What Is Cloud Compliance?

When you store sensitive data on a third-party cloud server, it’s imperative that this third-party host is compliant with all data privacy and protection regulatory standards. Cloud hosts have specific compliance certifications and audits they must pass for cybersecurity assurance, but it’s the responsibility of the organisation to find the right provider based on the business industry cybersecurity requirements. Healthcare, financial and government agencies, for instance, must find cloud providers compliant with various industry standards. If a provider uses a non-compliant host, the business could be liable for high-cost penalties and fees after a data breach.

Multi-cloud infrastructure is not uncommon for large organisations. Organisations leverage effective, fast, affordable cloud storage, but it increases their attack surface. Much of the risk depends on the way cloud computing is integrated into the current environment. A public cloud might be open to users outside of the perimeter (e.g. customer applications or travelling employees), which makes it a target for bad actors. Hybrid cloud infrastructure combines a private cloud and a public cloud, so this setup also has its own security risks that must be mitigated.

A cloud provider will list compliance assurances in its service-level agreement (SLA), but it’s up to the business to audit providers and ensure the data transferred to third-party solutions is safe. The requirements you must follow depend on the infrastructure you plan to leverage. If you only plan to work with cloud storage, then the provider must have security in place to protect from data disclosure. However, working with Infrastructure as a Service (IaaS) ingrains cloud resources into everyday procedures, so there must be the right access management, monitoring and intrusion detection.

Most regulatory standards have penalties for organisations found negligent after a security breach. For instance, HIPAA violations cost organisations anywhere from $100 to $50,000 per violation (per record), depending on an auditor’s analysis during forensics investigations. PCI-DSS, which oversees merchant transactions (e.g. credit card payments online), fines corporations anywhere from $5000 to $100,000 per month until the merchant remedies all violations.

The main challenge for many organisations is that there is no expert on staff who can guide them towards proper cloud compliance. The first step is to understand which cloud compliance standard covers the data that you store or will be transferring to a cloud host. There are several to consider, but here are a few of the most common:

• Sarbanes-Oxley (SOX): Focuses on the methods organisations use to store and log business transactions and financial records.
• CAN-SPAM Act: For any organisation that wants to send marketing emails, this act will determine the way opt-in and opt-out options function and who can receive unsolicited emails.
• Health Insurance Portability and Accountability Act (HIPAA): Focuses on sensitive medical and healthcare data and the way it’s stored, accessed, and monitored.
• Payment Card Industry Data Security Standard (PCI-DSS): Oversees merchants and sites that deal with credit card and banking payments.
• Federal Information Security Management Act (FISMA): Requires financial and government entities to develop, document and deploy information security to protect sensitive customer data.

After identifying data and the compliance standards relevant to your business, the next step is to determine the way data will be stored, transferred, displayed and archived. One key aspect of every compliance standard is monitoring is required for any system. An audit trail is also essential to determine who and when data was accessed. For instance, every time a user accesses a financial or healthcare record, the user’s account name, the data accessed, the IP address of the device used, and the time at which it was accessed should be logged as an audit trail.

The right cloud computing provider has every information security feature necessary for cloud compliance. Most cloud providers have a shared responsibility, which means that the provider promises to keep infrastructure secure and offers the right security tools but it’s the responsibility of the customer to configure and secure their data.

Cloud providers have their own compliance standards that they must follow, but organisations must search for a provider that offers the right tools. These tools allow you to implement the right information security, storage standards, monitoring features and logging structure that follows compliance standards.

Identity and Access Management

Access to data should follow the principle of least privilege, but you still need a way to manage user access. User access should be granted and revoked as needed including physical access to data. Physical and virtual access are equally important. A cloud provider will have physical security controls, but it’s the responsibility of the organisation to properly manage permissions and data access using cloud controls. These controls should log every time a user authenticates into the system, accesses data, and fails to authenticate.

Monitoring and Notifications

Every compliant cloud provider has provisions in place for monitoring network traffic. Sensitive data accessed too many times or with several failed access requests should raise an alert sent to an administrator who can review and analyse the issue. In large enterprise environments, several components might interact. These components would also need to be monitored as a potential attack vector during a data breach.

Intrusion Detection and Prevention

In advanced persistent threats, attackers maintain access to infrastructure for months. It takes only a few minutes for an attacker to exfiltrate data, so having months to compromise various systems can be devastating to the organisation. Intrusion detection and prevention stops breaches before they occur.

It isn’t enough to just have these systems in place. You can have every necessary information security component available and configured, but how do you know they are effective against a real-world attack? The organisation should penetration test using automated and manual testing to ensure that security features are properly configured and implemented. Software should be penetration tested to avoid compromise from internal applications vulnerabilities.

A good cloud provider has multiple data centres across the globe for reliability and integrity. The physical location of these data centres and where your data is stored is another factor in compliance, but data centres should also be located close to the organisation’s main client base and where employees work. Geolocation closest to most users will improve speed for those users.

Having multiple data centres also offers better reliability, and many cloud providers offer 100% uptime due to the multiple failover controls across data centres. Even with reliability and stability offered by cloud providers, data corruption and security flaws could require disaster recovery. A disaster recovery plan lays out every step during a disaster so that recovery can be performed smoothly and as quickly as possible with little data lost. Disaster recovery plans are required in some cloud compliance standards.

Finally, encryption should be one of the main security factors in data transfers and storage. Depending on the data stored, storage devices must be encrypted. Data transfer across the network should always be encrypted to avoid man-in-the-middle (MitM) attacks and compromise. Passwords, secrets, access tokens, API keys, and any private data providing access to the system should also be encrypted. Avoid storing this data in unencrypted files in application directories and codebase repositories.

A provider’s Service Level Agreement (SLA) will detail all coverage and assurance offered to customers, but when you need specific protections it’s best to contact a provider and ask if they offer specific security features. Remember that providers have a shared responsibility with your organisation, so providers give you the tools and reliability, but proper configuration is the responsibility of the organisation’s IT staff.

After you’ve deployed all resources, always penetration test security components using manual and automated tools. This will ensure that your data is protected from common and complex exploits. With monitoring, an attacker with unauthorised access should be detected and a notification sent to administrators.