By Deepa Salem, Vice President and Research Director, SAPInsider A majority of respondents (55%) in SAPinsider’s recent Data Warehouse and Data Management in the Cloud research report stated that regulatory compliance is a big concern for storing and managing data in the cloud. Compliance, like security, is a non-negotiable goal, and one that is increasingly complex with proliferating requirements such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in the European Union, as well as state-level mandates and industry-specific rules. Maintaining compliance on-premise has become a significantly burdensome and expensive function. Cloud computing has clearly compounded this challenge with additional requirements such as encryption, auditing, data location, and data separation rules. Balancing these requirements with the need to provide business users with adequate data access can become onerous. These compliance requirements can also increase cloud deployment costs to the point where they no longer make financial sense. While these challenges have not slowed down cloud adoption noticeably, they have led to a lack of confidence and data breaches. They also drive the continued appetite for private cloud that provides the benefits of cloud while helping companies meet data separation and audit requirements. In a survey of IT and IT security practitioners in Data Protection and Privacy Compliance in the Cloud by Microsoft and the Ponemon Institute, 53% of U.S. respondents and 60% of European Union respondents said that they are not confident that their organization currently meets their privacy and data protection requirements. What is driving this low confidence in cloud data compliance among IT and IT security professionals? While several factors are involved, organizations can increase confidence in their IT staff by asking these questions to avoid common pitfalls:

1. Are compliance personnel adequately involved in the evaluation and selection of cloud providers? Compliance experts with expertise in the area are more equipped to learn, evaluate, and design their cloud deployment if they are deeply aware of the choices. One of the major ways companies are addressing this massive challenge is by selecting cloud providers that excel in compliance functionality as well as offer strong service level agreements (SLAs) for data compliance.
2. Do compliance personnel have transparency on where data is and who has access to what data? This transparency was more readily available on-premise. Not having the same transparency or the tools to gain such transparency with respect to cloud data can be challenging.
3. Is there clarity on the roles and responsibilities of who owns security and compliance within the cloud service provider and internal teams? Finger-pointing during data incidents or exposure is clearly not the right outcome. Onboarding processes should be very clear on the processes and handovers.
4. Are compliance experts evaluating, selecting, and deploying various tools for cloud data management, including tools provided by cloud service provider as well as third-party tools? Cloud providers are increasingly offering deeper functionality for managing privacy and compliance in the cloud. They provide tools such as conducting impact assessments, classifying and tagging data, tiering data based on confidentiality, and automating compliance checks. Proper planning is required to deploy these tools effectively and train personnel to ensure compliance.
5. Are the cloud SLAs set up with clear metrics, timelines, and processes? The right metrics that are both measurable and meaningful should be selected, a task that many cloud customers ignore until it is too late. Most cloud providers limit their liability for data breaches through non-negotiable contracts. Evaluating the metrics, roles and responsibilities, security and privacy requirements, failure management protocols, disaster recovery plans, etc., and negotiating for the next incident are critical. The level of negotiating power will depend upon the size of the contract, but more companies are able to negotiate effectively in an increasingly competitive cloud marketplace.

  What Does This Mean for SAPInsiders? For SAPInsiders deploying data on the cloud, early and deep focus on compliance in evaluating cloud providers and subsequently designing a deployment plan is critical.

• Upskill and enable compliance experts to lead the assessment and deployment process so all current and future factors are considered for compliance success in the cloud. Empower compliance experts to be proactive with respect to changing or newer requirements across the globe. A direct relationship between in-house compliance teams and the cloud provider teams will minimize compliance risks.
• Develop, update, and frequently communicate the compliance requirements and their impact so there is a single source of truth across the cloud provider and internal teams.
• Ensure a consistent process and criteria for evaluating cloud service providers, designing a deployment model, and setting up SLAs and metrics. This is especially important with the increasing hybrid, multi-cloud environment.

  There is no doubt that cloud deployment of data is going to increase exponentially. Developing best practices to manage data safely and securely is a vital foundation of success.