Google recently announced new and improved Cloud platform offerings. For businesses regulated by the Health Insurance Portability and Accountability Act ("HIPAA") or the Gramm-Leach-Bliley Act ("GLBA"), moving data to the Cloud is not something to be taken lightly. HIPAA and GLBA place a heavy emphasis on the protection of sensitive customer or patient information.

In reviewing Google's white paper detailing the security of the offering, it was interesting to note the following language:

In addition to a full-time information security team, Google also maintains several functions focused on complying with statutory and regulatory compliance worldwide. Google has a Global Compliance function that is responsible for legal and regulatory compliance as well as a Global Internal Audit function responsible for reviewing and auditing adherence to said compliance requirements, such as Sarbanes-Oxley and Payment Card Industry standards (PCI).

The paper went on to discuss various aspects of the platform's security controls and incident response. The addition of this language appears to be an attempt to address concerns that highly regulated industries may have. Given the amount of competition in this space, it will be interesting to see whether other Cloud providers use compliance and control initiatives within their product offerings to gain a competitive advantage rather than simply focusing on cost. Regardless of which Cloud provider is chosen, the language in the actual terms and conditions of a Cloud services engagement requires heavy scrutiny to ensure the appropriate level of diligence has been achieved.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.