What Is Cloud Compliance?
The compliance landscape is rapidly changing.
New data protection regulations have been coming into force worldwide to address privacy issues brought about by the exponential growth in data organizations collect about individuals.
At the same time, information technology has been rapidly evolving as organizations migrate their systems from on-premises data centers to cloud-based infrastructure.
As a result, many are now uncertain as to what their compliance obligations are and what cloud compliance actually means. Yet, in most cases, the requirements are the same whether you host your data on-premises or in the public cloud.
But here’s what you need to know: cloud compliance is the practice of meeting the laws, regulations and industry standards that apply to the data and workloads you host in the cloud, at local, national and international level. The requirements themselves rarely change when you move to the cloud; the key difference between traditional and cloud compliance is how you go about meeting them.
So, in this post, we seek to explain these differences by discussing the challenges of cloud compliance and outlining mechanisms for ensuring best practice. But first let’s lay the groundwork by running through some of the most common regulations and standards.
Common Cloud Regulations and Standards
General Data Protection Regulation (GDPR)
The GDPR is European legislation that was designed to unify and strengthen the data protection laws of member states across the EU. It incorporates a far-reaching set of requirements to protect the privacy rights of individuals in the European Economic Area (EEA), including:
- Restrictions on international transfers, whereby personal data may leave the EEA only to countries the European Commission has deemed adequate, under approved safeguards such as standard contractual clauses, or under narrow derogations such as the individual’s explicit consent.
- Data minimization, which means you should collect and store only the personal data your organization actually needs.
- Storage limitation, whereby you must not retain this data for any longer than strictly necessary.
- Right of access, under which you must meet requests from individuals to access the personal data you hold about them.
- Right of erasure, under which you must meet requests from individuals to have their personal data erased.
The GDPR also includes requirements for data security. However, much like those of similar data protection regulations around the world, these are outcome-based rather than prescriptive: Article 32 requires “appropriate technical and organisational measures” and names encryption and pseudonymisation as examples, but leaves the choice and depth of controls to you.
Although the legislation protects only individuals in the EEA, it is still global in scope. This is because it applies to any organization that offers goods or services to people in the EEA or monitors their behaviour, and therefore stores or processes their personal data, regardless of where in the world the organization is located.
Penalties for non-compliance are potentially huge, with fines of up to €20 million or 4% of annual global turnover, whichever is the greater.
Since its departure from the EU, the UK has adopted its own version of the GDPR. This is practically identical to its EU counterpart.
Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP is one of the few examples of a government programme that specifically covers data processed and stored in the cloud. It standardizes the security assessment and authorization of cloud services used by US federal agencies, so that an authorization granted once can be reused by other agencies.
It is built on the Federal Information Security Modernization Act (FISMA), the US law that governs the security of information processed and stored by federal agencies and their contractors, but adapted to cloud service providers and cloud-based deployments.
FedRAMP sits within a cascade of frameworks that determine which controls an organization must implement to maintain the security and resilience of its IT systems. The controls themselves come from NIST SP 800-53, a catalogue of security and privacy controls; FedRAMP selects Low, Moderate and High baselines from it according to the impact level of the system and the data it handles.
Although FedRAMP and the NIST catalogue are mandatory only for federal systems and the providers that serve them, private sector companies also adopt them voluntarily. Given the patchwork nature of state and sector regulation across the US, doing so gives a company a single, well-documented control set onto which its other obligations can be mapped.
ISO/IEC 27000 Series
ISO/IEC 27000 is a family of international standards that provide best practice recommendations on how to protect information systems from a range of threats. Those most relevant to the cloud are:
- ISO 27001: The core standard within the series, providing a general set of controls for managing information security.
- ISO 27017: An additional set of security controls for cloud computing implementations.
- ISO 27018: A set of privacy controls for managing personal data in cloud-based environments.
ISO compliance is voluntary, but certification offers a number of benefits. For example, it signals trust to customers and suppliers, reduces the risk to your information assets and facilitates compliance with compulsory data protection regulations. Note that certification is against ISO 27001: 27017 and 27018 are codes of practice that extend its control set, so a provider claiming them should be able to show them within the scope of its 27001 certificate.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS, which is administered by the PCI Security Standards Council, a body founded by the major card brands, is a security-oriented standard that applies to any organization that stores, processes or transmits cardholder data.
It specifies 12 requirements you must meet to protect payment card transactions and cardholder details. Although still broad in nature, these are slightly more specific than those outlined in data protection regulations such as the GDPR. For example, Requirement 1 calls for installing and maintaining network security controls (a firewall configuration, in the wording of earlier versions).
However, implementation of this requirement is different in the cloud. Traditional perimeter firewalls assume fixed hosts and stable address ranges, which does not fit the dynamic, distributed and highly scalable nature of the cloud. Instead you will rely on the cloud-native controls the platform provides, such as security groups, network ACLs and managed firewall services, which attach to individual workloads and can be defined as code. You still have to show that, taken together, they segment the cardholder data environment from everything else.
Challenges of Cloud Compliance
A new and different type of computing environment presents different compliance challenges. The following are just a few of many such examples.
Certifications and Attestations
To satisfy the requirements of applicable standards and regulations, both you and your public cloud vendor will need to demonstrate compliance.
So, in addition to your own set of responsibilities, you’ll need to make sure your cloud platform also has the appropriate certifications or attestations.
Moreover, you’ll need to keep monitoring those attestations, because data protection laws change, new regulations come into force, and a cloud provider can lose its compliance status at any time. Check scope as well as status: a provider’s certification typically covers a listed set of services and regions, and a service outside that list is not covered by it.
Data Residency
As most data protection laws restrict the territories in which personal data may be stored or to which it may be transferred, you’ll need to make careful choices about which cloud regions you intend to use.
This may be particularly challenging if your organization is subject to a significant number of different regulations. In such cases, you may need to adopt a multi-cloud strategy to ensure you have the right mix of regions to cover all regulated data. Choosing a region is also only part of the job: backups, cross-region replication, log shipping and the provider’s own support access can all move data out of the region you selected unless you configure them not to.
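The region checks described above can be automated in two directions: a detective check that compares what is actually deployed against the regions each data classification may live in, and a preventive control that stops anyone deploying outside those regions in the first place. The following is an added example, not code from the article; the classification policy, the resource inventory and the list of global services exempted from the deny rule are constructed assumptions, and in practice the inventory would come from your provider’s configuration service.

```python
"""Data residency check against a region policy (added example; not from the
article). REGION_POLICY, INVENTORY and GLOBAL_SERVICES are constructed
assumptions for illustration."""
import json
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy: which regions may hold each data classification.
# None means any region is acceptable.
REGION_POLICY: Dict[str, Optional[Set[str]]] = {
    "eu-personal": {"eu-west-1", "eu-central-1", "eu-north-1"},
    "uk-personal": {"eu-west-2"},
    "public": None,
}

# Constructed inventory (hypothetical resources, not real data).
INVENTORY: List[dict] = [
    {"id": "bucket-customer-eu", "region": "eu-central-1", "classification": "eu-personal"},
    {"id": "db-crm-eu", "region": "eu-west-1", "classification": "eu-personal"},
    {"id": "bucket-crm-backup", "region": "us-east-1", "classification": "eu-personal"},
    {"id": "db-uk-hr", "region": "eu-west-2", "classification": "uk-personal"},
    {"id": "log-archive-uk", "region": "eu-west-1", "classification": "uk-personal"},
    {"id": "cdn-assets", "region": "us-west-2", "classification": "public"},
    {"id": "bucket-unlabelled", "region": "ap-southeast-1", "classification": None},
]

# Services with no region of their own; a policy that denies by region must
# exempt them or it blocks IAM and console sign-in. Assumed list; tailor it.
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*", "support:*"]


def find_residency_violations(inventory: List[dict], policy=REGION_POLICY) -> List[Tuple[str, str]]:
    """Return (resource id, reason) for every resource that cannot be shown compliant.

    Unclassified resources are reported too: if you do not know what a store
    holds, you cannot show where it is allowed to be.
    """
    violations: List[Tuple[str, str]] = []
    for res in inventory:
        cls = res.get("classification")
        if cls is None or cls not in policy:
            violations.append((res["id"], "unclassified resource; residency cannot be verified"))
            continue
        allowed = policy[cls]
        if allowed is not None and res["region"] not in allowed:
            violations.append((res["id"], f"{cls} data in {res['region']}; allowed: {sorted(allowed)}"))
    return violations


def build_region_scp(allowed_regions: Set[str], sid: str = "DenyOutsidePermittedRegions") -> dict:
    """Preventive control: an AWS Organizations service control policy that denies
    every regional API call outside allowed_regions, using the documented
    aws:RequestedRegion condition key. Global services are exempted via NotAction."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICES,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": sorted(allowed_regions)}},
        }],
    }


if __name__ == "__main__":
    for rid, why in find_residency_violations(INVENTORY):
        print(f"VIOLATION {rid}: {why}")
    print(json.dumps(build_region_scp(REGION_POLICY["eu-personal"]), indent=2))
```

Run against the constructed inventory, the detective check flags the EU backup sitting in us-east-1, the UK log archive in an EU-only region, and the bucket nobody classified. The deny policy is the cheaper control: applied at the organization level it makes the first two cases impossible rather than merely visible, but it cannot help with the third, which is why the inventory check treats a missing classification as a finding in its own right.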
Visibility and Control
You cannot protect what you don’t know you have. However, the cloud is a far more complex environment with many moving parts, and resources are created and destroyed continuously. This makes it hard to keep an accurate inventory of the data you need to protect, and therefore to maintain visibility and control over it.
Furthermore, this complexity makes it more difficult to assess the risk to your data so you can formulate an informed strategy to suitably protect it.
Different Approach to Security
Most compliance requirements for security are very general in nature and merely state you should take appropriate technical and organizational measures to protect personal data.
But security tools built for static environments, with fixed hosts and stable IP address ranges, adapt poorly to the cloud, where IP addresses frequently change and resources are routinely launched and shut down. You’ll therefore need security solutions designed for cloud-based infrastructure, which identify workloads by identity and tags rather than by address. This means a different approach to security, with more focus on configuration management and the protection of individual workloads.
Shared Responsibility Model
When you host workloads in the cloud, you offload some of the responsibility for security to your cloud provider. However, it’s important to understand where the cloud vendor’s responsibility ends and yours begins.
That’s why each of the leading cloud service providers publishes a set of guidelines, known as the shared responsibility model, which clarifies each party’s responsibilities.
For example, the vendor’s responsibilities include the security of its physical data centers, hardware and hypervisors, while those of customers include their guest operating systems, their own software and configuration of their networks.
In much the same way you share responsibility for security, you also share responsibility for compliance, and the dividing line is the same. In other words, the cloud vendor is responsible for compliance of the infrastructure and services it provides and you’re responsible for the compliance of your deployments on the vendor’s platform. Two caveats apply. The line moves with the service model: a managed database or SaaS application shifts more of the work to the vendor than a bare virtual machine does. Accountability, however, does not move at all: under most regimes, including the GDPR, you remain answerable to the regulator and to the individual for what happens to the data, whoever operates the infrastructure.
Cloud Compliance Best Practices
There are a host of different best practices you can follow to help meet regulatory requirements, but the following are particularly beneficial to achieving compliance in the cloud:
- Encryption: You should start by protecting the very data that’s at risk by encrypting it both at rest and in transit. However, your data is only as secure as the keys you use to encrypt it. So you’ll also need good key management practice: keep keys in the provider’s key management service or an HSM rather than alongside the data, separate the people who administer keys from those who use them, rotate keys, and log every use so that access to the data is itself auditable.
- Privacy by default: Privacy should be automatically baked into system design and processing activities. This will make the task of complying with any data protection regulation or standard significantly easier.
- Principle of least privilege: You should grant users access to only the data and resources they actually need to carry out their duties. This will significantly reduce the risk of compromise by both internal and external threat actors. It will also help demonstrate you take appropriate measures to meet compliance requirements.
- Zero Trust: You should enforce strict authentication, authorization and monitoring of all users, endpoints and applications that access your network on a never trust and always verify basis.
- Well-architected frameworks: You can leverage modular frameworks, published by leading cloud vendors such as AWS, Microsoft Azure and Google Cloud Platform, which take customers through a set of guiding principles on how to build resilient, secure and highly optimized workloads on their platforms.
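The least-privilege bullet above is easy to state and hard to keep true, because roles accumulate permissions that nobody ever removes. One practical way to demonstrate the principle to an assessor is to compare what a role is allowed to do with what it has actually done over an observation window, and to propose a policy containing only the latter. The following is an added example, not code from the article or from any cloud provider; the granted actions, the CloudTrail-style events and the event-name-to-action mapping are constructed assumptions, and in practice you would take the role’s real policy and a representative window of its audit events.

```python
"""Least-privilege right-sizing from observed usage (added example; not from the
article). GRANTED_ACTIONS, OBSERVED_EVENTS and EVENT_TO_ACTION are constructed
assumptions for illustration."""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Set, Tuple

# Constructed: what a hypothetical deployment role is currently allowed to do.
GRANTED_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "dynamodb:*", "kms:Decrypt", "iam:PassRole",
]

# Constructed CloudTrail-style events for that role (eventSource, eventName).
OBSERVED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "Query"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt"},
]

# Logged event names do not always equal IAM action names (listing a bucket is
# logged as ListObjects but authorized by s3:ListBucket). Partial mapping,
# assumed for the example; extend it from your own logs.
EVENT_TO_ACTION: Dict[str, str] = {
    "s3:ListObjects": "s3:ListBucket",
    "s3:ListObjectsV2": "s3:ListBucket",
}


def observed_actions(events: Iterable[dict]) -> Set[str]:
    """Translate audit events into IAM action names such as s3:GetObject."""
    actions: Set[str] = set()
    for e in events:
        service = e["eventSource"].split(".")[0]
        raw = f"{service}:{e['eventName']}"
        actions.add(EVENT_TO_ACTION.get(raw, raw))
    return actions


def right_size(granted: List[str], events: Iterable[dict]) -> Tuple[List[str], List[str]]:
    """Return (actions to keep, grants never used).

    A wildcard grant that saw use (dynamodb:*) is narrowed to the concrete
    actions observed; a grant that saw no use is reported for removal.
    IAM's * and ? wildcards map directly onto fnmatchcase (case-sensitive).
    """
    used = observed_actions(events)
    keep: Set[str] = set()
    unused: List[str] = []
    for grant in granted:
        matched = {a for a in used if fnmatchcase(a, grant)}
        if matched:
            keep |= matched
        else:
            unused.append(grant)
    return sorted(keep), unused


def minimized_policy(granted: List[str], events: Iterable[dict], resource: str = "*") -> dict:
    """IAM policy document containing only the actions that were actually used."""
    actions, _ = right_size(granted, events)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}],
    }


if __name__ == "__main__":
    keep, unused = right_size(GRANTED_ACTIONS, OBSERVED_EVENTS)
    print("keep:", keep)
    print("never used, candidates for removal:", unused)
```

On the constructed data the role keeps five concrete actions, loses the write and delete permissions it never exercised along with iam:PassRole, and has its dynamodb:* wildcard narrowed to GetItem and Query. Treat the output as a proposal for review rather than a change to apply blindly: the observation window must be long enough to catch rare but legitimate activity such as month-end jobs or disaster-recovery drills, and the Resource field, left as "*" here, deserves the same narrowing as the action list.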
Above and Beyond Compliance
A switch to the cloud also necessitates a switch in approach to both security and compliance. But it’s important to remember that the two disciplines are not one and the same.
Compliance is often far wider in scope, covering matters such as the rights of individuals and the way you handle their personal information. This has implications when you process and store their data in the cloud.
At the same time, compliance is simply a box-ticking exercise to ensure you meet the baseline requirements of regulations and standards. And this doesn’t guarantee you’re sufficiently protected against the security risks your organization faces.
That’s why security should go beyond compliance, by focusing not only on what assessment programs require but also on what your organization actually needs.
Because, if you don’t, you can still be vulnerable to attack, and the consequences can be huge: from operational disruption and substantial financial losses to lasting damage to your business reputation.