Information Technology

The compliance conundrum

By Mark Baker, Field Product Manager, Canonical
Published: 3 April 2018

With the General Data Protection Regulation (GDPR) on the horizon, businesses that wish to operate in the European Union are having to spend more time than ever thinking about compliance.

Not only does all personally identifiable customer data need to be accounted for – a task that is easier said than done for many organisations – internal processes also have to be updated and employees educated to ensure the compliance deadline of 25 May 2018 is met.

Of course, GDPR is just one legislative challenge facing businesses. Financial services firms, for example, have a revamped version of the Markets in Financial Instruments Directive (MiFID II) to respond to, while the UK telco industry faces the prospect of new legislation being enforced after Brexit.

And as falling foul of industry regulations has the potential to result in massive financial penalties, as well as the threats of reputational damage and a loss of customers, organisations simply can’t afford to be complacent.

However, fear of the complexity of managing compliance in new infrastructure, on top of the effort already involved in getting existing systems ready, is prompting many businesses to shy away from cloud despite the many benefits such services offer. These concerns stem mainly from a misconception that cloud platforms, with data held by third parties on shared systems, will be harder to manage and potentially less secure than traditional in-house systems. The truth is very different.

Public cloud services can be extremely secure and are often a more secure option than in-house systems. So what exactly is behind this misconception, and why should businesses trust public cloud services with their compliance needs?

Privacy please
On the face of it, it is easy to see why many people would assume on-premises infrastructure is more secure and easier to manage. In theory, businesses know exactly where their data is stored and who has access to it, and both of those provide comfort.

They can also design the architecture to suit their own needs and preferences, and they avoid the risk of losing data if a public cloud provider goes out of business. One could argue that such a setup is particularly appealing to businesses in highly regulated industries, such as healthcare and financial services, which need greater visibility and control over how their data is managed.

However, firms would be wise to remember that operating their own private cloud places responsibility for security and compliance squarely on their shoulders. They are at the mercy of the weather and the resilience of the local power grid, potentially leaving them helpless if something goes wrong.

It also leaves them exposed to disgruntled employees and internal data theft. Employees may have easy access to confidential data, sometimes with very little to stop them from walking out of the building with a disk pulled from a server. Employees can often plug in USB drives that have been used on home systems and may carry malware. Huge faith is placed in the firewall as a means of keeping intruders out, yet backdoors may well exist in the form of legacy, unsecured modem connections, and poor access control processes frequently leave user credentials active long after the employee in question has left the company.

So just because infrastructure sits in your own data centre does not mean it is inherently more secure, more resilient or better suited to regulatory compliance than public cloud.

Going public
While some businesses may feel more comfortable knowing their data is being stored within their own walls, data location is only one small aspect of security and compliance.

Along with providing innovative new services to enable business growth, it is the job of public cloud providers to protect their customers' data. A central component of their value proposition, therefore, is the delivery of systems, tools and continuity plans that keep their cloud infrastructure safe and secure.

This applies to both virtual and physical protection. Corporate data is stored in a secure facility with multiple layers of physical security that are often absent when businesses run their cloud infrastructure in-house.

And, with competition in the market increasing rapidly, demonstrable compliance is not only a valuable competitive advantage for businesses offering public cloud services but also essential to gaining customer trust and, in turn, loyalty. In this respect, cloud providers such as City Cloud are leading the way with a value proposition built around regulatory compliance.

Public cloud providers are also likely to patch software more regularly, which is essential for managing compliance. Businesses running their own private clouds will generally be slower to close security gaps, leaving themselves exposed to data breaches and compliance holes. The recent Spectre and Meltdown vulnerabilities are a good example: Google, Microsoft and Amazon all patched their systems quickly once the problems became public, while many businesses will still be trying to work out which systems they need to patch and how to go about it. One caveat applies even in the public cloud: the provider's patches cover the hypervisor and host, and the tenant still has to patch the guest operating systems running on top of it.
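Working out which hosts still need Spectre/Meltdown attention is the part of the paragraph above that a practitioner can actually automate. The following is an added example, not code from the article or from Canonical: it reads the per-issue status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (present from kernel 4.15 and in distribution backports; the file names and the "Not affected", "Mitigation:" and "Vulnerable" strings are the kernel's own) and lists the issues that still need work. The function names and the sample file contents are this example's assumptions. On a cloud VM it reports the guest kernel's mitigations only; the provider's hypervisor patching is invisible to it and does not replace it.

```python
"""Added example: classify the Linux kernel's CPU vulnerability reports and
decide whether a host still needs Spectre/Meltdown patching."""
from pathlib import Path

# Kernel interface (4.15+ and backports): one file per issue, e.g. 'meltdown',
# 'spectre_v1', 'spectre_v2', each holding a single status line.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status: str) -> str:
    """Reduce one sysfs status line to a bucket this example defines."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):          # covers 'Vulnerable' and 'Vulnerable: <detail>'
        return "vulnerable"
    return "unknown"                        # unrecognised text: needs a human look


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Return {issue_name: status_text} from the live host.

    An empty dict means the kernel predates the reporting interface, which
    for this purpose is the same as being unpatched."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in sorted(directory.iterdir()) if p.is_file()}


def assess(statuses: dict, required=("meltdown", "spectre_v1", "spectre_v2")) -> dict:
    """Classify each reported issue and list those still needing patching.

    Issues in `required` that the kernel does not report at all are flagged as
    'unknown', because a kernel with no status file for an issue has no
    mitigation code for it either."""
    per_issue = {name: classify(text) for name, text in statuses.items()}
    for name in required:
        per_issue.setdefault(name, "unknown")
    needs_patching = sorted(n for n, c in per_issue.items()
                            if c in ("vulnerable", "unknown"))
    return {"per_issue": per_issue, "needs_patching": needs_patching}


# Constructed sample file contents for this example (not captured from a real host).
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    for label, data in (("patched sample", SAMPLE_PATCHED),
                        ("unpatched sample", SAMPLE_UNPATCHED),
                        ("this host", read_sysfs())):
        print(label, assess(data))
```

Run it across a fleet (for example through a configuration-management tool or ssh loop) and the "needs_patching" list gives the inventory the paragraph says many businesses still lack. Treat "unknown" as a finding rather than a pass: it means either a kernel too old to report, or a status string this classifier does not recognise.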

Furthermore, public cloud providers tend to have highly skilled and experienced IT teams, which cannot be said of every business. The skills gap is an acute problem in the cloud world, and businesses are finding it harder than ever to attract talented engineers. This makes the more technical compliance challenges difficult to address in-house, when they could be solved using third-party infrastructure.

Add the fact that businesses will not be alone when defending against attacks, and the skills argument provides compelling support for using third-party providers to help ensure legislative compliance.

Taken together, these factors mean that in many cases public cloud can be a better option than a private cloud for systems with high security and compliance requirements. It is certainly a less complicated option for many businesses and can give them peace of mind amid a shifting regulatory landscape.

As end users become far more sensitive about the security of their personal data and initiatives like Open Banking come into effect, the challenges will only grow. That is why organisations today, rather than shying away from public infrastructure, should embrace it as part of a hybrid cloud strategy on their journey to compliance.