Organizations are increasingly turning to cloud-based IT solutions, which makes cloud security compliance standards more important than ever before. The steps to cloud security compliance, however, can be confusing in today’s constantly evolving cybersecurity environment. Entering into a relationship with a cloud provider can result in increased vulnerabilities, and it’s important to assure the protection of your customers’ data.
Protecting your business information assets means taking steps to review not only your cloud services provider but also how your organization plans to engage with the provider’s service. It’s critical that your company understands what regulatory compliance standards are required of you before entering into a contract with a cloud service provider.
What Are Cloud Security Standards?
There are a variety of compliance frameworks that can serve as a roadmap for security of the cloud environment, depending on a company’s industry, the size of the organization, and the country where its operations are based. These standards are designed to assure consistency and security for consumers.
ISO/IEC 27017 and ISO/IEC 27018 are standards created for the cloud environment. More specifically, they are frameworks designed for cloud computing providers to protect their clients. The first focuses primarily on security controls, the second more on privacy concerns. Certification against these standards is not legally required, but it is something to look for when selecting a cloud service provider.
What is security and compliance in cloud computing?
There are a daunting number of compliance frameworks that might apply to your company. Some are industry-based, like the requirements that HIPAA sets for healthcare organizations or that FISMA sets for government contractors. Others, like GDPR, might apply if you have customers in the European Union, or, as with PCI DSS, might depend on the volume of your credit card sales.
It’s important to remember that any regulatory requirements that apply to your organization will also flow through to your cloud service provider. Moreover, just because a cloud provider is compliant with the standards discussed above does not mean that the provider is compliant with other sets of industry standards.
Larger companies like Amazon Web Services (AWS) or Microsoft Azure will be aware of these requirements, but due diligence is necessary in all cases to make sure that the cloud providers’ controls align with government regulations applicable to you.
What are the benefits of cloud security compliance standards?
One benefit of adhering to your industry’s cloud compliance standards is that compliance will improve your cloud security. These standards are not arbitrary; they have been carefully developed to provide optimal customer data protection in the event of potential breaches.
Compliance can also have positive effects on your company’s reputation. Certification in the standards applicable to your industry can be a deciding factor in whether clients choose you or a competitor.
Finally, non-compliance can result in fines and lawsuits, as well as the cost resulting from disrupted operations. It’s in your best financial interest to assure compliance with any standards that are required of your company.
11 Steps to Cloud Security Compliance
Assess the Risk of the Information Shared to the Cloud
Assessing risk lies at the heart of network security compliance. Before deciding to use a cloud service, your organization should determine the types of information that it intends to store remotely.
If your assessment raises concerns about unacceptable risk, you might want to adopt a hybrid cloud approach and limit risk-sensitive processing to a private cloud or a physical server on premises, avoiding the introduction of new risk. Once you have identified the information assets that must stay under your direct control, you can focus on the assets for which accepting less control would be acceptable.
Develop Policies Surrounding Information to be Shared to the Cloud
Creating a cloud security policy should be the second step in your cloud security compliance program. Once you have established the risks you are willing to assume, you need to make sure to place controls around these risks.
Once you have a policy in place, you can more easily determine what kind of cloud application best fits your needs. To choose a cloud provider, the organization needs to understand how it wants to maintain its assets and, before signing with a provider, which security practices and internal controls it wants applied to its information.
Data encryption acts as one of the main protections against cybersecurity threats. In the cloud world, however, relying solely on your provider can prove risky. Using only the provider’s encryption may mean little if the cloud provider can be bullied into granting access or compelled to relinquish encryption keys by a foreign nation state.
Although many organizations may look to the “Bring Your Own Key” security method to protect the information, this can pose additional risks when loss or error prevents a business from decrypting its information, similar to traditional problems with username and password safety. Matt Landrock of Cryptomathic writes in Digital Forensics Magazine that what he calls “manage your own keys” (MYOK) can provide some answers in the encryption area.
Such systems also arm users with the capability to expand their use of encryption. Today’s large enterprises invariably use a host of different cloud models: public, private and hybrid amalgamations of the two. MYOK systems enable users to address them all with cryptography, creating and managing keys regardless of the keys’ required shape, form, and destination. This is democratizing what has, until now, been regarded as a complex and highly technical security process.
Simply confirming that your provider encrypts data may not be the best solution. An organization therefore needs to determine the best available method for protecting sensitive data when using cloud providers.
Back Up Data
Cloud storage acts as a portable and speedy way to manage information. Any good cloud arrangement, however, should have controls for backing up data. Cloud storage provides accessibility and scalability only when the applications are running. In the event of an outage on the cloud application’s side, organizations investing in cloud storage need to have business continuity plans, disaster recovery plans, and backed-up data.
Set User Authentication Protocols
Authentication protocols may be one of the most important steps in cloud security compliance. Determining the appropriate authentication protocol revolves around the organization’s informational needs. Mutual authentication protocols require that you and your cloud service provider prove your identities to one another.
“Secret sharing” here means that both sides of the partnership hold information needed to complete the authentication. This can help protect against man-in-the-middle attacks, replay attacks, and denial-of-service attacks.
Smart-card-and-password schemes require that the user have both a card and a password to access the server, and they are better at resisting offline guessing attacks.
Elliptic curve cryptography (ECC)-based authentication schemes consist of an initialization phase, a user registration phase, and a mutual authentication with key agreement phase. They can help protect against impersonation attacks, insider attacks, outside attacks, and attacks on mutual authentication.
Steganography has also been used in cloud-based information communication systems. This technique embeds encrypted information into an image or other data piece to hide it from third parties, keeping malicious users from attacking the secret.
Setting the organization’s user authentication protocols is part of the decision to hire a cloud service provider. In addition, understanding the security framework the cloud service provider uses should be mandatory during the search process.
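The mutual, shared-secret challenge-response exchange described above, as an added Go example that is not part of the original article: each side issues a fresh nonce, the other side answers with an HMAC over its role and that nonce, and answered nonces are consumed so a captured exchange cannot be replayed. The Peer type, the role strings, and the pre-shared secret are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

type Peer struct {
	Secret []byte          // pre-shared secret known to both sides
	Seen   map[string]bool // nonces already answered, so replays are refused
}

func NewPeer(secret []byte) *Peer {
	return &Peer{Secret: secret, Seen: map[string]bool{}}
}

func (p *Peer) Challenge() []byte {
	n := make([]byte, 16) // fresh 128-bit random nonce for the other side
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Respond proves the secret: HMAC-SHA256(secret, role||nonce); the role prevents reflection.
func (p *Peer) Respond(role string, nonce []byte) []byte {
	m := hmac.New(sha256.New, p.Secret)
	m.Write(append([]byte(role), nonce...))
	return m.Sum(nil)
}

// Verify compares in constant time and consumes the nonce, so a captured answer cannot be replayed.
func (p *Peer) Verify(role string, nonce, answer []byte) bool {
	if p.Seen[string(nonce)] || !hmac.Equal(p.Respond(role, nonce), answer) {
		return false
	}
	p.Seen[string(nonce)] = true
	return true
}

// MutualAuth: the customer answers the provider's challenge, then the provider answers the customer's.
func MutualAuth(customer, provider *Peer) bool {
	n1 := provider.Challenge()
	if !provider.Verify("customer", n1, customer.Respond("customer", n1)) {
		return false
	}
	n2 := customer.Challenge()
	return customer.Verify("provider", n2, provider.Respond("provider", n2))
}
```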
Review Your Cloud Service Provider’s Security Policies and Procedures
As mentioned above, ISO/IEC 27017 and ISO/IEC 27018 cover the information security code of practice for cloud services. The Cloud Standards Customer Council shares tips for customers trying to engage in cloud security compliance. It notes that cloud service customers should specifically look for providers conforming to ISO/IEC 27001 and 27002 standards. Despite these not being specific to cloud computing, the principles are applicable.
Due diligence in reviewing security policies and procedures also means checking whether your cloud service provider is ISO/IEC 27017 certified; certification is not required, but it is becoming pervasive in the industry. In the same manner, if personally identifiable information is involved, cloud service customers should look for ISO/IEC 27018 certification.
Finally, when reviewing a cloud service provider for compliance, an organization should look at the policies and processes that affect security such as log retention policy, privileged access policy, and change management process, among others.
Review Your Provider’s Capabilities within the Context of These Policies
Reviewing provider capabilities means understanding the different types of cloud infrastructure that are available. Cloud services offer a wide range of capabilities, and understanding your needs will help you choose the correct type. Cloud services are subscription-based, so understanding how you plan to use them and who should have access can affect the costs to your organization.
Software as a Service (SaaS) providers often use web browsers as their point of access. These are the most prevalent types of cloud services. Most people use these types of services through Google Drive, Dropbox, or other cloud-based applications.
Platform as a Service (PaaS) providers offer either a public cloud service or a private service inside a firewall. They create an environment for customers to develop, run, and manage applications without the hassle of having to manage the servers and databases.
Infrastructure as a Service (IaaS) means highly automated and scalable computing resources. IaaS services may be the most flexible model since they offer cloud servers and resources through a dashboard or API. These can be thought of as “virtual data centers.” In addition, unlike the other models, IaaS clients control their infrastructure.
Based on your risk assessment and cloud security policy, you can review your cloud services needs to assure that you’re purchasing the appropriate product.
Review Legal Implications of Breach by Cloud Provider
Reviewing the contract you make with the service provider is important to understanding the breakdown of legal responsibilities. Some cloud service providers don’t offer any transparency into their security programs, making it impossible to know whether they’re complying with the federal statutes and regulations.
Most state data breach responsibility laws focus on the data owner (that is, the company that collected the data in the first place) being responsible for notification. This role will be defined in the contract with the cloud service provider. Therefore, understanding the shared-responsibility terms and the liability section of your contract is important when choosing your cloud service provider.
Confirm Ownership of Information Stored
Ownership of personal data falls within the purview of the cloud service contract. The ownership of data in the cloud becomes confusing when different stakeholders have access to it. While contract language is often standardized throughout an industry, reviewing the document in detail to protect your organization and its data can be the difference in being secure or not.
Review Security of Mobile Versions of the Application
Information and access portability drive the use of cloud services. You want your employees to be productive no matter their location. This means that part of the cloud security compliance process needs to include a review of the mobile application’s security.
Although no current security standard exists for mobile applications, the Open Web Application Security Project (OWASP) is currently working on a security standard and comprehensive testing guide. In addition, OWASP offers a downloadable mobile app security checklist to help navigate the review process. Using these resources can help determine the security impact of your cloud service provider’s mobile application.
Review Policies Surrounding Deletion of Information Stored
No one wants to keep information in perpetuity. This means that cloud security compliance needs to review the policies and processes for deleting stored data. Deleting information from the cloud is related to the record retention policies your provider has in place. In the same way that data encryption matters to the safety of your information, it can also present a headache when you want the information deleted.
If the data cannot be traced because it is encrypted, it might be difficult to trace its deletion. Some cloud platforms, however, use encryption keys that, once deleted, render the information unreadable. This provides a second control over the deletion of information. First, the information is deleted. Second, the deletion of the encryption key associated with the information means that even if the information wasn’t deleted, the encryption makes it unreadable even to the original owner.
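Managing your own keys (the MYOK approach from the encryption discussion above) and the key-deletion control described here can be shown together in one added Go example that is not part of the original article: the customer encrypts each record under its own AES-256-GCM key before upload, keeps the keys itself, and “shreds” a record by deleting only its key, after which the ciphertext the provider still holds is unreadable to anyone, the owner included. The Vault type and its in-memory maps stand in for a customer-side key store and the provider's object storage; they are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must panics on errors that can only be programming mistakes here (bad key
// length, a broken crypto/rand), never on data the provider could influence.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aead returns AES-256-GCM for a 32-byte key.
func aead(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Vault models a customer that manages its own keys: each record is sealed under
// its own key before upload, and the provider only ever holds nonce||ciphertext.
type Vault struct {
	Keys  map[string][]byte // record id -> key, stays with the customer
	Store map[string][]byte // record id -> nonce||ciphertext, at the provider
}

// Put seals the record with a fresh key and nonce; only ciphertext goes out.
func (v *Vault) Put(id string, plaintext []byte) {
	key, nonce := make([]byte, 32), make([]byte, 12) // 96-bit GCM nonce
	must(rand.Read(key))
	must(rand.Read(nonce))
	v.Keys[id], v.Store[id] = key, aead(key).Seal(nonce, nonce, plaintext, nil)
}

// Get fails once the key is shredded, even though the provider still holds the ciphertext.
func (v *Vault) Get(id string) ([]byte, error) {
	key, ok := v.Keys[id]
	if !ok {
		return nil, errors.New("key deleted: record is unrecoverable")
	}
	ct := v.Store[id]
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}

// Shred deletes only the key; nobody, the owner included, can read the record again.
func (v *Vault) Shred(id string) { delete(v.Keys, id) }
```

Because GCM authenticates the ciphertext, Get also fails if the provider-held bytes are altered, so tampering and shredding are both surfaced as errors rather than as garbage plaintext.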
While cloud security compliance may seem to be a constantly moving target, ZenGRC can help. Our integrated software provides automation that helps you track your compliance requirements and efficiently assign responsibilities throughout your company, ensuring that every step is accounted for. Schedule a demo today to learn how ZenGRC can help streamline your company’s compliance efforts.