Cloud service providers and regulatory frameworks

Posted in Articles on Friday, February 15, 2019

by Richard Vester - Group Executive for EOH Cloud Division


Cloud computing offers many advantages such as scalability and cost reduction, but brings with it new challenges such as availability and data privacy risks. To minimise these, a number of governance models exist.

These governance frameworks have been developed to ensure that a company’s cloud usage and implementation are in line with the regulations of the industry it operates in, as well as with the company’s strategic planning, goals and objectives. Effective governance helps companies realise the business benefits of the cloud through effective management of IT investments and through risk reduction.

With public cloud usage growing among organisations in every sector and industry, various regulatory bodies have introduced specific frameworks designed to protect data and help govern the cloud, particularly in sectors where personal or financial information is being moved to the cloud. The most high-profile of these are the financial services sector and government organisations.


Financial frameworks

With financial services being one of the most highly regulated industries in the world, it is no surprise that public cloud use in the industry is subject to stringent regulations and requirements. With increased use of cloud outsourcing services and public cloud platforms, financial services organisations must ensure that their data is secure at all times, and that the cloud provider they use is compliant with all of the appropriate regulations.

This is where the adoption of an enterprise-class cloud provider, offering managed public cloud services that deliver private cloud attributes, is really important. Not only does this ensure that all of the governance requirements are met, it strategically enables a new operating model for IT: one that is based on business outcomes and has close alignment between IT and the business.

This enables financial services organisations to create an operating model that not only delivers the ability to quickly implement new ideas, so that the organisation can tap into new revenue streams and acquire new customers, but that also lowers complexity and, with it, actively improves risk posture.

Financial institutions must carefully select the cloud provider that is right and suitable for their needs. This will depend on the project in question, the institution’s overall strategy and the regulatory requirements that the organisation must meet. The organisation must also consider what data is appropriate and necessary to migrate to the cloud, remembering that it does not necessarily need to take an ‘all or nothing’ approach to cloud services. Likewise, any cloud provider that an institution works with must have a firm understanding of the relevant compliance landscape.


Government frameworks

As the use of public cloud computing grows, so too does the number of laws that govern its use. Of increasing concern to these regulations is the jurisdiction of cloud-based data. Laws regulating this differ from country to country, making it even harder for companies that operate across borders to navigate.

GDPR, for example, which regulates data privacy in Europe, and the South African Protection of Personal Information Act (PoPI) would both apply to companies operating in these regions, and any data stored in the cloud would have to be compliant with both. Organisations must therefore take steps, regardless of the number of territories they operate in, to ensure that whatever storage location they choose adheres to the current privacy laws that apply.

A cloud service provider must be subject to all of a company’s regulatory requirements, as well as its risk management strategy. An effective provider should be able to offer a Data Protection Impact Assessment (DPIA) and a security assessment, and should be fully aware of, and compliant with, the laws and regulations governing the industry of the business.

For example, Amazon Web Services (AWS) is not only fully compliant with regulations in most countries and industries, it also provides a Compliance Center designed to make this process easier. It aggregates any given country’s regulatory position regarding the adoption and operation of cloud services. Key components of an industry, including regulatory approvals, data privacy and data protection, are explained, along with the steps needed throughout the adoption of AWS services to help satisfy regulatory requirements.