Organizations face a multitude of concerns over their data, something that is central to their business processes. They want to know where their data is stored, who can access it, and when and by whom changes have been made. Additionally, different types of data require different levels of confidentiality—some are ultra confidential, while others can be seen by everyone.
Trying to tackle these concerns leads organizations straight into a complex regulatory landscape, and the growing complexity of regulations demands that organizations address these challenges. That’s because these regulations about data privacy and security differ based on the organization’s type, objectives, industry vertical and size. Some are sector-specific, while others are dependent on the country. For example, two important recent European regulations are NIS2 (Enhancing the security of Network and Information Systems) for essential and important entities, and DORA (Digital Operational Resilience Act) for financial entities such as banks, insurance companies, and investment firms.
Achieving and maintaining compliance in an ever-evolving regulatory landscape can be a tall order. Additionally, organizations have to prove to the regulatory body that they’re compliant. This means that organizations using cloud services need to get proof from their cloud provider that the relevant regulations are being respected. In other words, they need a compliant cloud. This also includes concepts such as sovereignty, which is often viewed as a cloud environment physically located within a specific country or region to comply with local regulations. Today there is no official checklist or stamp of approval, nor a formal audit or certification, that could certify to end users that they are dealing with a sovereign cloud. It therefore becomes more of a “marketing idea” that varies from one organization to another.
Achieving peace of mind with Compliant Cloud
"Cegeka's Compliant Cloud provides customers with the necessary guidance to navigate regulatory requirements effectively." It is all about our adaptability to meet customer requirements by deploying different landing zones. We provide these assurances in our own private data centers, on Microsoft Azure, as well as on our customer’s private infrastructure. We carefully assist in categorizing data based on a customer’s specific requirements, such as where data is stored or processed. We also assist in providing the necessary transparency to maintain compliance throughout the entire operation.
To support this compliance, Cegeka has developed a control framework of both process and product controls. This Multi Compliance Framework is based on the international standards ISO 9001, ISO 27001, ISO 27002, ISO 14001, Uptime Tier III, ISAE 3000 Trust Services Criteria (TSC), and GDPR. Our control framework already includes over 140 controls, covering regulations like NIS2 and DORA, and we’re continually adding more. Additionally, our roadmap already takes into account compliance with C5 and upcoming regulations like the EU AI Act and the EUCS scheme for cloud services.
When a customer needs cloud services compliant with a specific regulation, we assist in ensuring that the services utilized on our cloud platforms adhere to compliance checks within our control framework. We’re routinely audited by a third party, and the certificates and assurance reports are available to our customers. Each year, audited customers receive an ISAE 3000 (SOC2) Type II assurance report. They can present this to their regulator as evidence that their data and the services provided in the cloud are treated in compliance with the relevant regulations. Of course, in addition to the assurances we provide on the cloud services they use, customers still have to carry out their own risk analysis and assume their responsibilities concerning the regulation.
Enhancing transparency through observability
Within our digital customer engagement platform, Horizon, we are planning to build multiple dashboards that provide customers and their regulators real-time visibility into their security posture and compliance by displaying the status of each control of our Multi Compliance Framework. This enhances transparency, offering real-time visibility to our customers that our cloud platforms and services maintain compliance. We use our Horizon platform to bring clarity to this hyperconnected and regulated world.
Evidence can be obtained through an automated process or by a manual intervention, depending on the use case of the control. Examples of automated processes are executing backups according to the backup plan, triggering an incident when a backup is unsuccessful, or swiftly deleting a co-worker's user account from both the customer's Active Directory and the public cloud. Auditing manual processes, which are equally critical, depends on the skills and expertise of certified specialists. This includes tasks like annually reviewing the backup plan or disaster recovery plan, as well as executing the disaster recovery process on an annual basis.
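As an added illustration of the automated evidence path for one control (this is not Cegeka's code or its framework; the control identifier, the backup plan, the job log format and all log lines are constructed for the example), the script below evaluates a backup job log against a backup plan, raises an incident finding for every failed or overdue backup, and emits an evidence record stating whether the control is met:

```python
"""Added example: automated evidence collection for a backup control.

Not Cegeka's code. The control id, plan, log format and log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed backup plan: each system must have a successful backup that is
# no older than `interval_hours` hours at evaluation time.
BACKUP_PLAN = {
    "fileserver-01": 24,
    "db-prod-01": 6,
    "app-web-02": 24,
}

# Constructed job log (finished_at, system, status) as a hypothetical backup
# tool might emit it. db-prod-01 has one failed run; app-web-02 is overdue.
JOB_LOG = """\
2024-05-01T01:10:00Z fileserver-01 SUCCESS
2024-05-01T02:05:00Z db-prod-01 SUCCESS
2024-05-01T08:05:00Z db-prod-01 FAILED
2024-05-01T14:02:00Z db-prod-01 SUCCESS
2024-04-29T01:00:00Z app-web-02 SUCCESS
"""

# Fixed evaluation time so the example is reproducible offline.
EVALUATION_TIME = datetime(2024, 5, 1, 18, 0, tzinfo=timezone.utc)


@dataclass
class Finding:
    system: str
    severity: str   # "incident" feeds the incident process; "ok" is evidence
    detail: str


def parse_log(text):
    """Parse log lines into (finished_at, system, status) tuples."""
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, status = line.split()
        jobs.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), system, status))
    return jobs


def evaluate_backup_control(plan, jobs, now):
    """Check every system in the plan: failed jobs and overdue backups become incidents."""
    findings = []
    for system, interval_hours in plan.items():
        system_jobs = [j for j in jobs if j[1] == system]
        failures = [j for j in system_jobs if j[2] != "SUCCESS"]
        successes = [j for j in system_jobs if j[2] == "SUCCESS"]
        for ts, _, status in failures:
            findings.append(Finding(system, "incident",
                                    f"backup job at {ts.isoformat()} ended with {status}"))
        if not successes:
            findings.append(Finding(system, "incident", "no successful backup on record"))
            continue
        last = max(ts for ts, _, _ in successes)
        age = now - last
        if age > timedelta(hours=interval_hours):
            findings.append(Finding(system, "incident",
                                    f"last successful backup {age} ago exceeds the {interval_hours}h plan"))
        else:
            findings.append(Finding(system, "ok",
                                    f"last successful backup at {last.isoformat()} within {interval_hours}h"))
    return findings


def evidence_record(findings, now):
    """Build the evidence an auditor would see: control status plus supporting findings."""
    incidents = [f for f in findings if f.severity == "incident"]
    return {
        "control": "BKP-01 backups executed according to plan",  # constructed id
        "evaluated_at": now.isoformat(),
        "status": "non-compliant" if incidents else "compliant",
        "incidents": [f"{f.system}: {f.detail}" for f in incidents],
        "evidence": [f"{f.system}: {f.detail}" for f in findings if f.severity == "ok"],
    }


def run_example():
    """Evaluate the constructed log at the fixed evaluation time."""
    findings = evaluate_backup_control(BACKUP_PLAN, parse_log(JOB_LOG), EVALUATION_TIME)
    return evidence_record(findings, EVALUATION_TIME)


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

Run on the constructed log, the record comes back non-compliant with two incidents (the failed db-prod-01 run and the overdue app-web-02 backup) and two "ok" evidence lines; the same evaluation run on a schedule is what turns a control from a statement in a framework into a dated, reproducible artifact.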
Observability is something we provide beyond the infrastructure level. In our development roadmap, we prioritize observability as a vital domain for skill enhancement. We use various technologies that suit the specific needs and architectures of our customers. This complete approach aims to improve all aspects of the development process, covering everything from infrastructure management to application development, ensuring a thorough and effective end-to-end chain. Thanks to Cegeka’s acquisition of Key-Performance, a Dynatrace partner, our observability extends beyond standard metrics such as system uptime, performance, and response times. In doing so, observability, in combination with our advanced cyber security solutions, helps detect and prevent any unauthorized or malicious access, from infrastructure to the application and the data, as well as any errors or anomalies that may compromise data quality or integrity.
Strengthen business resilience
We are staunch advocates for a multi-cloud environment. Regardless of your current cloud platform, you should have the capability to swiftly move your applications and data to another platform when required, for example for geopolitical reasons or to benefit from (additional) features in a certain cloud model. Regulatory bodies increasingly demand concrete evidence of exit strategies within cloud environments, alongside demonstrations that vendor lock-in can be avoided to mitigate business dependencies. These imperatives are essential for fostering business resilience, particularly in navigating complex regulated landscapes.
As an example, with KubePort, Cegeka’s cloud-native managed container platform, we lay the groundwork for this exit strategy. KubePort is cloud-agnostic, giving you a choice between Cegeka’s on-premises infrastructure (private cloud) or public cloud infrastructure from Microsoft Azure. The end result is that customers can keep their business operational whatever challenges they face. Compliant Cloud not only helps in achieving compliance and security but also strengthens business resilience.
Are you keen to learn more about Compliant Cloud? Contact Gaetan Willems, Global Director Hybrid Cloud at Cegeka.