Last updated on May 17th, 2023 at 12:57pm
The cloud promises unprecedented speed, agility, and flexibility for businesses; however, storing, processing, and otherwise transmitting sensitive data through a third party, such as a cloud service provider (CSP), comes with numerous inherent risks. Here are some challenges to consider when it comes to operating with your data in the cloud:
The public cloud can have a larger attack surface, increasing the likelihood of breaches.
Cloud services introduce multiple challenges to traditional identity and access management (IAM) practices.
In the cloud, there is a shared responsibility for compliance.
There is a lack of visibility and control of your data. For example, are activities/changes in cloud-based systems logged?
What Is Cloud Compliance?
Cloud compliance is the practice of ensuring that cloud environments comply with the required regulatory frameworks and compliance standards of the industries and customers they support.
For example, you or your customers may have to comply with regulations around data protection, such as HIPAA, PCI DSS, SOC2, ISO 27001, NIST, FedRAMP, and more. Cloud compliance is about how to satisfy and maintain those requirements despite the changing needs of the business, environment, or the standards themselves.
Who is responsible for compliance in the cloud?
Compliance in the public cloud is a shared responsibility between the customer and the cloud service provider. AWS, Microsoft Azure, and Google Cloud have shared responsibility models that delineate what each party is responsible for as it pertains to cloud compliance. AWS states
“This shared model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.”
An easy way to differentiate between who is responsible for compliance in the cloud is that the CSP is usually responsible for the “security of the cloud” while the customer is responsible for “security in the cloud”.
This means that the CSP will be responsible for securing and maintaining compliance for infrastructure that runs all of the services offered in the given cloud service; the hardware, software, networking, and facilities that run the CSP’s cloud services.
Customer responsibility varies based on many factors, including the services and regions they choose, the integration of those services into their IT environment, and the laws and regulations applicable to their organization and workload.
For example, services categorized as Infrastructure as a service (IaaS) are responsible for things like the management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on any instances, and the configuration of the firewall provided by the CSP.
It is important to understand the shared responsibility model of the CSP(s) you’re using. Once a customer understands the respective shared responsibility model and how it generally applies to operating in the cloud, they must determine how it applies to their specific use case.
You can reference the shared responsibility model of the three major CSPs here:
Key Components of a Cloud Compliance Framework
The cloud offers accessibility, but it also creates open, decentralized networks with increased vulnerability if not configured properly.
The purpose of cloud compliance frameworks is to guide architects in best practices to avoid vulnerabilities and security pitfalls. Aligning internal security policies to cloud compliance frameworks helps mitigate the risks of operating in the cloud.
Governance
Cloud governance is a defined set of rules and policies that dictates how a specific organization will operate services in the cloud. As more and more organizations adopt the cloud, it is imperative that forethought be given to how a given organization will effectively and safely use the public cloud.
The cloud makes it easier for teams and individuals to deploy assets and provision infrastructure at the press of a button. Essential areas of cloud governance include:
Asset management: Take an inventory of all cloud services and related data. Then define configurations to prevent vulnerability.
Cloud strategy and architecture: Characterize the cloud structure, ownership, and responsibilities and integrate cloud security.
Financial controls: Develop processes for requesting and purchasing cloud services, allocating budgets, associating costs, and balancing cloud usage with cost-efficiency.
Change Control
Two of the desired outcomes for organizations moving to the cloud are speed and flexibility. This inherently makes change control difficult. Without proper change control, organizations risk misconfigurations in the cloud.
Organizations should consider leveraging automation to place guardrails to prevent unwanted changes, continuously monitor cloud configurations for issues, and proactively remediate misconfigurations before they impact productivity.
Identity and access management (IAM) controls frequently experience changes in the cloud. To best manage changes and ensure the integrity of IAM controls, organizations should:
Continuously monitor root accounts, for example, IAM Users in AWS, as they can allow unrestricted access. Disable them completely or use as few of them as possible with associated monitors and alarms and always require multi-factor authentication (MFA).
Utilize role-based access and group-level privileges. Only grant access if there are justified business needs and only grant the minimum level of privileges necessary..
Disable dormant accounts and implement effective credential and key management policies.
Monitoring
Continuous monitoring and logging of all activity are extremely important due to the complex nature of the cloud. It is impossible to manually track everything.
Capturing the who, what, when, where, and how of activities not only helps organizations be audit-ready but is the primary means of verifying adherence with various compliance frameworks.
Proper alerting to escalate risky behavior is paramount for security. When configuring monitoring and logging in your cloud environment, it’s vital to:
Enable logging on all cloud resources.
Define metrics and customize alarms to avoid alert fatigue.
Encrypt all logs and don’t store them in public-facing storage.
Reporting
Reports provide current and historical proof of compliance. These reports can be thought of as a compliance footprint for your cloud. These are necessary components to completing most compliance audits as they provide a complete timeline of all events in a given period. They also serve as critical evidence should a security incident occur.
