It is hard enough to secure data and comply with legal requirements in your own infrastructure. It is harder still when the data lives in a third party's cloud, as it does with Software as a Service (SaaS). SaaS adoption continues to grow and, for many companies, already rivals or exceeds on-premises infrastructure. In the SaaS model a third party hosts the application and the company's data and manages the underlying infrastructure. Users typically reach the service over the Internet through a web browser or a vendor-supplied client, while the provider's data centers hold the data.
Compliance and SaaS
Some of the compliance laws and standards a company may need to meet, depending on the services or products it provides, are:
- Sarbanes-Oxley (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- The Payment Card Industry Data Security Standard (PCI DSS)
Of these, SOX and HIPAA are U.S. federal laws, while PCI DSS is a contractual industry standard enforced by the card brands. Other federal and state laws apply to companies that fall within their scope and must be met as well.
Key SaaS compliance questions
Some of the compliance questions a company should put to its SaaS provider, and that the provider must be able to answer, are:
- What laws apply to the data center?
- What conditions apply to each law?
- Who has access or who might have access to the data in the cloud?
- How is the data being stored on the SaaS provider’s infrastructure?
- What steps is the SaaS provider taking to prevent data breaches and exposure of the data?
- How can the data be accessed?
- What authentication controls, such as logins, passwords and multi-factor authentication, are in place? Who creates the credentials, and who has access to them? Are the credentials of workers who leave the company revoked promptly, and who verifies that this happened?
- Some compliance regimes require extensive audit trails. Can those trails be read by everyone who needs them: your company, the SaaS provider and any external auditor? Access to the audit trails, and the format and retention period in which they are delivered, may need to be negotiated in the contract.
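The two questions above, revocation of leavers' credentials and access to the provider's audit trail, are the ones a customer can actually verify rather than take on trust. The following is an added example, not code from the original page or from any SaaS vendor: it cross-checks a constructed HR offboarding list against a constructed CSV audit export and a constructed list of accounts the provider still reports as enabled. The column names (`timestamp`, `user`, `event`, `source_ip`) and the sample data are assumptions for illustration; a real export would need its own field mapping.

```python
import csv
from datetime import date, datetime, timezone
from io import StringIO

# Constructed sample SaaS audit trail in CSV form (added example, not real data).
AUDIT_LOG = """timestamp,user,event,source_ip
2024-03-01T09:12:00Z,alice@example.com,login_success,203.0.113.10
2024-03-02T17:45:00Z,bob@example.com,login_success,198.51.100.7
2024-03-05T08:03:00Z,bob@example.com,login_success,198.51.100.7
2024-03-06T22:10:00Z,carol@example.com,login_failure,192.0.2.44
2024-03-06T22:11:00Z,carol@example.com,login_success,192.0.2.44
"""

# Constructed HR offboarding record: account -> last day of employment (ISO date).
OFFBOARDED = {
    "bob@example.com": "2024-03-03",
    "carol@example.com": "2024-02-28",
}

# Constructed list of accounts the provider's admin export still shows as enabled.
ACTIVE_ACCOUNTS = ["alice@example.com", "bob@example.com", "dave@example.com"]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-05T08:03:00Z.

    The Z suffix is rewritten to +00:00 so this also works on Python < 3.11.
    """
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def post_termination_events(log_text, offboarded):
    """Return (user, timestamp, event) for every audit event recorded for an
    offboarded account on a calendar day after that account's last day.

    Failed logins are reported too: a leaver still trying to authenticate is
    evidence the credential was never revoked, even if the attempt was refused.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        last_day = offboarded.get(row["user"])
        if last_day is None:
            continue  # current employee, nothing to check here
        if parse_ts(row["timestamp"]).date() > date.fromisoformat(last_day):
            findings.append((row["user"], row["timestamp"], row["event"]))
    return sorted(findings, key=lambda f: f[1])


def stale_accounts(active_accounts, offboarded):
    """Accounts the provider still has enabled although HR says the person left."""
    return sorted(account for account in active_accounts if account in offboarded)


if __name__ == "__main__":
    for user, ts, event in post_termination_events(AUDIT_LOG, OFFBOARDED):
        print(f"ALERT {ts} {user} {event} after termination")
    for account in stale_accounts(ACTIVE_ACCOUNTS, OFFBOARDED):
        print(f"STALE {account} is still enabled at the provider")
```

Run against the constructed data, the script flags bob's login two days after his last day and both of carol's attempts, and reports bob's account as still enabled. The second check only works if the provider actually hands over a user export and an audit trail in a parseable form, which is why those deliverables belong in the contract rather than in a verbal assurance.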
SaaS providers should also be asked what security measures they take to prevent breaches and what plans they have in place if one occurs, including how data is restored, how quickly clients and their customers are notified, and who bears the cost of notification.
If the SaaS provider uses servers or other infrastructure located outside the U.S., the provider, and often the customer, will likely have to comply with the data-protection laws of those countries as well, and the contract should state where the data may be stored and processed.
Learn all you need to know about cloud service providers and compliance requirements
Compliance is easier to verify directly when the infrastructure stays under your own control, but the cloud offers many advantages that often outweigh that. Companies should review their compliance and security requirements with their cloud service provider before signing and at each renewal. For help now, contact us and speak with one of our knowledgeable representatives.