How to maintain security compliance in the cloud

Andrew Nielsen, Chief Trust Officer, Druva

Compliance is one of the main reasons why many organizations hesitate to fully engage in a cloud-first strategy. However, a clear understanding of how compliance can be achieved in the cloud enables companies to capitalize on the business agility and growth that the public cloud provides. With a complete understanding of how compliance can be attained in the public cloud, even the most heterogeneous organization can operate in an ever-changing regulatory environment.

Cloud security and compliance challenges

It is virtually impossible not to talk about security when addressing compliance requirements, since the controls necessary to achieve compliance are usually implemented as security controls. That said, there are three primary security challenges that affect the success of compliance efforts, whether on-premises or in the cloud, that organizations should be aware of:

  • Operational consistency: When it comes to operations, inconsistency equates to inefficiency. Whether you are manufacturing, importing, retailing, or providing a service, the more you standardize basic operations, the better. As organizations move to the cloud, the effective operational security and compliance functions that existed on-premises must be applied to respective cloud services. From a compliance perspective, the more that organizations drive consistency of operations, the easier it is to respond to audit requests and enforce security.
  • Advanced threats: Cyber threats against data are a relentless source of sophisticated exploits and zero-day attacks aimed at stealing your organization’s information. Threat actors use a mix of methods to compromise systems and infrastructure for political and financial gain, while other, less sophisticated attackers are looking to make a quick score and move on to the next victim. With an increasingly mobile workforce, it has become easier to attack organizations when their edge systems are attached to insecure networks outside their sphere of control. One of the most common attack vectors is ransomware, which has become a $1 billion-a-year industry, according to recent studies.
  • Information visibility: Historically, it was simple to know where data lived: in the data center. That’s no longer true. With the proliferation of mobile devices—now defined as edge computing—and the increasing use of cloud-based applications and services, critical corporate information is more dispersed than ever. With additional regulatory requirements involving global data residency, getting a single view of your data is more challenging than ever.

Compliance as shared responsibility in the cloud

Many organizations make the mistake of assuming that once data is sent to the cloud, all security responsibility shifts entirely to the cloud provider. This is simply not the case.

Responsibility for data security and compliance in the cloud is shared between multiple parties. It is true that the higher up the “cloud stack” an organization buys into, the more security compliance functionality is built in.

In the case of a SaaS application provider, for instance, that vendor will offer a variety of additional security and compliance features built on top of the security of the infrastructure and platform providers. However, in this shared-responsibility framework, it is still up to the customer to implement and use those security and compliance features to ensure that its existing on-premises security policies extend to the cloud.

Fourth-party risk

Compliance audits are valuable not only for the scrutiny they provide but also because they allow organizations to measure fourth-party risk, the risk introduced by the suppliers of their own suppliers. Consumers of cloud services should therefore expect their primary providers to adhere to general and industry-specific compliance frameworks, audits, and attestations.

As customers evaluate cloud service providers, it is important to understand the demarcation lines that define who is responsible for securing which part of the cloud. An easy way to think about it is as follows:

  • Customers: Responsible for implementing security in the cloud application.
  • SaaS providers: Responsible for security in the cloud.
  • Cloud service providers: Responsible for the security of the cloud.

This model represents a shift in organizational mindset for customers who operate traditional, on-premises environments, where they are responsible for all security aspects. As organizations consider and evaluate various cloud service offerings, it is essential to understand the delineations of shared responsibility in the cloud.