Maintaining compliance while ensuring security in a cloud environment

By John Christly, CISSP, CCEP, CFE, Security Architect, Summit7

We’ve all heard the statement that goes something like “you might be compliant, but that doesn’t necessarily mean you’re secure”, and the converse holds as well: you could be “secure, but that doesn’t necessarily mean you’re compliant”. The whole question of remaining secure while staying compliant with applicable laws and regulations becomes even more interesting when your company moves its own systems, or its customers’ systems, to a cloud environment.

Many of the leading cloud providers offer strong capabilities that can help keep your systems, applications, and data secure, and those same efforts can in turn help keep you compliant. But these capabilities must be understood and implemented properly to be effective, and this is where many companies struggle: they are unsure what needs to be put in place, and sometimes even what can be put in place, to support these efforts.

It starts with an understanding of what needs to be in place to be secure and compliant. It helps to begin by identifying which state and federal laws you may have to comply with, based on the type of data you handle for your company or on behalf of your customers. For example, nearly every state in the United States has its own privacy law that mandates notification to certain agencies and to affected parties in the case of a data breach. IAPP maintains a great resource on this here:

It is important to understand the requirements of the individual state laws so that, in the unfortunate case that you experience a breach of consumer data for consumers in a particular state, you know how to respond properly and within what time frame. Some of these laws allow a very short window for reporting a confirmed breach, so it is important to understand these requirements and to practice your response plans in regular tabletop sessions with the people within your company, or at your vendors, who would be responding to these types of events.

The next thing you will likely want to examine is which compliance mandates your company has decided it wants to comply with, or must comply with because of contractual requirements. These could be regimes such as PCI DSS for processing credit cards, FedRAMP for handling government data, or HIPAA, HITRUST, or GDPR, to name a few. Keeping an inventory of the compliance and regulatory mandates your company must follow is very important when you put together your GRC program, so that you can try your best to “document once and comply many”. While there is not always a direct, easily mapped correlation between these regulations, there are likely ways to gain some economies: if you document properly and have your procedures in place, then when it comes time to be examined against a particular mandate, you are in better shape than if you had never done this exercise.

When it comes to hosting systems in the cloud, compliance can be much easier, or very difficult, depending on whether you understand the capabilities a cloud provider offers that can support your compliance efforts. For example, a cloud provider may offer data loss prevention and data classification tools that help you better classify the data your company handles and give your users ways to support compliance on a day-to-day basis. Again, these tools are only effective if they are well understood by the people who need to implement and use them, and only if you can effectively socialize their use within your company.

When it comes to security controls in a cloud environment, many believe that, done properly, systems in the cloud can be secured as well as, if not much better than, when they were hosted on premises on your own systems. Cloud providers typically offer various tools and methods to help secure your applications and data, but again it takes a good understanding that these tools exist, and of how to enable and use them without interrupting your company’s workflow, for them to be used effectively.

To start with a good example of the tools available, most cloud providers offer the ability to encrypt your data in transit and at rest. Encryption gives little protection against someone who already has authenticated access to your data, or physical access to an unlocked system that holds the keys, but it is certainly a best practice to encrypt your data whenever possible. You should also ensure that the encryption methods you select are as up to date as possible, so that you avoid outdated algorithms and protocol versions that have proven to be ineffective or easily broken. Many widely publicized data breaches of cloud-based systems involved storage areas that were left unsecured and open to anyone who sought to take the data, regardless of whether encryption at rest was enabled.
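The three failure modes named above (storage left open to the world, no encryption at rest, cleartext transport still accepted) are all visible in a bucket’s configuration before any data is lost, so they can be audited mechanically. The following script is an added example written for this article, not code from the author or from any cloud provider. The configuration shape it reads (ACL grants with a grantee URI, a policy document with Statement entries, a default-encryption setting) is modeled loosely on S3 ACL grants and bucket-policy JSON, but is an assumption for illustration only; the two sample buckets are constructed.

```python
"""Audit constructed cloud-storage bucket configurations for: public ACL
grants, policy statements that allow anonymous read, missing default
encryption at rest, and the absence of a deny-cleartext-transport rule.

Added example. The config dict layout is an assumption modeled on S3
ACLs and bucket policies; the sample buckets below are constructed.
"""

# Well-known "everyone" grantee URIs used by S3-style ACLs.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"*", "s3:*", "s3:GetObject", "s3:ListBucket"}


def _principal_is_public(principal):
    """True for a '*' principal or an {'AWS': '*'} style principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def public_statements(policy):
    """Sids of Allow statements granting read actions to everyone, unconditionally."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition (e.g. source VPC), not open to the world
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if READ_ACTIONS.intersection(actions):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def requires_tls(policy):
    """True if a Deny statement blocks requests where aws:SecureTransport is false."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            return True
    return False


def audit_bucket(bucket):
    """Return a list of finding strings for one bucket config; empty means PASS."""
    findings = []
    for grant in bucket.get("acl_grants", []):
        if grant.get("grantee_uri") in PUBLIC_GRANTEES:
            group = grant["grantee_uri"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['permission']} to {group}")
    policy = bucket.get("policy") or {}
    for sid in public_statements(policy):
        findings.append(f"policy statement {sid} allows anonymous read")
    if not bucket.get("default_encryption"):
        findings.append("no default encryption at rest")
    if not requires_tls(policy):
        findings.append("policy does not deny cleartext (non-TLS) requests")
    return findings


# Constructed sample inventory: one classic exposed bucket, one hardened bucket.
SAMPLE_BUCKETS = [
    {
        "name": "customer-exports",
        "acl_grants": [{"grantee_uri": "http://acs.amazonaws.com/groups/global/AllUsers",
                        "permission": "READ"}],
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]},
        "default_encryption": None,
    },
    {
        "name": "finance-archive",
        "acl_grants": [],
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": ["arn:aws:s3:::finance-archive", "arn:aws:s3:::finance-archive/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
        "default_encryption": {"algorithm": "aws:kms", "kms_key_id": "alias/finance"},
    },
]


def audit_all(buckets=SAMPLE_BUCKETS):
    """Map bucket name -> findings for a whole inventory."""
    return {b["name"]: audit_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(("FAIL " if findings else "PASS ") + name)
        for f in findings:
            print("  - " + f)
```

Run against a real inventory, the same four checks are a good minimum gate before any bucket is allowed to hold regulated data; the Deny-on-cleartext check matters because enabling TLS on the endpoint does not by itself stop a client from using plain HTTP.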

Certain cloud providers also offer services that track data as it is accessed, shared, and changed. This is an important feature if you want to keep a good handle on your company’s data: where it is used within the company and who it may be shared with outside it. When it comes to data that may be taken by a former employee on the way out the door, these tools can prove extremely valuable for investigating misuse or theft of your company’s intellectual property.
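An access-tracking trail is only as useful as the questions you ask of it. The script below is an added example for this article (not the author’s or any provider’s code) showing one such question: for an employee who has given notice, compare the volume of data they pulled during the notice period against their own earlier baseline, and list anything they shared to an address outside the company. The event layout (timestamp, actor, action, object, bytes, share target) and the internal mail domain are assumptions; map your provider’s audit-log fields onto them. The sample events are constructed.

```python
"""Departure review over a constructed access-audit trail.

Added example. Event fields are an assumed layout, not a provider's
schema; INTERNAL_DOMAINS and all events below are constructed.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}  # assumption: the company's own mail domain

# Constructed sample events (UTC, ISO 8601). Not real logs.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:00", "actor": "jdoe", "action": "read",
     "object": "sales/q1.xlsx", "bytes": 120_000, "target": None},
    {"ts": "2024-03-04T10:30:00", "actor": "jdoe", "action": "read",
     "object": "sales/pipeline.pptx", "bytes": 2_400_000, "target": None},
    {"ts": "2024-03-18T17:45:00", "actor": "jdoe", "action": "download",
     "object": "sales/customer-list.csv", "bytes": 8_500_000, "target": None},
    {"ts": "2024-03-18T17:52:00", "actor": "jdoe", "action": "share",
     "object": "sales/customer-list.csv", "bytes": 0, "target": "jdoe.personal@example.net"},
    {"ts": "2024-03-19T08:05:00", "actor": "jdoe", "action": "download",
     "object": "eng/roadmap.docx", "bytes": 1_100_000, "target": None},
    {"ts": "2024-03-19T08:07:00", "actor": "jdoe", "action": "share",
     "object": "eng/roadmap.docx", "bytes": 0, "target": "asmith@example.com"},
    {"ts": "2024-03-19T11:00:00", "actor": "asmith", "action": "download",
     "object": "eng/roadmap.docx", "bytes": 1_100_000, "target": None},
]


def departure_review(events, actor, notice_date, departure_date,
                     baseline_days=60, ratio_threshold=3.0):
    """Compare an actor's data pull rate in [notice, departure) against the
    preceding baseline window, and collect shares to external addresses.

    Returns a dict with per-day byte rates, their ratio, the external
    shares found, and a 'flagged' verdict. A user with no baseline but
    activity in the window gets an infinite ratio (treated as flagged).
    """
    notice = datetime.fromisoformat(notice_date)
    departure = datetime.fromisoformat(departure_date)
    baseline_start = notice - timedelta(days=baseline_days)
    window_days = max((departure - notice).days, 1)

    baseline_bytes = 0
    window_bytes = 0
    external_shares = []
    for ev in events:
        if ev["actor"] != actor:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        in_window = notice <= ts < departure
        in_baseline = baseline_start <= ts < notice
        if ev["action"] in ("read", "download"):
            if in_window:
                window_bytes += ev["bytes"]
            elif in_baseline:
                baseline_bytes += ev["bytes"]
        elif ev["action"] == "share" and in_window and ev["target"]:
            domain = ev["target"].rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                external_shares.append((ev["ts"], ev["object"], ev["target"]))

    baseline_rate = baseline_bytes / baseline_days
    window_rate = window_bytes / window_days
    if baseline_rate == 0:
        ratio = float("inf") if window_rate > 0 else 0.0
    else:
        ratio = window_rate / baseline_rate
    return {
        "baseline_bytes_per_day": baseline_rate,
        "window_bytes_per_day": window_rate,
        "ratio": ratio,
        "external_shares": external_shares,
        "flagged": ratio >= ratio_threshold or bool(external_shares),
    }


if __name__ == "__main__":
    report = departure_review(SAMPLE_EVENTS, "jdoe",
                              "2024-03-17T00:00:00", "2024-03-22T00:00:00")
    print("flagged:", report["flagged"], "ratio: %.1fx" % report["ratio"])
    for ts, obj, target in report["external_shares"]:
        print(f"  external share {obj} -> {target} at {ts}")
```

Comparing an individual to their own baseline, rather than to a fixed byte threshold, keeps the check meaningful for roles that routinely handle large files, and the external-share list is usually the first artifact legal counsel asks for.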

Another important aspect of migrating to the cloud, and of operating there going forward, is vulnerability management. Depending on how your cloud instances are set up, a cloud-based system can either expand your digital footprint or reduce the amount of information exposed to the outside world. It is vital that you keep a close eye on the vulnerabilities in your applications, your firewalls, your servers, and the computers your users work on. Some cloud providers offer built-in vulnerability scanning and reporting, while others leave you to rely on third-party tools to scan and report. Either way, it is very important to have a repeatable process for learning about new vulnerabilities as they appear in your systems, and a process for quickly resolving the issues you find, so that they do not persist longer than needed and do not give attackers a way into your company and its data.

In summary, cloud providers usually offer a great many tools that you can use to become more compliant and more secure. Many vendors are skilled at helping customers migrate to the cloud and at using built-in or third-party tools to help you, or your customers, apply compliance and security policies and procedures.
