As you store more and more mission-critical data in Salesforce and other cloud-based applications, compliance becomes an ever-looming presence. GDPR, PCI DSS, HIPAA, SOX, FFIEC, the California privacy protection act – the list can sometimes feel overwhelming, depending on the industry in which you operate. Unfortunately, there may be a number of cloud compliance misconceptions that could make it difficult to achieve the right posture.
Here, we’ve gathered four myths about cloud compliance; understanding why each one is wrong will help you maintain adherence to specific regulations and security frameworks.
Myth #1: The cloud application provider is responsible for the security of my data.
While this is a list of compliance misconceptions, we’ll start with a common cloud data security misconception. After all, the goal of many regulatory standards and security frameworks is to ensure that customer data is handled properly and that access to it is controlled. If it’s your data, the onus is on you. While the provider may offer you a platform and basic security (e.g., encrypted sign-on), you can’t rely on the provider alone to ensure your data is handled securely. Instead, focus on creating and maintaining internal policies and procedures and on implementing end-user training.
Myth #2: My cloud application provider is compliant with PCI DSS (or any other regulations or standards), so we are compliant, as well.
A provider like Salesforce.com may itself be compliant with regulations like PCI DSS, GDPR, and HIPAA. However, this does not mean that simply using the application makes you compliant with the regulations relevant to your organization. Not only that, but if you’re found to be noncompliant or to lack the proper standards, you may be penalized – either instead of or in addition to the cloud provider holding your data. It’s up to you to monitor user access appropriately, manage security controls, and meet any other standard or control that dictates how you collect, store, handle, and transfer data.
Myth #3: They must follow our compliance requirements if they serve our industry.
This is a myth that’s especially prevalent when dealing with any smaller, lesser-known cloud application provider. If you’re required to adhere to HIPAA, SOX, PCI DSS, or any other regulation, make sure the provider adheres to those same regulations. Another scenario may be that, while the provider is capable of handling the data, you may be using the application in a way it was never designed to be used. Make sure you’re aware of encryption levels and any other aspect of the cloud application configuration that might preclude you from storing specific types of data in the application.
Myth #4: The cloud provider will back up and retain my data.
Many compliance bodies require some form of business continuity or disaster recovery, including a policy for restoring regulated data. And while a cloud provider may back up your data, it may not retain that data for the amount of time required by your policy or by law. Make sure you have the proper backup and retention configurations in place should something occur.
At the end of the day, compliance is the shared responsibility of the customer and the cloud application provider, and you cannot leave much to another entity. It’s important to take control of your own data governance and monitor for specific types of access and activity to demonstrate compliance. Use this list of cloud compliance misconceptions as a guide for bolstering your overall compliance, and ensure that nothing falls through the (often costly) cracks.