Enterprise Compliance in the Cloud
There are various industry standards that help enterprises manage compliance. These include, most notably, SAS 70, PCI, HIPAA and ISO 27002. Virtual Ark works with top cloud providers to ensure the necessary standards are available. Each of these standards comes with controls that govern the operation of a cloud provider’s data center as well as the applications. SAS 70 encompasses a variety of controls in different categories (physical security, application security, security policies and processes, etc.). SAS 70 Type I involves an independent auditor evaluating a set of controls and issuing an opinion, while Type II is based on at least six months of active data. The savvy cloud customer will want to know not just whether a cloud is SAS 70 Type II compliant, but which controls the provider selected in order to get there. PCI is a second major security standard in cloud computing and involves controls for credit card payment processing. HIPAA is a subset of PCI, which means that if a cloud is PCI compliant, it is also HIPAA compliant.
Compliance for cloud-based applications is assembled from building blocks, and the cloud provider’s physical infrastructure is the foundation. Infrastructure controls include things like protecting against natural disasters, assuring reliable electrical power (with backup generators) in the event of outages, and backing up data in the event of a hardware failure. Cloud providers also control the processes and policies that govern access to the data center and internal security reviews. Application-level controls ensure that data is encrypted once it leaves the data center, with encryption keys under enterprise control. In addition to the various compliance standards, Virtual Ark does even more to maximize security. Some data and applications have regulatory requirements where compliance standards and audits are required. Enterprises want to know that their data and applications are protected. Virtual Ark collaborates with its cloud platform partners to ensure the appropriate division of responsibility. While the cloud provider needs to address infrastructure operation and protection, Virtual Ark is responsible for ensuring compliance for the application, and ultimately the overall solution.
