandates or more - most feel more prepared to deal with the requirements than recent studies indicated, when cloud uncertainty made compliance seem nearly impossible. Seventy-eight percent of respondents were fairly comfortable with the resources they had and their ability to ensure compliance with the various data security and other regulations.

Concerns surrounding third-party practices remain, as the public cloud continues to be a force in IT departments throughout the business world. As more outside companies gain access to private data, organizations are forced to take responsibility for security practices outside of their control. Because of this, the fear of a data breach still looms large.

Common practices
Although many companies have multiple mandates that they must be compliant with, some of the more common and publicized requirements are more likely to be adopted. Security measures laid out by the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI) standards highlighted the most common practices used by companies.

Endpoint protection, a requirement under HIPAA, PCI and a litany of other compliance standards, was the most common response when companies were asked what they would choose if they could only fund three controls. Coming next were application firewalling and identity management, with data loss prevention and similar secondary controls being left out by many respondents.

Further concerns
An inherent lack of control over data security in the cloud, and the subsequent impact that has on compliance, was a major concern for data protection authorities in the European Union, according to an opinion published by the region's Working Party on the issue.

Much of this concern is due to the classification of providers and the companies that contract them. Companies that use external cloud services would still be classified as "data controllers," while the cloud providers would largely fall under the term "data processors." Under EU regulations, the controllers are much more liable for the protection of data than are processors.

-McAfee Cloud Security