Compliance and the Public Cloud
The cloud is a transformational system, allowing the outsourcing of traditional on-premises IT services. Its economic and technological success is due, in part, to its ability to solve tough issues like compliance.
Compliance and Public Cloud Providers
Public cloud providers are keenly aware of the need to address security and compliance controls within their offerings. Initial efforts in providing security and compliance programs met some challenges, but the largest providers have made deep investments into improving the compliance certifications of their environments. This includes addressing the requirements of a variety of industries: payment cards (PCI), health care (HIPAA), and federal (FedRAMP), as well as other common certifications, such as ISO 27001 and AICPA SOC2.
Additionally, organizations such as the Cloud Security Alliance (CSA) developed compliance mappings of security controls common to the compliance programs. The early efforts to certify environments were designed to help not only organizations considering migration to the cloud, but also compliance auditors who had to evaluate how a company could “certify” when their controls were split between traditional company controls and third-party vendors.
Today, most cloud providers provide security and compliance information via a number of web resources discussing the ways in which the provider is addressing security as a core function of its services. Additionally, customers can request current compliance assessments from third-party auditors, and sometimes, case studies on how to deploy and adopt services in a high-security manner.
Steps to Take Before Migrating
Cloud service providers have steadily improved technology and architectures to provide a means to migrate and deploy hosted services. The evolution of technologies has led to a number of standard services that now help define secure methods of storage, processing, and hosting in order to adapt to changes in enterprise needs such as demand leveling, security, and compliance.
However, before the process even begins, there are several important steps you must take.
Understand Your Responsibilities
Migration to the cloud removes some of your organization’s compliance responsibilities, but not all of them. Some controls are outsourced to the providers (who then assume responsibility for them), but some cannot be delegated.
Therefore, before migration even begins, you should ensure that you understand where risk responsibility is transferred to the vendor, and where it is not. Most cloud vendors provide their customers with information that explains how their security and compliance programs operate in relation to their services. Here are the big three:
- Amazon Web Services: security, compliance;
- Google Cloud Platform: security, best practices;
- Microsoft Azure: Security Center documentation, compliance.
It is also wise to review reports from independent compliance auditors (for example, SOC2 attestation) for the cloud platform that you will be using. Large cloud providers do not allow customer organizations to audit their facilities and service programs, so for some aspects of compliance, the auditors will be your primary source of information.
Assess Your Organization’s Readiness
To prepare for the adoption of cloud resources and services, many organizations find they have to realign their assumptions of risk, as well as the architecture of their traditional networks and systems. For instance, moving a traditional system architecture to the cloud might require the redevelopment or transformation of web services to address access and authentication, architecture of microservices, redevelopment of encryption, and auditing. New networks in the cloud typically require different solutions for threat protection and monitoring, backup and recovery technology, and web-system resilience.
Regardless of the level of cloud adoption, a security-minded organization will have to address a number of significant changes to security technologies and compliance program controls. This will vary based on the type of cloud services selected, but keep in mind:
- Most compliance programs require you to identify those mandatory or required controls (from your security and compliance program) that are now being provided by the cloud provider.
- From a compliance perspective, you may need to increase the number of controls to address your supplier/vendor security risk.
- The importance of controls will change as your organization moves services to the cloud. This is because certain risks may increase due to the nature of third-party processing. Expect higher risks to certain controls, such as access and authorization for privileged accounts, encryption key management, and auditing/monitoring functions. Other controls that were high risk in traditional environments may be reduced, such as network infrastructure monitoring.
Understand the Architecture
Make sure that your security and compliance-responsible personnel understand the technology and services of the cloud provider. Some security controls are commonly considered to be better with cloud architectures; nevertheless, don’t fall into the trap of relying on a third-party control without understanding its implementation.
Assess the Mid-Migration Challenges
Even with the ability to move entire on-site networks into the cloud, many organizations are throttling cloud adoption into stages — often to hold back the most important assets (systems or databases) — to mitigate possible risks. The result is often an architecture that is challenging to traditional security and compliance efforts.
You might need to evaluate the costs versus benefits of breaking up a migration into small stages.
Assess the Post-Migration Risk
When planning a migration, reexamine your threat model and overall architecture within the proposed cloud solution. Even with “standard services” from cloud providers, your organization will create a unique architecture. Evaluating it carefully will help to reveal possible areas of risk.
Anticipate and Solve Security Needs
While assessing the “standard services” mentioned above, remember that some cloud providers offer security products, but these are not comprehensive solutions. Although they can simplify some aspects of web security, they do not provide full protection (nor are they meant to do so).
For a fully secure, compliant environment, your organization will need to add additional security measures beyond the ones offered by the cloud platforms.
Here’s more information about augmenting the security products from GCP and AWS:
- Google Cloud Armor: How to convert it into a full security solution
- AWS WAF and AWS Shield: Are they enough to secure your environment?
Consider the Auditability and Transparency of Controls
While the cloud can simplify your solution from a support/resource perspective, you may need to closely reexamine your security posture, depending on your solution. If you are in a compliance-strong industry (for example, retail, healthcare, or government), your solution will probably pass audits of required controls. If the solution changes scope or assumptions of prior audits, the certification process may have to be reset.
Conclusion
Outsourcing networking, systems operations, and data hosting to a cloud service provider challenges our legacy methods of protecting data systems (which are based on the ability to physically control them). In fact, compliance programs that drive our security programs often have roots in technologies and methods of data processing that assume on-site networks, client-server architecture, and physical controls.
The good news is that public cloud providers address security and compliance concerns through a variety of materials, videos, and documents. Customers have both a challenge and a responsibility to dig into the technologies, security features, and architecture of their cloud-enabled systems in order to ensure security is maintained, and that compliance is achieved.
Reblaze has a large number of customers in regulated industries, many of whom we have assisted through the migration process. If your organization is considering or planning a migration to the cloud, we’re happy to help. You can contact us here.
image credit: Helloquence via Unsplash