Addressing compliance considerations
Regulations and compliance are driven by government and other external factors. To comply with laws, policies, and regulations, organizations must adopt and implement compliance controls.
With HIPAA in healthcare, PCI DSS and GLBA in financial services, FISMA for US federal agencies, and HACCP for the food and beverage industry, you may need to factor compliance needs into your design and architecture.
The terms of your service-level agreement (SLA) should also be consistent with compliance rules, such as the following:
- Backup and data recovery
- Security responsibility
- Data retention limitations
- System availability and reliability
Public cloud vendors are responsible for the physical security of the infrastructure, but many organizations still need to configure their own firewalls, apply their own patches, and manage access privileges themselves.
With hybrid cloud solutions, organizations can get the best of both worlds: the public cloud holds non-regulated data while regulated information lives in the private cloud. The control that the hybrid cloud provides mitigates the risks associated with data residency regulations.
Take an example from the healthcare industry, in which you need to comply with HIPAA and other standards. Your goal should be to proactively prevent, detect, and mitigate security threats.
You should consider the following implementations for streamlined compliance:
- Centralized web console: A console to administer, patch, provision, and manage your operating environment.
- Monitor and prevent configuration drift: On-demand and periodic checks that compare the system against its baseline and flag any drift from it. You need up-to-date protection against new threats and vulnerabilities.
- Automated security: Implement a system that enforces HIPAA policies, conducts vulnerability scans, and generates reports.
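The drift check described above, as an added example that is not part of the original text: a recorded baseline is compared against the current state of a host and every deviation (changed, missing, or unexpected setting) is reported. The setting names and both configurations are constructed sample data, not output from any real system.

```python
"""Added example (not from the original text): a configuration baseline drift check.

Compares a recorded baseline with the current state of a system and reports every
deviation so drift can be checked on demand or on a schedule. Baseline, current
state and setting names are constructed sample data, not output of a real system.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Drift:
    setting: str
    expected: object  # baseline value (None if the setting is not in the baseline)
    actual: object    # value found on the system (None if the setting is absent)
    kind: str         # "changed", "missing" or "unexpected"

def detect_drift(baseline: dict, current: dict) -> list[Drift]:
    """Return one Drift per differing setting, ordered by setting name."""
    findings = []
    for key in sorted(baseline.keys() | current.keys()):
        if key not in current:
            findings.append(Drift(key, baseline[key], None, "missing"))
        elif key not in baseline:
            findings.append(Drift(key, None, current[key], "unexpected"))
        elif baseline[key] != current[key]:
            findings.append(Drift(key, baseline[key], current[key], "changed"))
    return findings

# Constructed sample: approved baseline for a host that handles protected health data.
BASELINE = {
    "disk_encryption": "enabled",
    "audit_logging": "enabled",
    "tls_min_version": "1.2",
    "ssh_password_auth": "disabled",
    "open_ports": (22, 443),
}

# Constructed sample: what a periodic check found on that host.
CURRENT = {
    "disk_encryption": "enabled",
    "audit_logging": "disabled",    # changed
    "tls_min_version": "1.2",
    "open_ports": (22, 443, 8080),  # changed
    "debug_mode": "on",             # not in the baseline
}                                   # ssh_password_auth is missing

def drift_report(baseline: dict = BASELINE, current: dict = CURRENT) -> list[str]:
    """One line per finding; an empty list means the system matches its baseline."""
    return [f"{d.kind}: {d.setting} expected={d.expected!r} actual={d.actual!r}"
            for d in detect_drift(baseline, current)]
```

Running `drift_report()` on the sample data yields four findings; an unchanged system yields an empty list, which is the condition a scheduled check should alert on when it stops holding.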
We looked at how compliance and legal requirements can impose constraints that you need to consider during the design and implementation phases. Your compliance requirements are mostly non-negotiable, so it is important to have a strategy and tooling that make it easier for application teams to implement compliance controls and for audit teams to review them. We will now look at the importance of automating security in your organization.