Cloud storage is fast, convenient, and often cheap — but is it compliant? If you provide cloud storage to your customers as an MSP, they’re going to want to know the answer. Under HIPAA, PCI-DSS, and the upcoming GDPR, your customers need to know a great deal of information about any cloud storage provider they engage with. If you can’t answer those questions — or if you give the wrong answers — then prepare for problems.
There is a rule of thumb to securing customer data in the cloud. In general, it should be kept encrypted, and sent only over encrypted connections. There should be an auditable record of whoever accesses the data, and there should be reasonable protections around it — network segmentation, firewalls, SIEM tools, and so on.
These commonsense protections are at the core of every compliance regime, but the specific guidelines will inevitably vary. Here’s a brief guide to securing the cloud storage you provide to your customers under a variety of different compliance regimes.
Ensuring Your Cloud Storage Is Compliant — HIPAA
Anyone who provides cloud storage to an entity governed by HIPAA is also governed by HIPAA. That means that if your client is a hospital, insurance company, or other healthcare-related business (“Covered Entities” as defined by the HIPAA Omnibus), you need to start a HIPAA checklist. In addition, if you provide services via a subcontractor, that subcontractor is also bound under HIPAA rules. Briefly, this means that:
You and any of your subcontractors that hold a client’s PHI must execute a Business Associate Agreement (BAA) with the covered entity you’re working with.
You and your subcontractors should take deliberate steps to minimize your ability to view a client’s PHI. The less you touch PHI, the smaller your potential liability.
Check your legal obligations. Under the HIPAA Omnibus, even the smallest data breach needs to be reported, with very few exceptions.
PCI Compliance for MSPs
Under PCI-DSS, an MSP is both a “Merchant” (any entity that accepts credit cards from the five major vendors) and a “Service Provider” (any entity that handles credit card data on behalf of another entity). In other words, service providers fall under both categories if a customer pays them, by credit card, to store other credit card data in the cloud.
When acting as both merchants and service providers, MSPs are essentially taking on double the risk. They’re responsible for protecting their own data, and they share equal responsibility for protecting their clients’ cardholder data. Penalties for lapsing in this responsibility are harsh. Credit card companies might start charging higher transaction fees when processing payments, or your bank might start to fine you up to $100,000 a month depending on the amount of cardholder data you hold.
Fortunately, protecting this data doesn’t need to be an onerous responsibility. PCI-DSS audits only cover those network segments which actually contain cardholder data — not your entire network. It’s a lot easier to defend a smaller network segment than it is your entire network. As long as you follow best practices while defending these segments, you’re probably safe from fines.
GDPR and DFS Cybersecurity Regulation — Potential Compliance Pitfalls
Two cybersecurity regimes — one recent, one upcoming — might give MSPs some pause. While both are region-specific, they also potentially apply to managed services providers, depending on who their clients are and where they’re located.
The General Data Protection Regulation (GDPR) is set to take effect in May of 2018. This regulation has the force of law within the European Union, and covers all companies that do business involving data from EU citizens. If one of your clients is European, then the GDPR applies to your organization.
New York’s Department of Financial Services (DFS) has, as of August 28th, enacted parts of a sweeping cybersecurity regulation designed to enforce best practices in the state’s financial institutions. As with the GDPR, you may not be directly covered by the DFS regulations, but if you do business with a company that is, you will have partial responsibility for data protection.
Unlike HIPAA and PCI-DSS, the GDPR and the DFS cybersecurity regulations were designed well after the MSP business model came about. In other words, this legislation was designed by people who are cognizant of the realities of cloud storage, remote management, and other ways of doing business on the internet.
This means that MSPs that don’t currently have a strong cybersecurity initiative must quickly pursue and acquire the tools to become compliant. On the other hand, companies that do have cybersecurity in place will be able to offer this as an additional selling point for their customers.
With Actifile, Make Security Your Selling Point
As an MSP, you’re in a unique position to help your clients observe and improve their defenses. You understand how they want to protect their files, and if you understand compliance, you can tell them if they’re going in the right direction.
Actifile lets MSPs adopt advanced compliance tools and sell them on to their customers. Offering your clients a tool that can detect and mitigate data leakage helps ensure that they’re more compliant. In other words, you’ll be able to charge them money to adopt a service that will protect you from being fined.
Newer compliance regimes now ensure that MSPs share equal responsibility for data protection with their clients. Actifile gives you the tools to ensure both you and your clients secure their data in the most compliant manner possible.