Organizations that are serious about scaling up operations in the cloud need to ensure their cloud workloads can meet industry security requirements and regulations. This is especially true today as millions of workers continue ditching the cubicles and water coolers for their own improvised, home office arrangements.
For many companies, this accelerated digital transformation has complicated efforts to achieve and maintain cloud security compliance. While the pandemic spurred many organizations to adopt cloud and downsize on-premise infrastructure, it also left less-experienced cloud customers at increased risk of fielding misconfigurations or out-of-date components with vulnerable APIs.
In a 2022 survey by CyberRisk Alliance, just 55% of cybersecurity professionals said their organization conducts configuration or compliance vulnerability scans. In the latest data compiled by Verizon, only 28% of surveyed organizations were able to achieve and maintain 100% compliance with PCI DSS, the set of standards governing how organizations secure credit card-based payments. Meanwhile, the Cloud Security Alliance has found that 81% of security professionals are “moderately” to “highly concerned” about risks introduced by third-party suppliers operating outside the scope of compliance.
Given these developments, there’s a compelling case for why organizations need to take compliance seriously when moving to the cloud. Properly implemented and enforced, these frameworks can help organizations scale up cloud usage without increasing risk or compromising sensitive data in the process. Conversely, the consequences are steep for those who fail to comply — higher risk of data breaches, extremely heavy financial penalties, loss of consumer trust and severe damage to a company’s reputation, to name just a few of the costs.
That’s why, at the very minimum, organizations should exercise all due diligence in understanding how the most common security policies and frameworks will affect their cloud-based operations.
Common compliance laws and security frameworks
HIPAA: The Department of Health and Human Services has updated HIPAA for the cloud age, ensuring that HIPAA-regulated cloud service providers and customers (or ‘covered entities’) understand their responsibilities when they create, receive, maintain or transmit electronic health data using cloud services. These responsibilities include maintaining the confidentiality, integrity and availability of all electronic personal health data, identifying reasonably anticipated security threats, protecting against impermissible use or disclosure of data, and ensuring compliance by the workforce and business associates.
GDPR: The General Data Protection Regulation specifies how companies may handle the personal data of European Union residents. Under GDPR, organizations must obtain customer consent to collect personal data, may only collect data for which there is a clear business need, must respect the customer’s right to have their data erased or forgotten on request, and must notify customers in the event their data has been compromised. All of these restrictions apply equally in the cloud, so it is vital for an organization to work with a cloud service provider that can formalize these obligations in the cloud service agreement.
CCPA: Under this act, California residents are entitled to see all data that a company has on record about them, including consumer data the company has shared with third parties at any point in the past. Considered the U.S.’s own version of GDPR, the law is expected to be expanded by the broader California Privacy Rights Act beginning January 1, 2023.
FedRAMP: All cloud services used by federal agencies and cloud service contractors must be FedRAMP-compliant. FedRAMP plays a valuable role by ensuring consistency and confidence in the security of cloud solutions using government-defined standards, transparency between US government and cloud providers, automation and near real time continuous monitoring, and adoption of secure cloud solutions through reuse of assessments and authorizations.
PCI DSS: The Payment Card Industry Data Security Standard pertains to any business that deals with the processing, storage or transmission of credit card information, and is designed to protect card data that is stored both electronically and in paper records. Under PCI DSS, organizations are required to build a secure network, implement certain access controls for cardholder data, and maintain a regularly tested security system and vulnerability management program. The PCI Security Standards Council provides guidelines for companies seeking cloud compliance with PCI DSS.
Focus for implementing and managing key controls
Caption: Companies assume ownership when it comes to demonstrating compliance of cloud applications. But what does that ownership entail? (Image Credit: Cloud Security Alliance)
Even though cloud service agreements operate under a shared responsibility model, it is the cloud customer who is responsible for faithfully maintaining compliance. This means that customers can reconfigure security controls to fit their needs, but they cannot point fingers at others when misconfigurations or vulnerabilities crop up as a result of those changes.
Fortunately, a wealth of resources are available for helping companies manage and implement smart security controls to maintain cloud compliance. Below are a few steps organizations can take to bolster cloud security while reducing the risk of violating known requirements.
#1: Governance
Getting governance right is crucial. Companies can work with cloud providers to adapt their governance policies for the cloud: taking stock of cloud assets, identifying configuration requirements, defining responsibilities and ownership, and determining the resource allocation and financial controls necessary to maintain compliance. Major cloud providers like Google, Amazon, and Microsoft have even published resources to help companies tailor governance policies to facilitate cloud compliance.
#2: Change control
Manual remediation and manual updates are not sustainable when it comes to staying on top of changing rules and regulations. Organizations should consider introducing compliance automation: regular, automated checks that ensure cloud configurations are up to date and aligned with the latest regulations. Infrastructure-as-code tools are gaining popularity for this reason, as they enable DevSecOps teams to identify misconfigurations before the infrastructure is even provisioned. The automation improves consistency in configuration and, because the infrastructure definition is versioned like any other code, lets teams pinpoint when and why a change was made.
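As an added illustration of the pre-provisioning check described above (example code written for this article, not part of the original text or any vendor tool): a small Python scanner that evaluates a constructed, Terraform-style JSON plan against three CIS-Benchmark-style rules and fails the pipeline before anything is provisioned. The plan structure and attribute names are assumptions loosely modelled on the AWS provider.

```python
import json
import sys

# Constructed sample in the shape of a Terraform JSON plan (not a real plan file);
# attribute names are assumptions modelled on the AWS provider.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "logs", "acl": "public-read"}},
        {"address": "aws_db_instance.cards", "type": "aws_db_instance",
         "values": {"storage_encrypted": False}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22,
                                 "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_db_instance.ok", "type": "aws_db_instance",
         "values": {"storage_encrypted": True}},
    ]}}
})

def check_bucket(values):
    if values.get("acl") in ("public-read", "public-read-write"):
        return "S3 bucket ACL grants public access"

def check_db(values):
    if not values.get("storage_encrypted", False):
        return "database storage is not encrypted at rest"

def check_sg(values):
    for rule in values.get("ingress", []):
        open_world = "0.0.0.0/0" in rule.get("cidr_blocks", [])
        if open_world and rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0):
            return "security group exposes SSH (22) to the internet"

CHECKS = {"aws_s3_bucket": check_bucket, "aws_db_instance": check_db,
          "aws_security_group": check_sg}

def scan_plan(plan_json):
    """Return (resource address, finding) for every planned resource that fails a rule."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan["planned_values"]["root_module"]["resources"]:
        check = CHECKS.get(res["type"])
        msg = check(res.get("values", {})) if check else None
        if msg:
            findings.append((res["address"], msg))
    return findings

if __name__ == "__main__":
    results = scan_plan(SAMPLE_PLAN)
    for address, msg in results:
        print(f"FAIL {address}: {msg}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the apply step in CI
```

In a real pipeline the plan JSON would come from `terraform show -json` on the saved plan, and the findings would be versioned alongside the infrastructure code that caused them.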
#3: Continuous monitoring and reporting
With so many rules and regulations to satisfy, organizations must stay vigilant about the compliance landscape. Advanced cloud security posture management solutions, such as Qualys’s CloudView, offer dedicated support for navigating the most common compliance mandates (such as PCI DSS, HIPAA, NIST CSF, and GDPR). By extracting compliance data and factoring in CIS Benchmarks across the major cloud providers, tools like CloudView can generate dashboard reports that inform companies of irregularities or potential misconfigurations.