You are probably using a hybrid cloud. Even for the smallest companies, the litmus test is pretty simple: do you keep some data on a shared drive that's exclusive to your company, and other data on an online cloud storage platform like Dropbox? If so, then congratulations, you're a hybrid cloud user.
The hybrid cloud is essentially default for most organizations. 67% of companies use the hybrid cloud, and most of the remainder are public-cloud only. More complicated hybrid cloud implementations utilize the system in a flexible manner in order to save space and improve agility. While this system has obvious performance advantages, how will companies navigate the compliance implications?
Why Hybrid Cloud Storage Presents a Challenge for Regulatory Compliance
Regulatory compliance demands that certain information, such as PHI and PII, be kept in protected storage. Administrators must keep track of everyone who accesses this data, and when. It must be kept encrypted when not in use. Most importantly, best practice says that this data should stay in the same place at all costs. In other words, sensitive data must be protected in a way that's antithetical to the hybrid cloud.
One of the most popular ways to utilize the hybrid cloud in 2017 is a technique known as cloud bursting. As companies need to perform analytics on larger and larger datasets, they constantly run the risk of exhausting their local resources. Cloud bursting relieves this pressure by offloading files and resources to the cloud on an automatic basis. It's the kind of procedure that one might expect to be hamstrung by strict compliance, but fortunately there are workarounds.
Dual Responsibility for Cloud Providers and Customers
First of all, both the Department of Health and Human Services Office of Civil Rights (responsible for overseeing HIPAA compliance) and the Payment Card Industry Security Standards Council (responsible for PCI-DSS compliance) have both put out new rules as of 2013. These rules are to the effect that if a public cloud provider is harboring PII or PHI, they're just as responsible for protecting it as you are—even if they never see this information or take ownership of it.
This is very good for businesses with hybrid cloud storage implementations. While not all businesses are subject to the requirements of HIPAA or PCI, these rules give customers some leeway against disaster. As long as you're responsible about the data you put in the cloud, you don't have to spend as much time vetting your cloud service providers to ensure that they run a maximum-security operation. Of course, being responsible about what you put in the cloud still entails a great deal of work—unless you work with Safe-T.
Safe-T Lets You Be Responsible About What You Put in the Cloud
With Safe-T, you can tag your most sensitive files in order to ensure that they never get uploaded to the cloud under any circumstances. Our secure data exchange technology intercepts every medium of exchange between your private cloud and the public cloud outside. It lets innocuous files through easily, but can detect and block file exchanges that involve sensitive information. This prevents sensitive files from leaking, both through automatic cloud bursting processes, or from employee negligence. For more information, check out this guide to secure data exchange through cloud platforms.