In cloud environments, laws and regulations can increase the scrutiny around information security and data compliance issues, including where data is stored and processed by a cloud computing service.
When you are provisioning a virtual private cloud in Amazon Web Services, a simple click can move your virtual private cloud from the United States to the European Union, Asia Pacific or South America. But what happens to cloud data compliance in a software as a service (SaaS) implementation, where you don’t make the infrastructure location choices?
In this video, Mike Chapple, University of Notre Dame’s senior IT director for service delivery, addresses four areas to consider in maintaining cloud data compliance when you migrate workloads and assets to the cloud:
- The shared responsibility model
- Data locality issues
- The impact on IT security operations
- Documentation, from service-level agreements to audits
Data security and compliance responsibilities will vary based upon the cloud computing service model in use, according to Chapple, who is heading up a Cloud First initiative to migrate 80% of Notre Dame’s IT services over the next three years. Most cloud services fall into one of three categories, ranging from "finished" software to customizable platforms and lower-level infrastructure. "Generally speaking," he said, "customer responsibility for security increases as you purchase lower-level services."
In an infrastructure as a service model, where the customer installs and configures the operating system, it is clearly the enterprise's responsibility to maintain the security of that configuration. In a SaaS approach, enterprise responsibility is typically limited to those configuration settings that the provider permits the customer to alter and the security of data fed into the service.