
The role of continuous compliance in modern data centre environments


Modern data centre environments carry a wide range of compliance obligations. If, for example, a data centre hosts servers on which cardholder data is stored, its customers are entitled to the protection provided by physical security controls and policies, and the operator must be able to evidence those controls.

Under the applicable rules and regulations, operators must be able to protect their servers from unauthorised access and to limit the impact of any data breach that does occur.

More broadly, every relevant framework, from PCI DSS and SOC 2 to HIPAA, includes some element of physical security control requirements. Each data centre operator must therefore comply with the relevant requirements of every framework, standard and regulation that its customers are themselves bound by.

So where does this leave organisations running their own data centres, and particularly those operating a hybrid strategy in which some capabilities are outsourced to third-party service providers? An organisation has complete control over its own data centre operations, but total control of the cloud is impossible, because every cloud provider delivers its service under a shared responsibility model. The provider controls physical access to its infrastructure, the customer controls user access to the services built on it, and between those two points responsibility for a given control can become blurred.

How far data centre operators can meet these requirements therefore depends largely on the sophistication and maturity of their compliance programme. An effective compliance strategy strikes a balance between building trust with customers and setting out a pathway towards an effective security and risk management programme.

Given the varied compliance requirements that data centres may be required to meet, the more advanced organisations can demonstrate an ability to go beyond what individual frameworks require. For example, instead of just engaging in manual exercises designed to meet point-in-time requirements for protecting data, mature organisations use continuous compliance – driven by automation – to deliver daily or even real-time insight into the compliance status of their facilities, technologies and processes wherever they reside.

Reactive or continuous?

But how do these approaches differ, and why does it matter? Reactive strategies generally originate where compliance is viewed purely as an obligation: the rules must be met because failing to meet them carries tangible consequences and penalties.

In some organisations this approach also shapes the cybersecurity strategy, an area of huge importance to data centre operators. The problem is that while point-in-time compliance can lay a foundation for cybersecurity, it ignores something that is becoming crucial in today’s highly connected, real-time organisations: bridging the gap between reactive, active and proactive compliance, which is the gap between a control that passed on audit day and a control that is verifiably working now.

Continuous compliance, in contrast, fits a world that increasingly relies on zero-trust security concepts, in which nothing is trusted on the strength of a past check. Data centre operators, particularly those serving highly regulated industry sectors, increasingly need constant vigilance and verification across key workloads and datasets. By using automation to remove human error, bias and the risks that come with ambiguity, organisations can generate evidence of compliance in real time, and in doing so reduce the risk of the breaches and damaging cybersecurity incidents that point-in-time processes leave undetected between audits.
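As an added illustration of the difference between a point-in-time audit and the continuous, automated evaluation described above (this is example code written for this page, not from the article, from Drata or from any compliance product), the following Python sketch evaluates the same set of controls in both modes over a constructed stream of configuration snapshots. The control identifiers, asset names, configuration keys and audit dates are all hypothetical and constructed for the example.

```python
# Point-in-time audit versus continuous control evaluation (illustrative).
# Controls, snapshots and audit dates below are constructed for this example;
# the control IDs are hypothetical and map to no real framework clause.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class Snapshot:
    """Configuration of one asset as observed at one moment."""
    observed_at: datetime
    asset: str
    config: dict


@dataclass(frozen=True)
class Control:
    """A machine-checkable control: a predicate over an asset's configuration."""
    control_id: str
    description: str
    check: Callable[[dict], bool]


@dataclass(frozen=True)
class Evidence:
    """Timestamped result of evaluating one control against one snapshot."""
    control_id: str
    asset: str
    observed_at: datetime
    passed: bool


# Hypothetical controls covering encryption, access control and logging.
CONTROLS = [
    Control("ENC-01", "Volumes holding cardholder data are encrypted at rest",
            lambda c: c.get("encryption_at_rest") is True),
    Control("ACC-02", "Administrative access requires MFA",
            lambda c: c.get("mfa_required") is True),
    Control("LOG-03", "Access logs are retained for at least 365 days",
            lambda c: c.get("log_retention_days", 0) >= 365),
]


def evaluate(snapshot: Snapshot, controls=CONTROLS) -> list[Evidence]:
    """Evaluate every control against one snapshot, emitting evidence records."""
    return [Evidence(ctl.control_id, snapshot.asset, snapshot.observed_at,
                     bool(ctl.check(snapshot.config))) for ctl in controls]


def evaluate_stream(snapshots, controls=CONTROLS) -> list[Evidence]:
    """Continuous mode: evaluate every snapshot as it arrives, in time order."""
    ordered = sorted(snapshots, key=lambda s: s.observed_at)
    return [ev for snap in ordered for ev in evaluate(snap, controls)]


def point_in_time_audit(snapshots, at: datetime, controls=CONTROLS) -> list[Evidence]:
    """Audit mode: look only at the latest snapshot available on the audit date."""
    eligible = [s for s in snapshots if s.observed_at <= at]
    if not eligible:
        return []
    return evaluate(max(eligible, key=lambda s: s.observed_at), controls)


def failures(evidence) -> list[Evidence]:
    return [e for e in evidence if not e.passed]


def blind_spots(snapshots, audit_times, controls=CONTROLS) -> list[Evidence]:
    """Failures recorded by continuous evaluation that no scheduled audit observed."""
    seen_by_audits = {(e.control_id, e.asset)
                      for at in audit_times
                      for e in failures(point_in_time_audit(snapshots, at, controls))}
    return [e for e in failures(evaluate_stream(snapshots, controls))
            if (e.control_id, e.asset) not in seen_by_audits]


# Constructed sample data: one database host observed daily for eight days.
# MFA is switched off on days 3 and 4 and restored on day 5, so the control
# regresses and recovers entirely between the two audit dates.
BASE = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _config(mfa: bool) -> dict:
    return {"encryption_at_rest": True, "mfa_required": mfa, "log_retention_days": 400}


SAMPLE_SNAPSHOTS = [Snapshot(BASE + timedelta(days=d), "db-01", _config(mfa=d not in (3, 4)))
                    for d in range(8)]
AUDIT_TIMES = [BASE + timedelta(days=1), BASE + timedelta(days=7)]


if __name__ == "__main__":
    for at in AUDIT_TIMES:
        n = len(failures(point_in_time_audit(SAMPLE_SNAPSHOTS, at)))
        print(f"audit {at.date()}: {n} failing control(s)")
    for ev in blind_spots(SAMPLE_SNAPSHOTS, AUDIT_TIMES):
        print(f"missed by audits: {ev.control_id} on {ev.asset} failing at {ev.observed_at.date()}")
```

Both scheduled audits report a clean bill of health, because on each audit date the host happens to be compliant; only the continuous stream records the two days on which MFA was off. In a real deployment the snapshots would come from configuration management or cloud inventory APIs and the evidence records would be retained as the audit trail, but the structural point is the same: evidence generated on every observation can show a regression that evidence generated on audit day cannot.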

Recent research from Drata into the state of businesses’ compliance maturity shows how differently organisations approach this. Asked how often teams review the status of compliance controls, 40% said their approach was continuous (i.e. automated), while 55% said they carry out reviews at set intervals using manual processes.

The risks of reactive compliance are real. The same study reported that 87% of respondents using a reactive approach had faced negative consequences as a result. Over 40% said the most common impact was a slower sales cycle, and a similar proportion reported suffering a security breach because of blind spots created by their manual compliance efforts.

Continuous compliance, by contrast, mitigates many of these risks and can even accelerate the business. It is important to understand, however, that optimising processes and staffing levels alone will not get an organisation there. Technology, and automation in particular, is what allows compliance capabilities to scale; continuous compliance is ultimately achieved by fully integrating people, processes and technology.

Without the ability to demonstrate continuous compliance, more organisations are likely to fall foul of the increasingly tough and complex regulatory environment. Building the capability into standard operating procedures, however, can help leadership teams embrace digital innovation with the confidence that they’re working in the interests of all stakeholders.

Troy Fine
Director of Risk and Compliance at Drata
