An organization wants to use a public cloud provider for IaaS instances. They will develop and deploy their own applications within these instances. The organization must follow health care compliance regulations.
What should the organization ensure before deploying their applications in the public cloud?
A . Instances will not be placed in more than one availability zone
B . Auditors have access to the cloud provider’s data encryption keys
C . Cloud provider supplies data-in-transit encryption capabilities
D . Cloud provider supplies proper controls and audits for compliance requirements
Answer: C
Explanation:
HIPAA is the U.S. law that regulates an individual’s healthcare information.
HIPAA has two rules that we should focus on:
• Privacy rule C requires that data is kept encrypted when in transit and at rest.
• Security rule C requires that stringent controls are in place for access to data. It requires logging for audits (for example, who accesses what data and why). Additionally, backups require controls on the backup mediums and restoral procedures. Some cloud service providers have business associate agreements available with details on their websites.