Why Implementing a Cloud Compliance Framework is Important
Compliance frameworks provide a vetted philosophy and best practices to operate safely and securely in the cloud to garner the trust and confidence of your customers.
For example. if your organization wants to conduct business with the federal government, achieving certain cloud security certifications is one of the requirements for procurement. Cloud compliance frameworks provide the guidelines and structure to maintain the level of security to navigate regulatory requirements and avoid financial and reputational damage from non-compliance.
Implementing compliance frameworks allows your organization to demonstrate competence and commitment to your customers, boost credibility, and open new business opportunities.
How to select an appropriate standard?
IT leaders should consider what regulatory industries govern their customers and the requirements customers will expect from their vendors. It is also wise to look at the standards being used by major cloud service providers, such as AWS, Google, and Microsoft. No matter which standards you select, they should align with your business objectives and serve the needs of your customers.
Who develops and maintains cloud compliance standards?
International Organization for Standardization (ISO)
ISO is one of the primary standards-making organizations in the world. It develops standards for many different kinds of technologies and systems, some examples of relevant IT standards are:
ISO/IEC 17789:2014, Information technology -- Cloud computing -- Reference architecture. This standard defines cloud computing roles, activities, and functional components, as well as how they interact.
ISO/IEC 17826:2016, Information technology -- Cloud data management interface. This standard pertains to systems developers implementing and using cloud storage.
ISO/IEC 18384:2016, Information technology -- Reference architecture for service oriented architecture (SOA). Defines the guidelines, vocabulary, and general technical principles underlying SOA.
ISO/IEC 19086-1:2016, Information technology -- Cloud computing -- Service level agreement (SLA) framework.Framework for preparing SLAs for cloud services.
ISO/IEC 19941:2017, Information technology -- Cloud computing -- Interoperability and portability. Interoperability and portability aspects of cloud computing.
ISO/IEC 19944-1:2020, Cloud computing and distributed platforms -- Data flow, data categories and data use. How data moves among cloud service vendors and users of cloud services.
ISO/IEC Technical Report 22678:2019, Information technology -- Cloud computing -- Guidance for policy development. Guidance for developing cloud-focused policies.
ISO/IEC Technical Specification 23167:2020, Information technology -- Cloud computing -- Common technologies and techniques. Technologies and techniques used in cloud computing, including VMs, hypervisors, and containers.
ISO/IEC 27017:2015, Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services. Guidance on the infosec aspects of cloud computing and cloud-specific infosec controls.
ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. Guidelines based on ISO/IEC 27002, on the protection of PII in public cloud environments.
European Telecommunications Standards Institute (ETSI)
ETSI primarily develops telecommunications standards. Its cloud-specific activities are Technical Committee CLOUD, the Cloud Standards Coordination initiative, and the Global Inter-Cloud Technology Forum, each of which addresses cloud technology issues.
Organization for the Advancement of Structured Information Standards (OASIS)
OASIS is a nonprofit organization that develops open standards for a variety of technologies including security, cloud technology, IoT, content technologies, and emergency management. Its various cloud technical committees include OASIS Cloud Application Management for Platforms, OASIS Identity in the Cloud, and OASIS Topology and Orchestration Specification for Cloud Applications.
National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce and develops standards primarily for use by various levels of government but widely adopted by private industry. Its Special Publications (SP) Series of standards, including the following, is used extensively in both public and private sectors:
NIST SP 500-291 (2011), NIST cloud computing standards roadmap. This provides a compilation of available standards on cloud computing and examines standards priorities and where gaps in the standards exist.
NIST SP 500-293 (2011), U.S. government cloud computing technology roadmap. A detailed framework and structure for cloud computing infrastructures within the United States Federal Government.
NIST SP 800-144 (2011), Guidelines on security and privacy in public cloud computing. Guidance and recommendations for implementing a secure environment in public cloud services.
NIST SP 800-145 (2011), The NIST definition of cloud computing. A benchmark for comparing cloud services and deployment strategies.
NIST Standards acceleration to jumpstart adoption of cloud computing. Three primary activities to accelerate the use of the cloud. One, it recommends existing standards. Two, it coalesces contributions from other organizations into cloud specifications. And three, it identifies gaps in cloud standards and encourages outside firms to fill the gaps.
NIST Cloud computing program. This program defines a model and framework for building cloud infrastructure and includes multiple advanced technical characteristics.
Open Commons Consortium (OCC)
Formerly known as the Open Cloud Consortium, OCC provides management of cloud computing and data commons resources -- an open knowledge repository -- in support of academic and scientific research.
Common Cloud Compliance Frameworks
The following frameworks are especially related to cloud compliance requirements. These standards are regularly employed by cloud vendors and customers alike.
Cloud Controls Matrix (CCM): The Cloud Security Alliance maintains the Cloud Controls Matrix that provides a basic guideline for security, bolsters the strength of security control environments, and simplifies audits.
FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP)’s purpose is to ensure all cloud deployments used by the Federal government have the minimum level of required protection for data and applications.
ISO 27001: Developed by the International Organization for Standards, this set of standards for information security management systems demonstrates that your organization operates within the best practices of information security and takes data protection seriously.
NIST Cybersecurity Framework: This foundational policy and procedure standard for private sector organizations appraise their ability to manage and mitigate cyber-attacks. A best practice guide for security pros, this framework assists in understanding and managing risk.
CIS Controls: Created by the Center for Internet Security, this framework delivers actionable defense practices based on a list of Critical Security Controls which focus on tightening access controls, defense system hardening, and continuous monitoring of environments.
Continuous Diagnostics and Mitigation (CDM) program: An initiative by the United States federal government to enhance the security of their information technology infrastructure. The primary purpose of the CDM program is to provide a comprehensive, risk-based approach to cybersecurity. It focuses on identifying and mitigating cyber threats through continuous monitoring, real-time risk assessment, and prioritized remediation. The goals of the CDM program are to reduce the attack surface, provide better visibility into the network, enhance risk-based decision-making, and improve the efficiency of cybersecurity operations. The CDM program offers a standardized and consistent approach to cybersecurity across federal agencies, and it is intended to help federal organizations rapidly detect and respond to cyber threats in a more proactive and efficient manner. Kion is a DHS-approved product that provides the core functionality needed to achieve the CDM cloud infrastructure security requirements across all phases.
Cloud Service Provider Recommended Frameworks
These frameworks are provided by the CSPs themselves and can be considered best practice guidelines for cloud architects. These seek to address areas of operational efficiency, security, and cost-value considerations.
AWS Well-Architected Framework: As AWS states “The AWS Well-Architected Framework describes key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.”
This framework is derived by answering a few foundational questions to align customer architecture with best practices and provides AWS customers with a solid resource to evaluate current and future architecture.
Six key principles guide Amazon architects—operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. Kion is recognized in the Management and Governance Cloud Environment Guide of the AWS Well-Architected Framework.
Google Cloud Architecture Framework: The Google Cloud Architecture Framework provides recommendations and best practices to help cloud practitioners design and operate a cloud topology that's secure, efficient, resilient, high-performing, and cost-effective. The guidance applies to applications built for the cloud, as well as workloads migrated from on-premise to Google Cloud, hybrid cloud deployments, and multi-cloud environments. The Architecture Framework is organized into six pillars: architecture system design, operational excellence, security, reliability, cost optimization, and performance optimization. The framework is supported by open discussion forums, practical guidance, and expert recommendations from the Google Cloud Community.
Azure Well-Architected Framework: The Azure Well-Architected Framework is a set of guiding tenets that can be used to improve the quality of cloud workloads on Microsoft Azure. The framework consists of five pillars, which are reliability, security, cost optimization, operational excellence, and performance efficiency. By incorporating these pillars, practitioners can produce a high-quality, stable, and efficient cloud architecture that meets specific requirements. The framework includes six supporting elements, such as the Azure Well-Architected Review, Azure Advisor, and Reference Architectures. Azure Advisor and Advisor Score align to the five pillars of the Well-Architected Framework and are free to all Azure users.
Your organization will likely need to adopt many cloud compliance standards based on the size and complexity of your cloud environment, the nature of your business, and the industries and customers you serve. Many standards have related or overlapping requirements which means you can often reduce the amount of effort needed to become compliant through detailed planning and execution. At times, it may be necessary to bring in external expertise to properly structure your cloud compliance strategy.
How To Ensure Continuous Cloud Compliance
Conduct a network security audit
What is a cloud audit?
One way to assess the level of compliance with laws, regulations, and contracts is to undertake an audit. Audits can be internal or external. An internal audit is an audit that is conducted by auditors to provide a self-assessment of your level of compliance.
Internal audits are typically conducted as a baseline when seeking to improve compliance or undertake large change management projects. To assess and certify against a given compliance standard, usually, an approved independent auditor conducts an assessment of the requirements contained in a given standard and produces a report that certifies compliance to the given framework.
Continuous Monitoring
The challenge many organizations face is that following an audit it is difficult to maintain a compliant posture due to organizational and operational changes.
Continuous monitoring of the cloud environment and the changes to the organization’s compliance posture are essential to maintaining compliance between audits. Businesses need the ability to visualize and model changes and the ramifications to their security posture that continuous monitoring provides.
Compliance Solutions
Kion provides the proactive boundaries and reactive detection and reporting to ensure compliance - and the auto-remediation to help you end the grunt work. If you'd like to see a demo of Kion or learn more about how to implement continuous compliance in your organization, speak with one of our experts.
About the Author
Austin Fuller
Austin has nearly a decade of experience in enterprise software and cybersecurity and is an AWS-certified cloud practitioner.
