What are the experts saying about public cloud services and its effectiveness to help businesses with compliance regulation?

The Global Data Protection Regulation (GDPR) comes into effect on 25th May 2018 meaning any businesses who operate with the European Union will have to spend more and more time on compliance and data security.  The new regulation tasks companies with the need to account for all personally identifiable customer data to be accounted for.

For many businesses, this will cause a huge headache as they strive to update their internal processes and educate employees on the need to ensure compliance and that the deadline is met.  This will be easier said than done for many.

UK companies and the UK telco industry is also facing new legislation with the revamp of the ‘Data Protection Bill’ to be introduced post Brexit. There is more to challenge businesses, such as financial services companies, who have a revamped version of the Markets in Financial Instruments Directive (MiFID) to keep them busy.  The consequences of falling behind with all this legislation can be damaging to businesses as falling foul of industry regulations has the potential to result in massive financial penalties, not to mention damage to reputation and a loss of customers.  Organisations will need to be on their toes, they simply cannot afford to be complacent.

Public Cloud services can be extremely secure and can often be more secure than in-house systems.

Despite the many benefits such services offer, businesses are shying away from the cloud prompted by the fear of complexity in managing compliance in new infrastructure as well as the effort, already involved, in ensuring existing systems are ready to go.

There seems to be a misconception that cloud platforms, with data held by third parties on shared systems, will make it more difficult than in-house systems and possibly less secure, prompting concerns from organisations and the business community.

However, experts say the truth is very different and that cloud services can often be more secure than in-house systems.

It seems many organisations feel more secure having the ability to manage their own infrastructure and designing the architecture to suit their businesses’ own specific preferences and needs as well as reducing the risk of data loss if a public cloud provider goes out of business. They find it easier to manage and, in theory, know exactly where their data is being stored and who has access to it, both of which provide comfort for organisations.

One argument is that such a setup would be particularly appealing to businesses operating in highly regulated industries, such as healthcare and financial services, which need to have greater visibility and control over how their data is managed.

This does mean, however that those organisations operating under their own private cloud spaces take on the responsibility of security and compliance meaning they could end up at the mercy of the whims of nature and the resilience of their local power grid, potentially leaving them helpless if something goes wrong.

There is also the risk of leaving themselves open to internal data theft. Some employees, for instance, may have easy access to confidential data, sometimes with very little to stop them from stealing corporate information simply by pulling a disk from a server and leaving the building with it.  There is also the risk that a employee can connect USB drives which have been used in home systems and may contain malware or viruses.

Firewalls are seen as an effective method of stopping intruders but there are ways that may well exist, in the form of legacy and unsecured modem connections, as well as poor access control processes that leave user credentials in place long after the relevant employee has left the company, to get around this.

Many companies place huge faith in their firewalls but just because infrastructure is in your data centre doesn’t mean it is inherently more secure, resilient or suitable to meet the needs of regulatory compliance than public cloud.

Public cloud providers are more likely to carry out software patching on a regular basis which is essential to manage compliance. Those companies running their own private clouds will generally be slower to patch security gaps.  This could leave them exposed to potential data breaches and holes in their compliance. The recent Spectre and Meltdown vulnerabilities are a great example of this, with Google, Microsoft and Amazon all patching their system quickly after the problems became public.

Meanwhile many businesses will still be trying to determine what systems they need to patch and how they go about doing it.

Furthermore, public cloud providers tend to have highly skilled and experienced IT teams, which isn’t something that can be said for all businesses. The skills gap issue is an extremely prevalent one in the cloud world and businesses are finding it harder than ever to attract talented developers. This is causing problems when it comes to addressing the more technical compliance challenges, which could be solved using third-party infrastructure.

Add in the fact that businesses will not be alone when defending against attacks and the skills argument provides compelling support for the merits of using third-party providers to ensure legislative compliance.

For those embarking on a compliance journey within the cloud – it is a journey of opportunity, make no mistake about it. Finding a platform already meeting compliance needs that gives you control and visibility over data, will bring positive change for your business.

GDPR is here to stay, with updated legislation a foregone conclusion as technology evolves and data proliferates. Cloud offers the flexibility to evolve alongside those demands, allowing businesses to seize the compliance opportunity in order to innovate and succeed with confidence.