Addressing Compliance In Cloud Environments


Compliance Conundrum in the Cloud

In the race to the cloud, I’ve noticed a disturbing trend. Daily, I speak to organizations that have moved production workloads over to cloud IaaS providers but haven’t yet addressed how they will manage, measure and report on regulatory compliance controls. [1] Amid all the concerns over whether public clouds are secure, some organizations missed a critical question: Can we demonstrate compliance without overworking our teams in the process?

It’s not surprising that it has taken an impending PCI or SOC 2 audit for SecOps and risk and compliance teams to reckon with how they will measure the compliance of their cloud infrastructure. [1] Never have so many people in an organization had the power to make changes to the infrastructure that could go unchecked: anyone holding the right credentials can create or reconfigure resources with a console click or an API call. To further complicate matters, traditional data-center compliance tools, built around agents and network scans of long-lived hosts, do not map cleanly onto the API-centric, ephemeral world of the cloud. [1]

Without tools designed for the cloud, teams are forced to navigate tedious, manual processes to produce evidence of technical compliance controls across the dynamic and fast-changing cloud infrastructure. [1] Sure, you can prove that at some point you passed the controls, but what was the situation 24 hours before or two weeks after? Point-in-time compliance just doesn’t cut it anymore. With stories of cyber risk, cybercrime, hackers and breaches topping our news feeds each day, organizations need to be able to demonstrate an ongoing practice of managing security. [1]

Continuous Security and Compliance in the Cloud

Just as DevOps teams have adopted “continuous delivery” and “continuous innovation” and made them a part of the everyday IT language, “continuous security” and “continuous compliance” need to be just as frequent discussion topics. [1] The good news is, unlike managing compliance in traditional data centers, modern infrastructure gives us a path to addressing security and compliance programmatically and automatically. [1]

The APIs we now have available enable a whole new era of security automation. Using them, you can enumerate metadata about your infrastructure (accounts, identities, networks, storage, configuration) and continuously evaluate whether each change introduces new risk into your environment. [1] The introduction of technologies designed specifically to streamline and automate security assessment and remediation for the cloud has advanced how organizations manage their security posture and compliance processes. [1]

Empowering DevOps with Compliance Automation

For DevOps teams, using automation to manage security means they can also manage compliance throughout the entire development lifecycle, rather than building up a backlog of compliance debt that requires remediation before delivery. [1] The cloud has also allowed DevOps to codify both security and compliance, which helps to reduce risk by ensuring best practices are followed, and changes to infrastructure and the cloud environment adhere to their organization’s security policies. [1]
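The preceding paragraphs describe the pattern but not what it looks like in code. The following is an added example, not code from the cited sources: a small compliance-as-code evaluator that runs a set of controls over an inventory snapshot (the kind of data a provider's describe/list API calls return), compares two snapshots to answer "did the change introduce new risk?", and emits a timestamped record that can be handed to an auditor. The snapshots, the region allowlist and the control IDs are all constructed for illustration; the region control anticipates the data-residency discussion under GDPR later on the page.

```python
"""Compliance-as-code over cloud inventory snapshots.

Added example, not code from the cited sources. The two snapshots are
constructed by hand in the shape a provider's describe/list API calls
might return; a scheduled job would fetch real ones and keep every
evaluation as timestamped evidence.
"""
from datetime import datetime, timezone

# Assumed policy: regulated data may only live in these regions.
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}
ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "open to the world"

# Constructed snapshot: the state a scheduled inventory pull found at T0.
SNAPSHOT_T0 = {
    "taken_at": "2024-03-01T09:00:00Z",
    "buckets": [
        {"name": "app-logs", "region": "eu-west-1", "public": False, "encrypted": True},
        {"name": "customer-exports", "region": "eu-central-1", "public": False, "encrypted": True},
    ],
    "security_groups": [
        {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "rules": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
}

# Constructed snapshot one day later: SSH was opened to the world through the
# IPv6 wildcard, and an unencrypted copy of customer data appeared in a US region.
SNAPSHOT_T1 = {
    "taken_at": "2024-03-02T09:00:00Z",
    "buckets": SNAPSHOT_T0["buckets"] + [
        {"name": "customer-exports-us", "region": "us-east-1", "public": False, "encrypted": False},
    ],
    "security_groups": [
        {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "rules": [{"port": 22, "cidr": "10.0.0.0/8"}, {"port": 22, "cidr": "::/0"}]},
    ],
}


def public_buckets(snap):
    return sorted(b["name"] for b in snap["buckets"] if b["public"])


def unencrypted_buckets(snap):
    return sorted(b["name"] for b in snap["buckets"] if not b["encrypted"])


def out_of_region_buckets(snap):
    return sorted(b["name"] for b in snap["buckets"] if b["region"] not in ALLOWED_REGIONS)


def admin_ports_open_to_world(snap):
    # A web port open to the internet is fine; SSH/RDP open to the internet is not.
    return sorted(
        sg["id"] for sg in snap["security_groups"]
        if any(r["port"] in ADMIN_PORTS and r["cidr"] in ANYWHERE for r in sg["rules"])
    )


# Control IDs are illustrative, not taken from any framework; in practice each
# entry would also carry its mapping to PCI DSS requirements, SOC 2 criteria, etc.
CONTROLS = [
    ("STO-01", "Object storage is not publicly accessible", public_buckets),
    ("STO-02", "Object storage is encrypted at rest", unencrypted_buckets),
    ("STO-03", "Regulated data stays in approved regions", out_of_region_buckets),
    ("NET-01", "Admin ports (SSH/RDP) are not open to the internet", admin_ports_open_to_world),
]


def evaluate(snap):
    """Map each control ID to the resources failing it (empty list means pass)."""
    return {cid: check(snap) for cid, _, check in CONTROLS}


def new_failures(prev, curr):
    """Resources that fail a control now but did not in the previous snapshot.

    This is the "did the change introduce new risk?" question that a
    point-in-time check cannot answer on its own.
    """
    before, after = evaluate(prev), evaluate(curr)
    return {
        cid: sorted(set(after[cid]) - set(before[cid]))
        for cid in after
        if set(after[cid]) - set(before[cid])
    }


def evidence_record(snap):
    """Timestamped, auditor-readable record of one evaluation."""
    results = evaluate(snap)
    return {
        "snapshot_taken_at": snap["taken_at"],
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
        "controls": [
            {"id": cid, "description": desc,
             "status": "FAIL" if results[cid] else "PASS",
             "failing_resources": results[cid]}
            for cid, desc, _ in CONTROLS
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_record(SNAPSHOT_T1), indent=2))
    print("new failures since T0:", new_failures(SNAPSHOT_T0, SNAPSHOT_T1))
```

Run on a schedule and stored alongside each snapshot, the evidence records are the "what was the situation 24 hours before?" answer; the `new_failures` diff is what you would wire into a pipeline gate or an alert so that the open SSH rule is caught on the day it appears rather than at the next audit.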

Automation of compliance also enables teams to streamline the process of documenting and certifying the accounts, services and workloads in the cloud when the auditors come knocking. [1] This automation can help you create an abstraction layer to protect your operations and development teams from disruption and distraction, which can also have a significant negative impact on your timelines and bottom line. [1] With the right cloud security tools in place, you can provide auditors read-only access to compliance reports as needed, eliminating the need for team members to be in the middle of those requests. [1]

Gaining Executive Support for Compliance Automation

So, while your senior management may question whether a cloud provider is FISMA-, HIPAA- or PCI-compliant, you need to raise one more issue: how will your organization demonstrate its own compliance while running in one or more public clouds? [1] You need assurance of executive support for adding tools that help your team manage, assess and report on security and compliance without stopping innovation or piling extra work onto your development and operations teams. [1]

While I’m excited about the potential innovations the public cloud presents us all, I can’t help but wonder what next year’s audits will mean for the teams that have yet to address compliance automation for their cloud environments. [1] It’s never too early to prepare. [1]

Key Considerations for Cloud Compliance

Cloud compliance is the art and science of complying with regulatory standards of cloud usage in accordance with industry guidelines and local, national, and international laws. [2] Some common regulatory requirements include the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and Gramm-Leach-Bliley Act (GLBA). [2]

Once a company is in the cloud, it should be concerned with how the cloud provider will help the company remain in compliance with the laws, such as Europe’s General Data Protection Regulation (GDPR) or HIPAA in the U.S. [2] This discussion should start from the very beginning rather than after the cloud service is established. Businesses sometimes find themselves in the cloud long before they planned on it, and that complicates things. [2]

One of the core tenets of the cloud is that there should be a self-service interface so it is easy for the customer to set up, change, and exit from cloud services. What is not clear, however, is who at the customer’s business will do this. As it turns out, it could be anyone today. All that is needed is a corporate credit card, and a department can be off to the races putting data in the cloud. The term for this is not new; it is shadow IT. [2] This term is getting a lot of use these days because of the characteristics of the cloud.

Establishing Cloud Governance

Governance is the oversight provided to a business by senior executives and the board of directors. Cloud governance is an extension of that oversight into the cloud. [2] Governance is critical; without it, there are too many unanswered questions about business goals and objectives that make managing a cloud and its security very difficult.

Before a company ever gets into a cloud, it should consider what its goals and objectives are. The goals and objectives should be guided by applicable laws, regulations, and contracts. [2] Beyond the legal aspects, cloud governance directs employees down the correct path to assist the company in achieving its goals and objectives. Major mistakes can cause the cloud to complicate things, preventing users from getting their job done. Mistakes could even land a company in court. [2] The board of directors and the executive management must give the cloud care and attention.

Navigating the Compliance Landscape

The first topic in any compliance discussion is the law. Businesses and their lawyers need to address what laws must be followed. They must also be clear about the consequences of non-compliance. [2] Once the laws are identified, it is important to ask which security controls need to be in place to comply with applicable laws and regulations.

Regulations such as EU GDPR require a great deal of security regarding personal information. [2] GDPR also restricts where data covered by the regulation can be processed and stored: transfers of personal data outside the EEA are only permitted under an adequacy decision or appropriate safeguards such as standard contractual clauses. This is a potential issue with the cloud, where storage replication, backups and support access can cross regions by default; however, controls can be put in place with most cloud providers to satisfy these requirements, typically by pinning workloads, backups and logs to EU regions and by relying on the provider's data processing agreement for any residual transfers.

Contracts define a formal agreement between two or more parties. When a company enters into a contract, it’s obligated to live up to the terms. [2] Failure to do so could result in severe financial penalties. An organization that processes or stores credit card information likely has an agreement with the card brands or its acquiring bank that requires it to implement the Payment Card Industry Data Security Standard (PCI DSS). [2]

To process credit cards, a business signs an agreement with the promise to fulfill the 12 security requirements of the standard. All 12 requirements apply regardless of the business's size; what varies with the number of transactions processed in a year is the merchant level, and therefore how compliance must be validated, from a self-assessment questionnaire at the low end to an on-site assessment by a Qualified Security Assessor at the high end. [2] A business should also check whether any contracts with its customers outline what the company can or can’t do with the cloud. Is there any impact on compliance if it uses a cloud of any flavor – public, private, community, etc.?

Many businesses use standards such as ISO 27001 or NIST SP 800-53 as a foundation for implementing security controls. [2] If a business decides to use ISO 27001 as its standard, the company needs to train employees so the proper controls are in place. These do extend to the cloud. In fact, ISO has addressed the cloud-specific aspects separately: ISO/IEC 27017 supplements the ISO 27002 controls with implementation guidance for cloud providers and cloud customers, plus a small number of additional cloud-only controls.

One way to assess the level of compliance with laws, regulations, and contracts is to have an audit. [2] Audits can be internal or external. An internal audit, completed by the business’ own auditors, provides a self-assessment to determine its level of compliance. The results of an internal audit can be viewed as skewed since the auditors could be biased in their conclusions. To provide a more objective opinion, a business may choose to be audited by an independent third-party audit firm. The audits discussed here regarding the cloud are those the cloud provider itself undergoes; the customer relies on them for the provider's side of the shared responsibility model and must still cover its own side.

Decoding Audit Reports

The result of an audit is found within the audit report. The reports are standardized by the American Institute of Certified Public Accountants (AICPA). [2] All businesses should ask for the SOC 2® audit report. A SOC 2® report is for service organizations, such as cloud providers. It attests to the provider's controls against the AICPA Trust Services Criteria described below; a report may additionally map those controls to frameworks such as ISO 27001 or the NIST Cybersecurity Framework (CSF), but the criteria the auditor opines on are the AICPA's.

The controls are assessed against AICPA’s five trust services criteria, which are: [2]

  Security: The system is protected against unauthorized access, both physical and logical.

  Availability: The system is available for operation and use as committed or agreed.

  Processing Integrity: System processing is complete, accurate, timely, and authorized.

  Confidentiality: Information designated as confidential is protected as committed or agreed.

  Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

These reports could be either a type 1 or a type 2. [2] A type 1 report shows the status of the controls at a moment in time: that they are suitably designed and have been implemented as of that date. A type 2 report shows the controls’ operational effectiveness over a period of time, typically six to twelve months. For the continuous-compliance argument made earlier on this page, the distinction matters: a type 1 is the provider's point-in-time snapshot, while a type 2 is the evidence that the controls actually operated throughout the period.

A cloud customer should ask for these reports, but it is possible that the cloud provider may not be inclined to provide them because they may contain sensitive information about their business. [2] In practice the major providers do release SOC 2 reports to customers, but under a non-disclosure agreement and through a customer portal rather than publicly. Another option is a SOC 3®, intended as a general use report. It contains very little information regarding the cloud provider’s business. It effectively gives or does not give the customer the auditor’s seal of approval for the cloud provider.

Shared Responsibility for Cloud Compliance

When you host workloads in the cloud, you offload some of the responsibility for security to your cloud provider. [3] However, it’s important to understand where the cloud vendor’s responsibility ends and yours begins. That’s why each of the leading cloud service providers publishes a set of guidelines, known as the shared responsibility model, which clarifies each party’s responsibilities.

For example, the vendor’s responsibilities include the security of its physical data centers, hardware and hypervisors, while those of customers include their guest operating systems, their own software and the configuration of their networks. [3] The line moves with the service model: on IaaS you own everything from the guest operating system upward, whereas on a managed database or serverless platform the provider also takes the operating system and runtime, and you keep identity and access management, data classification, encryption-key choices and application logic. In much the same way you share responsibility for security, you also share responsibility for compliance, and the dividing line is the same. In other words, the cloud vendor is responsible for compliance of the infrastructure and services it provides and you’re responsible for the compliance of your deployments on the vendor’s platform, which is why the provider's SOC 2 report never covers your misconfigured storage bucket or over-privileged IAM role.

Driving Cloud Compliance with Best Practices

There are a host of different best practices you can follow to help meet regulatory requirements, but the following are particularly beneficial to achieving compliance in the cloud: [3]

  1. Establish Cloud Governance: Develop a clear understanding of your organization’s cloud usage goals and objectives, and align them with applicable laws, regulations, and contracts.

  2. Automate Compliance Processes: Leverage cloud-native tools and technologies to streamline the processes of monitoring, measuring, and reporting on compliance.

  3. Maintain Continuous Visibility: Continuously track changes to your cloud environment and assess the impact on your compliance posture.

  4. Embrace a Shared Responsibility Model: Clearly delineate responsibilities between your organization and the cloud provider to ensure comprehensive coverage.

  5. Go Beyond Compliance: Focus not only on meeting baseline requirements but also on addressing the unique security needs of your cloud environment.

A switch to the cloud also necessitates a switch in approach to both security and compliance. [3] But it’s important to remember that the two disciplines are not one and the same. Compliance is often far wider in scope, covering matters such as the rights of individuals and the way you handle their personal information. This has implications when you process and store their data in the cloud.

At the same time, compliance at its narrowest is a box-ticking exercise to ensure you meet the baseline requirements of regulations and standards. And this doesn’t guarantee you’re sufficiently protected against the security risks your organization faces. [3] That’s why security should go beyond compliance, by focusing not only on what assessment programs require but also on what your organization actually needs. Because, if you don’t, you can still be vulnerable to attack, with consequences that can be huge: operational disruption, substantial financial losses and lasting damage to your business reputation.

Conclusion

As you embark on your cloud journey, remember that the road to compliance is paved with both challenges and opportunities. [1] [2] [3] By embracing a proactive, automated, and collaborative approach to cloud compliance, you can not only navigate the complexities but also unlock the full potential of the cloud. [1] [2] [3] So, let’s get started – the clock is ticking, and those auditors won’t wait. [1]

[1] Palo Alto Networks. “Tackling Cloud Compliance”. https://www.paloaltonetworks.com/blog/2019/05/cloud-tackling-cloud-compliance/
[2] Trend Micro. “Cloud Compliance: Laws, Regulations, and Best Practices”. https://www.trendmicro.com/en_us/what-is/cloud-security/cloud-compliance.html
[3] CrowdStrike. “Cloud Compliance: What It Is and How to Achieve It”. https://www.crowdstrike.com/cybersecurity-101/cloud-security/cloud-compliance/
