Cloud Compliance is more complicated than you think
The dynamics of cloud infrastructure are changing rapidly in response to the increasing number of security threats that data in the cloud is subjected to. Until recently, most cloud service providers were focused on data storage. With the increasing attacks on enterprise data, government and industry regulations have become stringent, and compliance has become mandatory rather than a value-add. Hence both organizations and Cloud Service Providers alike are shifting their focus from data storage to data security and compliance.
Managing cloud compliance is a continuous process that requires extensive planning for cloud-based risk treatments, notifications, reports and automated responses to maintain security and compliance, as well as modernizing infrastructure governance at scale to mitigate risks.
With constant updates to the governmental and industry-wide regulations governing the storage of data in the cloud, maintaining compliance is a demanding task. Hence, we have segmented cloud compliance requirements into four key components that simplify the process of adhering to compliance requirements in the cloud.
Awareness of Regulations and Guidelines
The biggest challenge in cloud compliance is keeping up to speed with ever-changing compliance requirements at various levels – industry, region or country – for data use, storage and operations. Major compliance requirements include HIPAA, PCI DSS, GLBA and the upcoming GDPR (for the EU).
Most CSPs now have dedicated teams working towards ensuring compliance for their clients. Businesses stand to benefit by leveraging the services provided by the CSP for managing compliance, handling audits and generating reports. Hence, compliance now becomes a critical factor when choosing a CSP, since the CSP needs to adhere to the same set of standards required of the business, maintain documentation and be accountable in case of audits.
Access Control Protocols
Organizations typically assume that having an authentication protocol in place alleviates their compliance concerns. For example, organizations that rely on single sign-on alone often accept the risk of leaving their doors open to attackers for the sake of convenience.
However, with stricter regulations being enforced, they increasingly need to adopt modern authentication systems such as multi-factor authentication and the Zero Trust security model to accommodate individuals’ personal preferences while avoiding potential security risks. Multi-factor authentication ensures that, in addition to valid login credentials, users need to enter verification codes sent to their phone or email. This additional step ensures that only authorized users can access sensitive data.
Data Classification and Storage
With cloud architectures, organizations often lose control of their data because it no longer resides exclusively within the company’s walls – it can be stored anywhere. Changes in location add more complexity, owing to differences in data privacy legislation between countries.
Businesses need to understand how their CSP addresses compliance requirements around data availability and data sovereignty. CSPs need to provide detailed documentation that helps prove the exact location of the business’s data, as well as the data security measures in place, in case of an audit.
The next step is to classify which data remains on the internal network and which can be moved to the cloud. Confidential and sensitive information should remain within the confines of the company’s network or a private cloud, for both compliance and security reasons.
Should a requirement arise after classification for some data to be stored in the cloud, it is imperative that the company encrypt the data, both to protect it from compromise and to adhere to compliance requirements. Companies may use encryption services provided by CSPs or opt for third-party encryption options.
The key point to note is that companies remain responsible for protecting their data both in transit and at rest. They need to understand how data is being stored and which encryption protocols work well with which data types, and adopt appropriate security measures such as identity and access management, risk-based authentication and security intelligence to mitigate data security risks.
With the increasing number of attacks, compliance, audit and assurance are necessary to ensure the safety and confidentiality of sensitive data. Whether the data is hosted on a private or public cloud, companies are always accountable for ensuring cloud compliance. Hence it cannot be treated as an afterthought.
The majority of cloud service providers have begun to understand that compliance is a signal companies use to choose a provider, and hence they are continually looking at their processes to improve. It is therefore important to choose a cloud service provider that closely aligns with your compliance requirements.
October 8, 2018
September 27, 2018