Compliance Challenges for Universities in the Cloud


Like most other organizations, universities can benefit greatly from taking advantage of cloud computing: the greater flexibility, agility, efficiency and cost savings offered by cloud can be a tremendous boon to universities everywhere.

Greater data variety, greater compliance challenges

However, universities also face a unique set of regulatory challenges that are wholly unlike those faced by other organizations. Since universities simultaneously find themselves trusted with a wide variety of sensitive information, including student health records, financial information, and more, they have far more to worry about from a compliance perspective than other organizations.

While most organizations are only beholden to a single set of industry-specific regulations, the unique nature of universities ensures that they have to worry about healthcare regulations, financial regulations, and export regulations, just to name a few.

Ensuring regulatory compliance with traditional on-campus computing systems can be quite a challenge, but adding a cloud data center to the equation only serves to make things even more complicated, since you’re depending on a third party to protect your sensitive data. While universities may choose to depend on these data centers to keep their data safe from malicious attack, the universities themselves still bear final accountability for the safety of their data. This means that they need to be able to properly vet cloud service providers to make sure they are taking the proper precautions with the sensitive data that is entrusted to them.

Visibility and control: the two keys to cloud compliance

Universities that find themselves subject to compliance audits must be able to tell the auditors who had access to their sensitive data at all times; for this reason, the two most important concepts to think about when it comes to ensuring compliance in the cloud are transparency into data and control over data. If a cloud service provider can provide you transparency into who has accessed your data, when they accessed it, and for what reason, this can go a significant way in helping you demonstrate compliance should you find your university in an audit situation.

In addition, control is important because it allows universities to feel confident about their data even on the occasions when they aren’t able to pay attention to exactly who’s been accessing it. Most cloud computing arrangements today require customers to give up some measure of transparency and control to the cloud service provider. Unfortunately, this is part of the tradeoff involved with gaining the benefits of cloud. However, that does not mean that customers shouldn’t be able to demand a little bit of both from their cloud service providers. Indeed, their regulatory future depends on them doing so.

Cloud computing can provide a variety of benefits for institutions of higher learning, helping them stretch their IT budgets. It can also create better experiences for students and faculty, by allowing them on-demand access to file storage, email, and other university applications no matter where they are on campus. However, this does not mean that universities should enter into a cloud data storage arrangement without doing the proper legwork first.

What to look for in a cloud provider

Any cloud data center that you choose to work with will have tremendous power over your data, and it’s important to think about what compliance implications this might end up causing for you. It’s not enough to hope that your cloud service provider will take the appropriate precautions to keep your sensitive data safe; you have to be able to find a provider who understands exactly how they are going to protect your data.

The first thing to consider when vetting a cloud service provider is location. It’s a common misconception that data on the cloud doesn’t exist in any physical location. In reality, if your cloud service provider is located in more than one country, your data would be crossing the borders between those countries, according to current interpretations of the compliance regulations. This can be an especially big concern for universities that handle sensitive government data, as involvement with a cloud services provider that crosses borders could be enough to throw compliance into question.

In addition, it’s also important that you identify what information you have that would require a third-party cloud service provider to offer special security in order to ensure compliance. If you want to hold your vendors to a high standard for security, your first step is to know what data you have that needs to be protected.

Once you do this, you can approach cloud vendors to see what security controls they provide for sensitive data, and how they provide visibility to help with the audit process. Just like any other vendor vetting process, it’s also a good idea to ask cloud vendors for references of other universities they have worked with before. This will help demonstrate that they understand the special compliance burden universities have.

The final word

Failing to comply with regulations for sensitive data security can have a variety of negative consequences for universities, including fines and serious damage to reputation. If universities are going to continue their mission of educating students and contributing to research in the era of the cloud, they must be ready to take steps to ensure compliance first.

Caronet is a provider of managed cloud and cloud hosting services. Our cloud services are secure by design, giving you the peace of mind that comes from knowing your data is completely safe. Contact us today to learn more.
