BY JAKE GIBSON, Chief Compliance Officer and Chief Security Officer, LightEdge Solutions
Data breaches are happening at a record pace. Last year alone, more than 551 organizations were affected by data breaches, with more than 1.9 billion files leaked, according to research by Citrix ShareFile. And that number may be significantly underreported.
Because data breaches are becoming more prevalent, compliance regulations for data have tightened across all industries, and rightfully so. Making sure your business’s data is compliant is becoming more important every day.
Compliance regulators audit organizations’ data to ensure they meet protection standards, so it is important for businesses to know which compliance standards apply to them and what they need to do to meet these regulations.
One way to help your business stay compliant is entering into an agreement with a data-hosting provider to receive compliance as a service. Compliance is a big issue and covers almost all industries and businesses, so this blog will hopefully give you some basics of compliance as a service and give you the tools to make the right decision.
Why compliance as a service?
Let’s back up a bit and dive deeper into what compliance as a service is.
When a business stores data with a third party, whether that be with a cloud provider, co-location in a data center or somewhere in between, that provider may offer a service to cover some of the requirements mandated by compliance regulators.
It depends on the service provider and what type of service you have, but this could mean data encryption, disaster recovery, physical barriers and many other options.
That doesn’t mean the responsibility of compliance is completely off a business’s shoulders.
A big part of having compliance as a service is risk transference. The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, for example, requires a business to sign a business associate agreement with any service provider storing its data. That agreement shifts some of the risk from the business’s shoulders onto the provider.
If there’s a breach, both the business and provider are at risk, rather than the business alone.
Having compliance as a service is also like having an easy button for your business. It gets you farther down the road of being compliant. The business is responsible for some, and the provider takes care of the rest. It’s important to note that compliance as a service does not automatically make you compliant. There are still things you need to do on your end to ensure 100 percent compliance.
Knowing where that line of responsibility falls is crucial.
Where the line of responsibility falls
As you consider compliance as a service, it will be important to know how much responsibility is on your data-hosting provider and how much is on your business.
The easy answer is it depends. It depends on the number and the level of services you contract from your provider.
For example, if you co-locate your equipment in a provider’s data center, the provider will handle all the security of the physical equipment. Most likely this means physical barriers that keep an intruder from physically reaching your data, like locked entries or sign-in authorization.
Since the servers are owned by the business, it’s on the business to protect them beyond that.
Another example is an email platform. Providers can ensure compliance all the way up through the platform itself, but they can’t ensure that individual end users behave compliantly. It falls on the business to ensure its employees are using email within compliance regulations.
As we’ll talk about in the next section, always ask questions of your provider to know exactly what you need to do on your end to remain compliant.
Don’t be afraid to ask questions
Compliance as a service comes in many variations and, depending on the provider, tiers.
Because of that variety, you as a business owner should come armed with questions for whatever provider you consider. While you should be intimately familiar with the compliance regulations you fall under, asking basic questions can help you become more familiar with the different compliance services providers can offer.
Here are some basic things you should ask or do when you meet with potential providers:
- Ask for a tour of the physical data center and see where your data will be stored. Big providers may not be able to do this because your data may be scattered across many different locations, but regional and local providers should give you an idea of where your data will be stored and how it will be physically protected.
- Specifically ask where your provider’s responsibility ends and where the onus falls on you. This way you’ll know exactly what you and your provider will be in charge of.
- General questions like “What controls do you have in place?” or “What are your password policies?” are important. These are basic safeguards that are essential to remain compliant. Generally, providers like LightEdge will have certification reports that will help answer these basic questions.
Compliance as a service can be a great way to get your business well down the road to being compliant, but make sure you are aware of your provider’s services and what you need to do to ensure your data is protected and compliant.