What Is Cloud Security Compliance?
As cloud adoption grows, cloud platforms, services, and cloud-hosted workloads are expected to comply with a growing number of international, state-level, and local regulations, as well as industry standards. Failure to comply with these rules may result in legal problems, penalties, fines and other adverse consequences for cloud users.
As the threat landscape becomes more sophisticated, cloud compliance and security are growing in importance. Cloud security compliance management is a set of practices and technologies that can ensure organizations comply with regulatory requirements, standards, and internal policies in the cloud, and maintain auditability of their cloud environments.
In this article:
- The Shared Responsibility of Cloud Security and Compliance
- 5 Cloud Compliance and Security Frameworks
- 4 Cloud Security Compliance Best Practices
The Shared Responsibility of Cloud Security and Compliance
Cloud service providers are vested in securing their cloud environment for customers, but they cannot control how organizations use their services. Cloud customers often assume that the CSP is solely responsible for security—thus, they fail to implement strong policies and access controls.
Organizations must understand their part in securing cloud environments, especially if they store or process sensitive data in the cloud. Cloud security vulnerabilities are often the result of poor practices and configurations. The level of responsibility for cloud security depends on the type of cloud service—public, private, and hybrid cloud deployments have different security needs.
The customer is sometimes responsible for securing operating systems, applications, and network traffic. Regardless of the cloud computing category, customers must always ensure the security of their access and data. Knowing what data resides in the cloud, who can access it, and what internal protections are in effect is crucial. Organizations must also understand the CSP’s obligations and the limits of their security responsibilities.
Likewise, the cloud provider is not solely responsible for ensuring data compliance. CSPs try to ensure their platforms and services are compliant, but customers must ensure the compliance of their stored applications, data, and third-party services.
Complying with security regulations generally requires continuous monitoring, regular testing, and periodic auditing of cloud operations. Businesses must understand their role in maintaining regulatory compliance in the cloud, including how industry standards and government regulations impact their cloud processes and data.
Related content: Read our guide to IaaS security (coming soon)
5 Cloud Compliance and Security Frameworks
Organizations with sensitive data in the cloud should adhere to the relevant cloud security and compliance regulations and standards.
Cloud Security Alliance Controls Matrix
These security controls from the Cloud Security Alliance help security providers boost their security environments and simplify audits. The Controls Matrix also helps customers evaluate CSPs’ security posture. The Alliance’s STAR certification program verifies providers’ cloud security levels with exceptionally high standards. STAR also documents the top cloud providers’ privacy and security control offerings.
Any organization working with the US federal government must meet these cloud data protection regulations. Achieving FedRAMP compliance is often a long, arduous process. Organizations must submit a system security plan detailing their controls for evaluation and approval.
National Institute of Standards and Technology (NIST)
NIST standards are primarily for governmental agencies, but many private industries apply them too:
- NIST SP 500-291 (2011)—compiles available cloud computing standards and identifies gaps.
- NIST SP 500-293 (2014)—provides a detailed cloud infrastructure security framework for government use.
- NIST SP 800-53 Rev. 5 (2020)—a commonly used information system security standard, also relevant to cloud environments.
- NIST SP-800-210 (2020)—details cloud security and access controls, providing guidance to help secure Paas and IaaS services.
International Organization for Standardization (ISO)
ISO standards address security for various technologies and systems, including several cloud security standards:
- ISO/IEC 27001:2013—a framework for building IT security management systems for cloud and other applications. It also offers guidance for auditing cloud security.
- ISO/IEC 27002: 2013—details best practices to help implement the security controls in the ISO 27001 standard.
- ISO/IEC Technical Report 22678:2019—provides cloud policy guidelines.
Well-Architected Cloud Frameworks
Well-architected frameworks offer best practice guidance for building cloud environments. Examples include:
- AWS Well-Architected Framework—helps AWS architects design applications and workloads for Amazon’s cloud infrastructure. It provides a checklist for evaluating cloud architectures based on the key principles of reliability, security, performance, cost optimization, and operational excellence.
- Google Cloud Architected Framework—helps cloud architects construct and enhance Google Cloud offerings.
- Azure Architecture Framework—guides cloud architects working with Microsoft Azure. It helps maximize workloads, protect data, and ensure recovery during failures.
4 Cloud Security Compliance Best Practices
Assess the Risk of Information Stored in the Cloud
Before deciding to use a cloud service and migrate data or workloads to the cloud, an organization must decide what information it can safely migrate.
If your assessment uncovers unacceptable risks, consider a hybrid cloud approach. This allows you to continue running sensitive or risky processes in a private cloud or on-premises physical servers. Data and workloads that do not introduce unacceptable risk can be moved to the cloud, integrating with on-premises resources across secure channels.
Develop Policies for Sharing Information to the Cloud
Once you have identified data or workloads that can be mitigated to the cloud, you need to start managing the associated risks.
Establishing a policy lets you select the cloud provider, cloud service, deployment model, and application that suits your requirements. Perform careful due diligence of your cloud provider and service providers such as SaaS vendors, to understand the security practices and internal controls they will apply to your information.
Review Cloud Service Provider’s Security Policies and Procedures
The ISO/IEC 27017 and ISO/IEC 27018 standards cover information security practices for cloud services. Due diligence on security policy and procedure typically means reviewing cloud service providers for ISO/IEC 27017 certification, and if you intend to store personally identifiable information (PII) in the cloud, check compliance with ISO/IEC27018 as well.
In addition, you can use the following guidelines to evaluate cloud provider security:
- Guidelines shared by the Cloud Standards Customer Council (CSCC).
- Prefer cloud providers who conform to ISO/IEC 27001 and 27002 (even though these are not cloud-specific standards).
- Review policies and processes such as log retention policies, privileged access policies, and change management processes.
Backup and Encrypt Your Data
Cloud storage is a fast, portable way to manage organizational data. However, it also requires access controls and robust ways to back up the data. Most cloud providers offer replication and high availability for data, and these settings need to be configured at a level suitable for your data protection obligations.
Data encryption is one of the key protections against cybersecurity threats. However, relying solely on vendors in a cloud world can be risky. It doesn’t make sense to use a provider’s encryption if you believe the cloud provider could be compelled to grant access to your data by a foreign nation state or other considerations. Managing your own keys is typically the best approach.