How to maintain security and compliance when moving financial and health records to a new cloud environment

Regardless of industry, today’s organizations can’t help but be drawn to the cloud’s ability to lower capital expenditures. But compliance in the cloud is a whole different ball game and for financial firms and educational institutions with sensitive data like health records and credit card information, risking compliance and security in the name of a budget isn’t an option.

Yet when push comes to shove, many organizations are fixated on the money-saving opportunity and move their sensitive student and patient data to the cloud – overlooking compliance risks. The minute data leaves their facilities, IT loses any means of “touching” the data, making it incredibly challenging to maintain compliance.

Similar to large and medium-sized enterprises, financial firms and educational institutions house an immense amount of sensitive data. And naturally, these organizations have more rules and regulations to abide by when it comes to securing, storing and accessing such data. IT must be able to explain where the data is located, how it’s protected and who can access it in order to prove compliance.

Before moving educational and financial data to the cloud, educational and financial IT managers must check the following boxes to lay the foundation for a compliant transition:

Select a vendor that meets your specific regulation needs

Look for a vendor or cloud service provider (CSP) designed to meet the level of security and compliance specific to your organization’s industry. Financial institutions have more compliance regulations to uphold than the traditional educational institution. Specifically, financial firms need a vendor that is equipped to support the following requirements:

• PCI DSS (Payment Card Industry Data Security Standard)
• SOX (Sarbanes-Oxley Act)
• GLBA (Gramm-Leach-Bliley Act)
• PHIPA (Personal Health Information Protection Act)

Educational institutions like colleges and universities need a vendor that can similarly maintain compliance for the storing of a less robust level of payment information, with the addition of health record data. Look for a vendor that can meet both:

• PCI DSS and
• HIPAA (Health Insurance Portability and Accountability Act)
• PHIPA (Personal Health Information Protection Act)

Know where your data will live and who can access it

Part of proving compliance is being able to show where data is stored and who within the organization can access it. IT managers need to be able to report this information at any given time, which requires a higher level of control. Look for a solution that monitors who’s touching the data, gives IT managers control over who has access and can produce a history report in the case of a disaster. (Learn more about Leonovus solution)

Make sure data is fully encrypted before, after and during the migration process.

To stay compliant, sensitive data held by financial and educational institutions calls for the highest level of security. Look for a solution that will not only encrypt the data before migrating to the cloud but one that will keep it encrypted unless accessed by an authorized user. There can’t be any risk of ransomware tapping into the data at any point in the process. Storing data across many storage devices will make it harder for cybercriminals to put all the pieces together to gain the full original file. However, the more storage devices, the more monitoring, and management required. This shouldn’t be a deal breaker, you just need to make sure that level of control and accessibility is in place to ensure IT managers can keep all the organization’s data in line.  

Organizations shouldn’t have to choose between compliance and lowering capital expenditures. They can, and should, do both. Leonovus’ software-defined object storage solution (SDOSS) eliminates the fear of risking compliance when moving to the cloud. It gives financial and educational institutions the comfort of knowing exactly where their data is located within their respective hybrid, multi-cloud or on-premise environments. When this quality is paired with Leonovus’ unique erasure coding, over four levels of military encryption and reporting tools, IT departments can easily report on the security and access history of the data to regulating groups like the PCI Security Standards Council.