By Jim Whalen, Senior Analyst and Consultant, The Taneja Group
Regulated verticals in the U.S. must comply with complex regulations from a variety of government or industry overseers. Healthcare providers are responsible for HIPAA (Health Insurance Portability and Accountability Act), while banks, investment businesses, and insurance firms must toe the line with GLBA (Gramm-Leach-Bliley). Public companies and their accountants prepare financial statements in compliance with SOX (Sarbanes-Oxley), and the credit card industry complies with PCI DSS (Payment Card Industry Data Security Standard). Regulations cover paper and digital data, on-premises and off.
One of the fastest growing areas of compliance is digital data in the cloud. Who is responsible for protecting this data? The business? Their cloud backup vendor? Their cloud owner? The answer is all three, but ultimate responsibility lies with the business.
Organizations that are subject to regulations can assume nothing when it comes to cloud storage and backup/cloud providers. The provider may or may not be compliant, and a simple marketing message doesn’t make it so.
Making matters even more interesting, a provider may be perfectly compliant in terms of the business services they provide, but this is not the same level of compliance that their customer businesses are subject to. For example, HIPAA requires that organizations providing business services to regulated customers must qualify as a “business associate.” The provider is not subject to the same level of compliance and reporting that healthcare businesses (“covered entities”) are.
And this is a critical point for regulated businesses to remember: you are still responsible. It is not your providers’ automatic responsibility to make sure that your cloud storage is compliant. It is yours, and it is your responsibility to work only with providers who can deliver the compliant services that you need.
Backup Vendor/Cloud Vendor
Compliance rules for cloud-based data differ depending on whether the data is backup/archived data or active data, as in SaaS. This article is concerned with the former: how to work with providers to prove compliance for stored backups and archives in the cloud. Returning to HIPAA as an example, its HITECH section defines technology, physical security, and secure administration rules for data storage.
Specific requirements include off-site backup security, compliant RTO and RPO, secure data centers, encryption, user access control, breach communication plans, and verifiable DR. Any cloud vendor claiming HIPAA compliance should be willing to sign a Business Associate Agreement (BAA) that officially certifies that they are compliant.
These are complex requirements. Ideally your cloud backup provider will be able to guide you through the process. Instead of merely looking for “compliant storage,” look for the following offerings from your backup/cloud provider:
· Recovery assurance. DR plans should offer automated testing and compliance reports to fulfill regulation-specific DR requirements. Look for vendors that can test not only for data recovery but for machine-level restores as well. A Disaster Recovery as a Service (DRaaS) offering may be able to offer failover in the cloud while restoring VM applications and data.
· Verify data retention. Sign data retention agreements created around compliance regulations and your business needs. Even if a given regulation does not spell out data retention periods, your cloud storage environment should be compliant with the meaning behind the regulations. For example, although SOX does not require specific retention periods it does expect that a company can immediately produce any data that impacts financial statements: not only accounting records but also documents like email and sales reports.
· Current with compliance. As a regulated company, it is your ultimate responsibility to stay current on changing regulations. Your backup provider/MSP should do the same. Many MSPs market compliant services but may not keep up with regulatory changes. Look for active involvement with regulatory bodies such as HIPAA, PCI DSS, SOX, GLBA, and any other set of regulations that affects your industry.
· Secure data center. Verify the cloud data center’s physical security. Ask for reports on yearly audits and compliant storage practices, and ask about security ratings like SSAE-16. Also ask about segmentation policies in multi-tenant environments, including intrusion security and noisy-neighbor management.
· Service level agreements. Assume nothing with your cloud provider; work out all service level agreements around RPO and RTO. Work to meet both your business needs and any regulatory requirements for data and application recovery.
· Digital security. Encryption and user access control are critical digital security measures. At-rest encryption is a common cloud provider offering; find out whether your backup vendor also offers in-transit encryption. With access control, work closely with your provider to protect your data from intrusion, not only from the outside but also from your staff and theirs. Verify that you can get regular access audits for compliance reporting purposes.
Data Protection Vendors Address HIPAA Cloud Compliance
Data protection vendors typically provide cloud storage options to their customers as a service to complement their existing hardware/software products. These specialized data protection clouds often offer a hands-off Disaster Recovery as a Service (DRaaS) option in addition to basic data archiving. It’s important to ensure that every facet of a vendor’s cloud offering that you use maintains the proper regulatory compliance level. A cloud may be HIPAA compliant for data storage, for instance, but not for DR.
Arcserve offers the Arcserve Cloud as an add-on service to its Unified Data Protection (UDP) appliance. Their cloud infrastructure consists of four SSAE-16 certified data centers that have been audited to ensure that they are HIPAA and PCI-DSS compliant. Data transfers to their data centers from customer sites occur over secure SSL connections and use AES-256 encryption for data at the source, in flight, and in the cloud. Users can manage their encryption keys from the console of their UDP appliance.
Arcserve has a DRaaS offering that will spin up a customer’s VMs in the cloud and give them access to both VMs and data via a secure VPN. Additionally, they can perform automated DR testing with RTO, RPO and SLA verification.
Datto is another data protection appliance provider that has a cloud offering, the Datto Cloud. They run two secure data centers that are both SSAE-16/SOC-II certified. Their cloud offering is HIPAA compliant (they will sign BAAs to certify that fact) and has also just received PCI compliance certification. Datto uses AES-256 encryption, and customers can optionally add another layer of encryption on top of the Datto data stream. To ensure that the DR process also maintains HIPAA compliance, Datto can spin up clients’ applications in a segregated area to isolate them from anyone else running in the cloud and also provide exclusive access to them via a secure connection.
They also have a feature called Screenshot Backup Verification, where they simulate a recovery operation, spinning up VMs from backups and verifying that they can be booted in a DR situation. They then take a screenshot of the completed boot process and email it, along with the results of the testing, to the user.
Unitrends is a long-time data protection vendor that has gotten into cloud storage and DRaaS in a big way, offering two flavors of its own branded cloud storage: the No Limits Cloud, which dynamically scales to the size of the Unitrends appliance at your site, and the Forever Cloud, which uses a defined retention policy that retains archival backups indefinitely. With either cloud option, backups are automatically copied from your on-site Unitrends appliance to their cloud. DRaaS may be added to either the No Limits Cloud or the Forever Cloud.
Unitrends operates SSAE-16 certified data centers around the world and secures data by using configurable AES-256 encryption on data both at rest and in flight. They maintain compliance with HIPAA (and will sign BAAs), PCI-DSS, SOX, GLBA and FINRA.
When VMs are spun up in the Unitrends cloud for DR, Unitrends protects customer access through a secure VPN. The network and storage for that customer are completely segregated from the rest of the cloud tenants. Additionally, to guarantee that restored backups and DR workloads are going to run properly, a customer can add Unitrends’ ReliableDR offering to the mix to fully automate the testing and validation of workloads at the application level. ReliableDR recovers and tests backups in a sandbox area to verify that everything, even multi-VM applications, will work properly. It also produces a report that compares RTO/RPO/SLA goals to actuals to show that they’re being met.
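The goals-versus-actuals comparison these vendor reports perform, together with the RPO/RTO service levels and retention periods the checklist above tells you to pin down, is worth being able to reproduce from your own records rather than taking a provider’s dashboard on faith. The following Python is an added example written for this article; it is not ReliableDR or any other vendor’s code. The backup and recovery-test records are constructed sample data, and the workload names, goal values, and record fields are assumptions. It treats a recovery test as successful only when the restored workload boots and passes application-level checks, and it reports the actual data-loss window from the last successful backup, not the last attempted one.

```python
"""Recovery-assurance check: compare RPO/RTO/retention goals to observed actuals.

Added example for this article (not a vendor's code). All records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Backup:
    workload: str
    completed_at: datetime
    success: bool


@dataclass
class RecoveryTest:
    workload: str
    started_at: datetime
    booted_at: Optional[datetime]  # None: the restored VM never came up
    app_checks_passed: bool        # application-level validation, not just a boot


@dataclass
class Goals:
    rpo: timedelta        # maximum tolerable data loss
    rto: timedelta        # maximum tolerable time to recover
    retention: timedelta  # how far back recoverable copies must reach


def _successful(backups: List[Backup], workload: str, as_of: datetime) -> List[datetime]:
    return [b.completed_at for b in backups
            if b.workload == workload and b.success and b.completed_at <= as_of]


def actual_rpo(backups: List[Backup], workload: str, as_of: datetime) -> Optional[timedelta]:
    """Data-loss window: time from the last *successful* backup to as_of."""
    good = _successful(backups, workload, as_of)
    return as_of - max(good) if good else None


def actual_rto(test: Optional[RecoveryTest]) -> Optional[timedelta]:
    """Time from recovery start to a booted, application-verified workload."""
    if test is None or test.booted_at is None or not test.app_checks_passed:
        return None
    return test.booted_at - test.started_at


def retention_reach(backups: List[Backup], workload: str, as_of: datetime) -> Optional[timedelta]:
    """How far back the oldest still-present successful backup reaches (a simplification:
    it does not check for gaps between that copy and the newest one)."""
    good = _successful(backups, workload, as_of)
    return as_of - min(good) if good else None


def compliance_report(backups: List[Backup], tests: List[RecoveryTest],
                      goals: Goals, as_of: datetime) -> Dict[str, Dict[str, object]]:
    """Per-workload goals-versus-actuals table; a missing measurement never counts as met."""
    report: Dict[str, Dict[str, object]] = {}
    workloads = sorted({b.workload for b in backups} | {t.workload for t in tests})
    for w in workloads:
        rpo = actual_rpo(backups, w, as_of)
        my_tests = [t for t in tests if t.workload == w]
        latest = max(my_tests, key=lambda t: t.started_at) if my_tests else None
        rto = actual_rto(latest)
        reach = retention_reach(backups, w, as_of)
        report[w] = {
            "rpo_actual": rpo, "rpo_met": rpo is not None and rpo <= goals.rpo,
            "rto_actual": rto, "rto_met": rto is not None and rto <= goals.rto,
            "retention_reach": reach,
            "retention_met": reach is not None and reach >= goals.retention,
        }
    return report


# Constructed sample data (hypothetical workloads and goals).
AS_OF = datetime(2016, 3, 10, 9, 0)
GOALS = Goals(rpo=timedelta(hours=4), rto=timedelta(hours=2), retention=timedelta(days=90))
SAMPLE_BACKUPS = [
    Backup("erp-db", datetime(2016, 3, 10, 6, 0), True),
    Backup("erp-db", datetime(2015, 12, 1, 2, 0), True),
    Backup("mail", datetime(2016, 3, 10, 7, 30), False),   # failed job: does not reset the RPO clock
    Backup("mail", datetime(2016, 3, 9, 22, 0), True),
    Backup("mail", datetime(2016, 1, 15, 3, 0), True),
]
SAMPLE_TESTS = [
    RecoveryTest("erp-db", datetime(2016, 3, 9, 12, 0), datetime(2016, 3, 9, 12, 45), True),
    RecoveryTest("mail", datetime(2016, 3, 9, 13, 0), datetime(2016, 3, 9, 13, 20), False),  # booted, app checks failed
]


def run_report() -> Dict[str, Dict[str, object]]:
    return compliance_report(SAMPLE_BACKUPS, SAMPLE_TESTS, GOALS, AS_OF)


if __name__ == "__main__":
    for workload, row in run_report().items():
        print(workload, row)
```

The two "not met" results in the sample are the cases a one-line dashboard tends to hide: a failed backup job that still shows the workload as "backed up today", and a DR test whose VM booted but whose application never came up. Pointing the same functions at exported job and test logs from your provider is how you turn a marketing claim into a number you can put in a compliance report.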
Penalties for non-compliance with federal health and financial data protection regulations can be quite severe, while the laws themselves are complex, making compliance a challenge. Though there are clear advantages to securing data in the cloud, such as a pay-as-you-go business model, moving to the cloud adds another tier of complexity that you must take into account. Since you are ultimately responsible for ensuring that your clients’ data is adequately protected, you have to be quite clear about what your cloud provider brings to the table. Selecting a compliant cloud vendor with experience in helping entities conform to the appropriate regulatory regime is a good start in your journey to compliance.