Software and data security compliance responsibility in the cloud

Software and data security and regulatory compliance in the cloud should not be taken for granted because security in the cloud is often intangible and less visible, which may create anxiety about what data and software applications are actually secured and controlled.
By Goran Novkovic June 19, 2018

Despite what cloud service providers (CSPs) promise, software and data security and regulatory compliance in the cloud should not be taken for granted. Security in the cloud is often intangible and less visible, which may create anxiety about what data and software applications are actually secured and controlled.

This does not mean clouds in general are insecure, but that efforts required by manufacturing organizations to ensure that their security and regulatory compliance requirements are met will be comparatively greater than more mature, standardized computing models and approaches. Accordingly, the security challenges related to cloud computing should have a full attention from a number of different aspects.

In the current cloud computing landscape, there are a number of security and regulatory compliance challenges in adopting cloud computing models. Many of these challenges will be already known to manufacturing organizations with traditional outsourcing arrangements, but still likely to cause some fear with the adoption of the cloud computing.

Regulatory compliance, depending on the type of business processes that manufacturing organizations plan to run in the cloud, can be very important. Cloud service customers (CSCs) may be under statutory, regulatory or contractual obligations to ensure that data is held, processed and managed in a certain way. Every manufacturing organization wants to ensure that they are compliant with any type of specific laws and regulations.

CSPs always promise that cloud computing is secure and many security functions are available in the cloud so that manufacturing organizations can easily satisfy all their security and regulatory compliance goals. However, the idea that risk is outsourced to the CSP is wrong. Once again, where data and software applications are concerned, the responsibility for data security and regulatory compliance firmly resides with the manufacturing organization. These things must be clarified through policies and contracts between CSP and CSC that sets out security obligations and define the responsibilities of all parties involved in the cloud.

A service legal agreement (SLA) represents an agreement between the manufacturing organization as a CSC and CSP, as well as between the manufacturing organization and ISP. Courtesy: MESA International/Goran NovkovicContract examples

A good example is a service legal agreement (SLA), which represents a legally binding agreement between the manufacturing organization as CSC and CSP as well as between the manufacturing organization and internet service provider (ISP). So, we are looking into two different SLAs and they are both critically important for the manufacturing organization.

It may be an extraordinary CSP, but if their ISP does not provide reliable internet connection to the cloud, they might as well be out of business. They may also have a good internet service provided by ISP, but if there is something wrong with the resources in the cloud provided by the CSP, they could be out of business.

So, both CSP and ISP are equally important. All terms and conditions should be negotiated and defined in separate SLAs with CSP and ISP. In terms of cloud computing, the real catch here is that all major CSPs basically offer only one SLA that CSCs have to fit in. This is not bad news for manufacturing organizations that are responsible for software and data security and satisfying regulatory compliance requirements in the cloud since CSP provides directions related to a specific industry sector that your manufacturing organization is in.

Goran NovkovicMESA International. This article originally appeared on MESA International’s blog. MESA International is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.

ONLINE extra

See additional articles from the author linked below.