With cloud services providing scalability and flexibility in the workplace, more organizations are turning to cloud based solutions making cloud security compliance more important.  However, the steps to cloud security compliance can feel amorphous in the constantly evolving information security environment. Protecting your business information assets means taking steps to review not only the cloud services provider but also the way in which your organization plans to engage with the provider’s service.

11 Steps to Cloud Security Compliance

1. Assess the Risk of the Information Shared to the Cloud

Assessing risk lies at the heart of cloud security compliance. Before deciding to use a cloud service, your organization should determine the types of information that it intends to store remotely.

Outsourcing the location of information assets means that you need to ask a series of targeted questions to analyze the consequences of a breach. Microsoft’s Technet Magazine offers the following questions to think about when assessing the risks inherent in cloud management.

You can ask a series of targeted questions around information assets along the lines of what would the consequence be if:

  • The information asset was exposed?
  • The information asset was modified by an external entity?
  • The information asset was manipulated?
  • The information asset became unavailable?

If these questions raise concerns about unacceptable risk, you might want to approach the overall problem by limiting risk-sensitive processing to a private cloud (avoiding the introduction of new risk). Use the public cloud for non-risk-sensitive data. Adopting a private cloud doesn’t obviate the need for appropriate controls.

With that in mind, you might want to consider the outcomes of:

  • By mixing outsourcing in a public cloud for non-sensitive data and reserving internal systems for sensitive data, you might gain some cost advantages without assuming new risk.
  • Where use of a private cloud would pose no new risks to your information assets, use of a hybrid or public cloud model might.
  • Switching from a traditional IT model for internal processing to a private cloud model might reduce risk.

When looking to use a cloud storage provider, you need to first determine the different types of information assets you control. Once you’ve established the information assets in your current control, you can begin to focus on the assets over which having less control would be acceptable.

2. Develop Policies Surrounding Information to be Shared to the Cloud

Creating a cloud security policy should be the second step in your cloud security compliance program. Once you have established the risks you are willing to assume, you need to make sure to place controls around these risks.

These documents do not need to be long. In fact, a thoughtful policy can be short, making it easier for staff to understand and follow the steps within the policy. Scott Hazdra writes for Network World offers an example of how to organize a policy, by suggesting five main headings: Goal\Mission Statement, Data Classification, Scope, Responsibilities, Policy. Within those headings, however, he notes that each section needs to respond to a series of questions to help control the data flow between your organization and the cloud service provider.

For example, in looking at the scope of your cloud policy, Hazdra notes,

Here you can detail acceptable cloud providers, applications, data or services that can be moved into the cloud, to whom this policy applies and what legal and contractual agreements will govern the policy. If you have an existing Acceptable Use Policy or Information Technology Policy you can communicate that those rules still apply.

Once you have a policy in place, you can more easily determine what kind of cloud application can provide the best product to fit your needs. In order to choose a cloud provider, the organization needs to understand how it wants to maintain its assets. Before hiring a cloud service provider, the organization needs to understand the internal controls it wants on the information.

3. Encrypt Data

Data encryption acts as one of the main protections against cybersecurity threats. When it comes to cloud security compliance, relying solely on your provider can prove risky. Using only the provider’s encryption may mean little if the cloud provider can be bullied into granting access or compelled to relinquish encryption keys by a foreign nation state.

Although many organizations may look to the “Bring Your Own Key” security method to protect the information, this can pose additional risks when loss or error prevents a business from decrypting its information, similarly to traditional problems with username and password safety. Matt Landrock of Crytomathic writes in Digital Forensics Magazine that what he calls  ‘Manage Your Own Keys’ (MYOK™) can provide some answers in the encryption area.

Such systems also arm users with the capability to expand their use of encryption. Today’s large enterprises invariably use a host of different cloud models – public, private and hybrid amalgamations of the two. MYOK™ systems enable users to address them all with cryptography, creating and managing keys regardless of their required shape, form and destination. This is democratizing what has, until now, been regarded as a complex and highly technical security process.

Ensuring that your provider encrypts data may not be the best solution. This means that an organization needs to determine the best method possible for protecting sensitive data when using cloud providers.

4. Back Up Data

Cloud storage acts as a portable and speedy way to manage information. However, part of any good cloud security compliance should be controls around backing up data. Cloud storage provides accessibility and scalability only when the applications are running. In the event of an outage on the cloud application’s side, organizations investing in cloud storage need to have business continuity plans, disaster recovery plans, and backed up data.

5. Set User Authentication Protocols

Authentication protocols may be one of the most important steps in cloud security compliance. Determining the appropriate authentication protocol revolves around the organization’s informational needs. Mutual authentication protocols require that you and your cloud service provider prove your identities to one another. In the April 2016 International Journal of Computer Trends and Technology, the article “Mutual Authentication in Cloud Computing – A Review” lists a series of existing authentication protocols.

Secret sharing means that both sides of the partnership have information to complete the authentication. This can help protect against man in the middle attacks, replay attacks, and denial of service attacks.

Smart cards and passwords require that the user have a card as well as a password to access the server and is better for resisting offline guessing attacks.

Elliptic curve cryptography consists of the initialization phase, user registration phase, and mutual authentication with key agreement phase. It can help protect against impersonation attacks, insider attacks, outside attacks, and attacks on mutual authentication.

Steganography has been used in cloud-based information communication systems. This authentication protocol embeds encrypted information into an image or other data piece to hide it from third parties, keeping malicious users from attacking the secret.

