A theme across many of our cloud articles is the importance of compliance. The old myth that the cloud was not suited for compliance was a huge reason so many people stayed away from it in the early days. Today, however, there are many compliance tools tailored specifically to the cloud, and even to the public cloud. The challenge now is how to bring the right tools together to achieve the compliance your applications need based on your business. Do you need HIPAA compliance because you’re in healthcare? Do you need PCI compliance because your site accepts payment information? Are you in the public sector and required to follow FedRAMP regulations? If you have a compliance team that knows all the right tools, go forth and conquer. If you don’t, it is imperative to find the right CSP (cloud service provider) that provides compliance services to put the puzzle pieces together for you. They will ensure you fully meet the compliance requirements your organization needs, in the right cloud for you.
3 things to consider when looking to achieve compliance in the cloud:
What compliance standards do you really need to comply with?
Sometimes companies assume they need to be compliant with certain standards when they really don’t. An example is a company that accepts payments on its cloud-hosted site but doesn’t store credit card numbers, or that uses a payment service that accepts the payments on its behalf and is not directly tied to the site. They may think they need to be PCI compliant, but unless you are storing credit card information, that is technically not the case. That said, I would never advocate ignoring compliance standards, especially in the cloud, just because you aren’t required to follow them. Many of them provide a great framework to ensure your customers’ data is protected and your site or application is secure in the cloud. Just make sure you evaluate the right compliance standards for your application or site, as the effort to achieve and maintain those standards will be significant. Again, this effort is well worth it as long as it applies to your needs.
Establish the core criteria for security within the standards.
This is where the rubber meets the road, plain and simple. You can choose compliance standards, you can report on them, you can even pass audits on them, but if the security tools aren’t implemented correctly you can still find your data vulnerable. Some companies do a great job building things in the cloud like IDS (intrusion detection systems), FIM (file integrity monitoring), or full system logging, which are all very important, but they mean nothing if the data isn’t reviewed. These tools are great and, regardless of which cloud you use, provide valuable information that notifies you of possible vulnerabilities; but if you do not have a team, usually a SOC (security operations center), monitoring those logs and acting on them, they mean absolutely nothing. Plus, you will have wasted a significant amount of money on tools that go unused. That being said, ensure that you have a clear set of criteria outlined to guarantee you are providing a full security lifecycle. The lifecycle should include build, monitor, review, react, update, and continually improve proactive measures.
Report, review, and audit!
The final piece of the compliance process is to implement what I like to call the RRA (report, review, audit) process. Report addresses the data that needs to come out of your security tools and from the SOC team. How are they doing at responding to incidents? What are the trends coming in? How are they becoming more proactive in their security efforts, and how effective are you at protecting your data? Beyond reviewing all of that, the next step is to review how all of the processes and procedures the team is using match up to the compliance standards you chose to follow. Any standard usually has a spreadsheet you can use to ensure that you are meeting each item required within the standard. There are also GRC (governance, risk management and compliance) tools out there, like Allgress, that can simplify this in an online dashboard. Finally, there is the audit piece. This piece is critical, and I cannot stress enough how important it is to spend the money to have an external auditor complete an audit of your compliance. Internal teams can overlook certain things that could leave you vulnerable, while quality external auditors will provide you with a list of findings to address to strengthen your compliance stance.
So, there it is, a clear path to compliance in the cloud. Again, if you have the team in house ready to handle this endeavor, that is great, but with all of the tools out there for compliance in the cloud, having a CSP help with some or all of it really can help you in the long run. They go through all of this daily for hundreds, if not thousands, of companies just like yours and can bring guidance and expertise that even your most experienced team members might not be able to provide. At the end of the day, follow the 3 key items above: find the right compliance standard(s), establish the core criteria for the security required to meet those standards, and RRA. If you follow these steps properly you should be able to create a secure, compliant cloud solution that will allow your IT team and customers to sleep well at night knowing it is fully secure, even in the “precarious” cloud!