As cloud adoption grows, cloud platforms, services, and cloud-hosted workloads are expected to comply with a growing number of international, state-level, and local regulations, as well as industry standards. Failure to comply with these rules may result in legal problems, penalties, fines and other adverse consequences for cloud users.
As the threat landscape becomes more sophisticated, cloud compliance and security are growing in importance. Cloud security compliance management is a set of practices and technologies that can ensure organizations comply with regulatory requirements, standards, and internal policies in the cloud, and maintain auditability of their cloud environments.
Cloud service providers are vested in securing their cloud environment for customers, but they cannot control how organizations use their services. Cloud customers often assume that the CSP is solely responsible for security—thus, they fail to implement strong policies and access controls.
Organizations must understand their part in securing cloud environments, especially if they store or process sensitive data in the cloud. Cloud security incidents are far more often the result of poor practices and misconfigurations on the customer side than of a flaw in the provider's platform. How responsibility is divided depends on the service model: in IaaS the customer secures everything from the guest operating system upward, in PaaS the application and its data, and in SaaS mainly identities, access and data. Public, private, and hybrid deployments add their own differences in who operates the underlying infrastructure.
Whatever the model, the customer always owns the security of its identities, access and data. Knowing what data resides in the cloud, who can access it, and what internal protections are in effect is crucial. Organizations must also understand the CSP's obligations and where the provider's responsibility ends; a practical check is to map every control you rely on to either a clause in the provider's documented responsibility or a configuration you own.
Likewise, the cloud provider is not solely responsible for ensuring data compliance. CSPs try to ensure their platforms and services are compliant, but customers must ensure the compliance of their stored applications, data, and third-party services.
Complying with security regulations generally requires continuous monitoring, regular testing, and periodic auditing of cloud operations. Businesses must understand their role in maintaining regulatory compliance in the cloud, including how industry standards and government regulations impact their cloud processes and data.
Organizations with sensitive data in the cloud should adhere to the relevant cloud security and compliance regulations and standards.
The Cloud Security Alliance's Cloud Controls Matrix (CCM) is a catalogue of cloud-specific security controls that providers use to structure their security programs and simplify audits, and that customers can use to evaluate a CSP's security posture. The Alliance's STAR program records providers' assurance against the CCM, from a published self-assessment up to third-party certification or attestation, and documents the privacy and security controls the top cloud providers offer.
Any cloud service offering used by the US federal government must meet FedRAMP (Federal Risk and Authorization Management Program) requirements, which standardize the security assessment and authorization of federal cloud use. Achieving a FedRAMP authorization is often a long, arduous process: the organization must document its controls in a System Security Plan (SSP) and have them assessed and approved before the service can be authorized.
NIST standards are primarily for governmental agencies, but many private industries apply them too:
ISO standards address security for various technologies and systems, including several cloud security standards:
Well-architected frameworks offer best practice guidance for building cloud environments. Examples include:
Before deciding to use a cloud service and migrate data or workloads to the cloud, an organization must decide what information it can safely migrate.
If your assessment uncovers unacceptable risks, consider a hybrid cloud approach. This allows you to continue running sensitive or risky processes in a private cloud or on-premises physical servers. Data and workloads that do not introduce unacceptable risk can be moved to the cloud, integrating with on-premises resources across secure channels.
Once you have identified the data or workloads that can be migrated to the cloud, you need to start managing the associated risks.
Establishing a policy lets you select the cloud provider, cloud service, deployment model, and application that suits your requirements. Perform careful due diligence of your cloud provider and service providers such as SaaS vendors, to understand the security practices and internal controls they will apply to your information.
ISO/IEC 27017 and ISO/IEC 27018 are codes of practice that extend ISO/IEC 27001 with cloud-specific controls: 27017 for information security in cloud services, 27018 for the protection of personally identifiable information (PII) in public clouds. Due diligence on security policy and procedure typically means confirming that a provider's ISO/IEC 27001 certificate covers the services you will use and includes the ISO/IEC 27017 controls in its scope, and, if you intend to store PII in the cloud, that ISO/IEC 27018 is covered as well.
In addition, you can use the following guidelines to evaluate cloud provider security:
Cloud storage is a fast, portable way to manage organizational data. However, it also requires access controls and robust ways to back up the data. Most cloud providers offer replication and high availability for data, and these settings need to be configured at a level suitable for your data protection obligations.
Data encryption is one of the key protections against cybersecurity threats, but who holds the keys determines what it actually protects against. Provider-managed encryption defends against lost disks and some insider access, yet the provider can still decrypt your data, so it does nothing if the provider could be compelled to hand over access by a foreign nation state or a court order. If that is in your threat model, keep the keys under your own control: either customer-managed keys in the provider's KMS, or, for the strongest separation, client-side encryption with keys that never leave your environment, so the provider stores only ciphertext it cannot read. The caveat is that this also moves key availability, rotation and backup onto you; a lost key means lost data, and a badly protected key means the encryption is worthless.
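Managing your own keys concretely means envelope encryption on the client side: each object is encrypted with a fresh data encryption key (DEK), the DEK is wrapped with a key encryption key (KEK) that stays with the customer, and only the ciphertext plus the wrapped DEK is uploaded. The following is an added example, not code from the original article or from any provider SDK; it uses only the Go standard library, and the KEK source, the object identifier and the sample record are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the cloud provider: the object
// ciphertext, the data key wrapped under the customer-held KEK, and the
// nonces. The KEK and the plaintext data key never leave the customer.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted with the KEK (AES-256-GCM)
	WrapNonce  []byte
	Ciphertext []byte // object encrypted with the DEK (AES-256-GCM)
	DataNonce  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is
// authenticated but not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt performs client-side envelope encryption. kek is a 32-byte key the
// customer keeps outside the provider (HSM, on-prem KMS); objectID is bound
// as associated data so an envelope cannot be replayed under another name.
func Encrypt(kek, plaintext []byte, objectID string) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(objectID)
	dataNonce, ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, WrapNonce: wrapNonce, Ciphertext: ct, DataNonce: dataNonce}, nil
}

// Decrypt unwraps the DEK with the KEK and then decrypts the object. Anyone
// holding the envelope without the KEK, the provider included, gets nothing.
func Decrypt(kek []byte, env *Envelope, objectID string) ([]byte, error) {
	aad := []byte(objectID)
	dek, err := open(kek, env.WrapNonce, env.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered envelope")
	}
	return open(dek, env.DataNonce, env.Ciphertext, aad)
}

func main() {
	// Constructed sample: a customer-held KEK and a record destined for cloud storage.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("patient=4711;dob=1980-02-29;diagnosis=redacted")
	env, err := Encrypt(kek, record, "records/4711.json")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d ciphertext bytes, %d wrapped-key bytes\n",
		len(env.Ciphertext), len(env.WrappedDEK))
	got, err := Decrypt(kek, env, "records/4711.json")
	if err != nil || !bytes.Equal(got, record) {
		panic("round trip failed")
	}
	// A party with the envelope but a different KEK (a compelled provider) cannot decrypt.
	otherKEK := make([]byte, 32)
	_, err = Decrypt(otherKEK, env, "records/4711.json")
	fmt.Println("decrypt without the customer KEK:", err)
}
```

In a real deployment the KEK would live in an HSM or on-premises KMS and only the wrap/unwrap step would call out to it, so the DEK is still generated and used locally and the provider only ever receives the `Envelope`. Binding the object identifier as associated data is what stops an attacker who can shuffle stored objects from serving one record's ciphertext under another record's name.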