Navigating Cloud Compliance: Fairing Well in a Sea of Change

August 5th, 2014 / company news, security and compliance


It’s been a little over six months since I started my voyage as OneLogin’s Director of Risk & Compliance and the experience to date has been even more rewarding than I expected, in no small part because I’ve been able to continue to guide clients through the maze that is regulatory compliance. In my previous positions at PwC and Grant Thornton, I worked directly with clients on various aspects of compliance, and I loved the challenge of managing complex processes and tailoring the approach per client.

The very nature of the OneLogin service, indeed of any cloud service provider involved with the management and protection of client data, means that we need to be directly engaged with clients’ risk management and information security strategies, all of which bundles up under compliance.

OneLogin’s Collaborative Compliance Roadmap, Flexible Data Residency Options, and SOX and HIPAA Support

There are several ways in which OneLogin supports customer compliance requirements as part of our service delivery:

We stay on top of compliance requirements in our space, and by extension, our customers’ space. I’ll often find myself walking prospects or customers through our compliance roadmap strategy, which in turn often involves overlaying our roadmap onto those companies’ own compliance roadmaps; this can lead to some interesting discussions around different strategies for addressing compliance challenges.

We design future-proofing into our solutions as much as we realistically can. Safe Harbor may or may not go away, but the ripple effects from the Snowden affair will affect global attitudes to data protection for years to come. An EU data residency option is built into our solution today to help our EU-based customers meet their compliance requirements, and we’re looking into expanding that option into other geographies too.

OneLogin is an integral part of our customers’ authentication and access management controls, which can impact how those companies handle compliance with standards such as SOX and HIPAA, so we need to be engaged with that process on an ongoing basis.

OneLogin Compliance Commitments: Trust Services Principles, ISO 27001, G-Cloud, CSA STAR, FedRAMP, and Beyond…

As an integral part of our customers’ authentication and access management strategy, we need to be able to commit to the security, availability, confidentiality, and privacy of their data, and to honor those commitments. That’s why an aggressive compliance roadmap was at the top of my to-do list when I first came on board.

Earlier this year, I wrote about changes coming before the end of the year to two key frameworks for cloud service providers, Trust Services Principles and ISO 27001. With that in mind, we aligned our internal capabilities to be able to effectively support those of our customers who are required to be SOX compliant (more on that in my next post), and are currently in the process of an ISO 27001 audit, which will lead to certification under the updated standard in the coming months.

These efforts serve as the foundation for our current work on G-Cloud, CSA STAR, and FedRAMP compliance; the end result will be a robust control environment that helps us meet the security, availability, confidentiality, and privacy commitments we make to our customers in support of their compliance and risk management objectives.

Some Things Never Change – Compliance Requirements Are Always Subject to Change

Our compliance roadmap can never be set in stone. We have to keep monitoring changes in regulations, especially EU privacy changes, so we can react in a timely manner and navigate any new requirements our customers will have to meet. For example, even for initiatives that we have been planning for months, modifications currently underway for the G-Cloud accreditation program and revised control requirements for FedRAMP sent us back to the drawing board.

Fortunately for all concerned, most changes in compliance regulations are signalled way in advance of their requirement dates, so we are able to be ready in good time to support our customers through these changes. Highly regulated areas like SOX and HIPAA have the highest visibility when it comes to change, so it’s hard to be surprised by these.

Even though OneLogin is itself not subject to SOX or HIPAA compliance regulations, it is incumbent upon us to secure our environment and prove our compliance with these and other relevant standards in order to effectively support our customers. Next time, I’ll explain in more detail how we help with the choppy seas of SOX compliance.

About the Author

Alvaro Hoyos leads OneLogin’s risk management, security, and compliance efforts. He also works with prospects, customers, and vendors to help them understand OneLogin’s security, confidentiality, availability, and privacy posture and how it works alongside, or in support of, customers’ own risk management models. Alvaro has over 15 years in the IT sector and, prior to joining OneLogin, helped startups, SMBs, and Fortune 500 companies with their security and data privacy compliance efforts. His commentary and articles have been featured in several publications, including CIO, CSO, Network World, Infosecurity, eWeek, and Help Net Security. Alvaro is a member of the Forbes Technology Council and has a B.B.A. in M.I.S. and an M.S. in M.I.S. from Florida International University.
