Cloud computing: You can't outsource your compliance obligations

By Thomas J. Trappler, Computerworld |  Cloud Computing, compliance

When it comes to moving functions to the cloud, there's no such thing as being too thorough.

Trappler honored

Thomas Trappler was recently named a "Cloud Luminary" by CA Technologies, along with Vivek Kundra, Nicholas Carr, Timothy Chou and others. Computerworld congratulates him for receiving this honor.

Say you've got an application that's been running in-house but is now nearing end of life. You find a cloud service that can achieve the same result. You evaluate the vendor's infrastructure and security mechanisms, processes and procedures and determine that they're sufficient to meet your needs. You're looking forward to outsourcing this to the cloud and relieving yourself of all the associated responsibilities. It's all smooth sailing ahead, right?

Maybe, but unfortunately, there's one more thing: You can't outsource your compliance obligations to a cloud vendor.

If you move a function to the cloud that's governed by legal or regulatory requirements and later your company falls out of compliance due to an error on the cloud vendor's part, the law won't go after the vendor - it will come after you. So you need to ensure, in the contract and by verifying the vendor's practices, that the cloud vendor can fully comply on your behalf.

What kinds of laws might apply in a cloud scenario? Two recent clients of my "Contracting for Cloud Computing Services" seminar offer good examples.

The first is in the healthcare industry and was contemplating using a cloud service that would involve protected health information (PHI). Of course, such information is covered by the Health Insurance Portability and Accountability Act (HIPAA), which mandates standard practices to ensure security, confidentiality and data integrity for healthcare-related data. Under HIPAA, the use of a cloud service is viewed as disclosing information to a third party. Any cloud vendor that handles your organization's HIPAA information should be subject to a business associate agreement (BAA), under which the vendor essentially affirms that it will handle the data in compliance with HIPAA. Signing a BAA does not, however, transfer your own obligations as the covered entity to the vendor.


Originally published on Computerworld.