Setting the organization’s user authentication protocols is part of the decision to hire a cloud service provider. In addition, understanding the protocols the cloud service provider uses should be one of the reviews undertaken during the search process.

6. Review Provider’s Capabilities within the Context of these Policies

Reviewing provider capabilities means understanding the different types of cloud services offered. Cloud services offer a wide range of capabilities and understanding your needs will help choose the correct type. Cloud services are subscription based so understanding how you plan to use them and who should have access can impact the costs to your organization.

Software as a Service (SaaS) providers often use web browsers as their point of access. These are the most prevalent types of cloud services. Most people use these types of services either through Google Drive, Dropbox, or other cloud based applications.

Platform as a Service (PaaS) providers offer either a public cloud service or a private service inside a firewall. They create an environment for customers to develop, run, and manage applications without the hassle of having to manage the servers and databases.  

Infrastructure as a service (IaaS) means highly automated and scalable computing resources. IaaS services may be the most flexible model since they offer cloud server and resources through a dashboard or API. These can be thought of as “virtual data centers.” In addition, unlike the other models. IaaS clients control their infrastructure.

Based on your risk assessment and cloud security policy, you can review your cloud services needs to ensure purchasing the appropriate product.

7. Review Cloud Service Provider’s Security Policies and Procedures

ISO/IEC 27017 and ISO/IEC 27018 cover the information security code of practice for cloud services. The Cloud Standards Customer Council shares tips for customers trying to engage in cloud security compliance. They note that cloud service customers should specifically look for providers conforming to ISO/IEC 27001 and 27002 standards. Despite these not being specific to cloud computing, the principles are applicable.

Due diligence in reviewing security policies and procedures also means reviewing your cloud service provider for being ISO/IEC 27017 certified as this is not required but becoming pervasive in the industry. In the same manner, if personally identifiable information is involved, cloud service customers should look for ISO/IEC 27018 certification.

Finally, when reviewing a cloud service provider for compliance, an organization should look at the policies and process that impact security such as log retention policy, privileged access policy, and change management process, among others.

8. Review Legal Implications of Breach by Cloud Provider

The privacy and data security laws involved in cloud security compliance reviews include compelled disclosure to government entities and security issues and breach notification requirements. Despite Federal Risk and Authorization Management Program (FedRAMP) legal guidelines that apply to US Federal Agencies offering useful guidance, no official standards exist regarding cloud services.

This means that reviewing the contract you make with the service provider is important to understanding the breakdown of legal responsibilities. Some cloud service providers do not offer any transparency into their security programs making it impossible to know if they’re complying with the federal statutes and regulations.

Most of the state data breach responsibility laws focus on the data owner being responsible for notification. This role will be defined in the contract with the cloud service provider. Therefore, understanding the terms of the contract and the liability section of the contract is important when choosing the cloud service provider.

9. Confirm Ownership of Information Stored

Ownership of data falls within the purview of the cloud service contract. The ownership of data in the cloud becomes confusing when different stakeholders have access to it. Blueberry Consultants offers the following suggestions to ensure retention of data ownership.

  1. Read every term and condition from the provider to ensure they follow the examples set above.
  2. If you’re a business and are considering storing highly confidential information on the cloud, it is advisable to take legal advice before choosing a partner to ensure the legal framework surrounding the data storage is clear.
  3. Never stop backing up locally. Your stuff may be on the cloud, but if the provider goes under, you could lose everything if you don’t have a local copy.
  4. Ensure that your chosen cloud partner fully encrypts your data and uses end-to-end encryption when transmitting it.
  5. Check the location of where your data will be stored. If in a foreign country, ensure their data regulations match up with your own.

While contract language is often standardized throughout an industry, reviewing the document in detail to protect your organization and its data can be the difference in being secure or not.

10. Review Security of Mobile Versions of the Application

Information and access portability drive the use of cloud services. You want your employees to be productive no matter their location. This means that part of the cloud security compliance process needs to include a review of the mobile application’s security.

Although no current security standard exists for mobile applications, the Open Web Application Security Project (OWASP) is currently working on a security standard and comprehensive testing guide. Although noted that it plans to have a “feature complete” document in third quarter 2017, the current Mobile Security Testing Guide currently includes the following content:

  1. Mobile platform internals
  2. Security testing in the mobile app development lifecycle
  3. Basic static and dynamic security testing
  4. Mobile app reverse engineering and tampering
  5. Assessing software protections
  6. Detailed test cases that map to the requirements in the MASVS.

In addition, OWASP offers a downloadable mobile app security checklist to help navigate the review process. Using these resources can help determine the security impact of your cloud service provider’s mobile application.

11. Review Policies Surrounding Deletion of Information Stored

No one wants to keep information into perpetuity. This means that cloud security compliance needs to review the policies and processes surrounding deleting stored data. Deleting information from the cloud is related to the record retention policies your provider has in place. In the same way that data encryption matters to the safety of your information, it can also present a headache when you want the information deleted.

If the data cannot be traced due to encryption, it might be difficult to trace its deletion. However, some cloud service providers have installed encryption keys that once deleted render the information unreadable. This can provide a second control over the deletion of information. First, the information is deleted. Second, the deletion of the encryption key associated with the information means that even if the information was not deleted, the encryption makes it unreadable even to the original owner.

While cloud security compliance may seem to be a constantly moving target, reviewing your organization’s needs and service provider abilities can make this easier.

To learn how a cloud services compliance provider can help build a scalable compliance program, read our eBook “Quick Guide to Zen GRC.”