When considering a cloud deployment, remaining compliant is paramount. Here are some best practices for the cloud in three industries known for stringent compliance.
As enterprise organizations continue to race to the cloud, there's one stumbling block that could trip up many of these companies—compliance. This is especially true if an organization is a part of a heavily regulated industry such as healthcare, finance, or the public sector.
At the 2015 AWS re:Invent conference in Las Vegas, Nevada, a compliance summit was hosted to discuss compliance in these three industries, which can be instructive for anyone doing a cloud deployment.
By investing in the cloud, a business must be even more engaged in its compliance strategy due to the number of new issues that arise. If an organization fails to remain compliant through the transition to the cloud, it risks losing trust among users and falling into hot water with the regulating authorities.
The core difference starts with infrastructure where an organization with on-premise solutions may still be using physical hardware. In the cloud, you're merely dealing with code. Delivery processes also differ, with cloud apps focused heavily on automation and on-premise companies using manual delivery processes. Additionally, architecture access controls, systems updates, and monitoring can all differ between on-premise and cloud-based businesses.
Here are some best practices from these three industries for staying on top of compliance as you integrate the cloud.
Healthcare is the first vertical that comes to many people's minds when it comes to compliance because of the well-known regulations around HIPAA and EMR.
Peter Spellman is the CTO and founder of TraceLink, a company that does tracking and tracing for counterfeited drugs. They deal with pharmaceutical serialized products, and thus have billions of data points to manage.
Like most medical organizations, Spellman's company has to manage communication among customers and each other, as well as between customers and government entities. Because of this, he said, they are heavily focused on making sure workload regulation starts at the network level, as with certain AWS products, and encourage other organizations to do the same.
At pharmaceutical giant Merck, they have a single regulated research and development application running on AWS and a qualified AWS infrastructure relative to their systems development life cycle (SDLC) policies.
Merck's Dan Dziadiw said they've been able to accomplish this by integrating the cloud into the following four areas:
- SDLC and cloud guidance
- Security controls and design
- Info risk, privacy, and data management
- Supplier management considerations
To close the session on healthcare, Bruce Kratz of Sparta Systems shared his company's story of their journey to the cloud with AWS. Kratz said his company chose AWS for a variety of reasons, but their focus on life sciences and their proven compliant validated workloads stood out. If you can, seek out a cloud provider that understands the unique challenges your healthcare company faces in regards to compliance.
Financial services is another vertical that is well-known for strong compliance needs. At the second session in the Compliance Summit, four company leaders took the stage to talk about compliance in finance.
Tony Spinelli of Capital One opened the session by explaining how a strong governance model and security by-design has helped Capital One with compliance. Talent, he said, is also a key differentiator, noting that Capital One is hiring about 40 people a month to deal with security and compliance. Companies should focus heavily on talent to make sure the team handling these issues is the best it can be.
On the developer side, there are a few specific things to pay attention to. Daniel Shaefer, DevOps team lead at Dwolla, said that his company has achieved strong authentication, identity access management, and segmentation of resources by using AWS products and gave some best processes on the developer side for compliance.
For Shaefer, it all starts with infrastructure. In addition to taking an iterative approach to infrastructure, Shaefer said users should focus on infrastructure as code, so that all of your changes have a clear audit trail.
Additionally, Shaefer said, make sure you properly understand your compliance requirements and develop a process that accomplishes your organization's compliance goals while allowing for quick and easy future development. Don't get too flashy, just build something that works well.
Those who have spent any time in the public sector know that government is known for moving slowly. So, it makes sense that the increased speed offered by the cloud could be a huge advantage for public sector organizations.
The city of Houston recently built out a wireless system and upgraded its water meters so that they went from reading water meters once a month to 24 times a day. Justin Ewald, who works with Public Works and Engineering for the city of Houston, said that by using AWS, his team was able to ensure PCI compliance as they scaled out their new system. As organizations consider cloud partners, scalability should be a mission critical consideration.
But, you still need to get your team on board. Scotty Ellis, with the Baylor College of Medicine in Houston, closed out the session by recommending a combination of services and personal training to better educate employees. Administrators must take an active role in training and encouraging employees to make sure the cloud deployment is successful and that it remains compliant.
- 5 mandatory IT skills for successful compliance officers
- Key to HIPAA compliance is understanding your data center and cloud risks
- Day by day: Enterprise mobility, BYOD and PCI DSS Compliance
- Yes: Healthcare can balance mobility and BYOD with HIPAA compliance