The regulatory landscape is constantly evolving, with an ever-increasing number of laws and statutes worldwide mandating information security and data protection requirements. Along with more established regulations and standards, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), U.S. Gramm–Leach–Bliley Act (GLBA), SWIFT data protection policies, Payment Card Industry Data Security Standard (PCI-DSS), and Canada Personal Information Protection and Electronic Documents Act (PIPEDA), recent laws and regulations have garnered much attention, including the European Union’s (EU) General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive (EU 2016/1148), both of which became enforceable in 2018.
These new laws, among others, have important implications for organizations operating in the cloud. Compliance requirements are typically based on information security best practices, but it’s important to remember that security and compliance aren’t the same thing. The GDPR applies to entities that control or process personal data on individuals located in the EU. Personal data is defined in the law quite broadly as any information relating to an individual that is identified or identifiable.
It’s important to understand your personal data-impacting business processes and the information life cycle collection, processing, storage and transfer associated with these processes. Once understood, these business processes will need to be risk assessed and a set of remediation actions defined where compliance gaps are uncovered. Compliance regulations allow organizations to implement policies preventing company data from being shared to unauthorized personnel.
Microsoft recently implement a new strategy called “compliance and conditional access” a device compliance state in the Azure AD conditional access policies. These policies necessitate mobile devices to be compliant with organization standards defined in Microsoft Intune before accessing network resources, such as Office 365 applications and business-related email and other correspondence. You can restrict access to individual Office 365 applications if the device is unmanaged and not compliant. For instance, you can opt to allow users to access Microsoft Word on any device while restricting access to OneDrive to only managed and compliant devices.