Learn how to maintain the speed of cloud operations in the face of regulatory complexities.
Rapid7 Cloud Risk CompleteCloud compliance – or cloud security compliance – is the process of ensuring cloud environments, and the operations that occur within them, adhere to specific regulatory standards affecting the industry in which a business is operating. There are typically a number of cloud compliance standards to which a business must align, and it is incumbent upon security compliance personnel to configure and use cloud services in a way that complies with the applicable directives contained within the Cloud Security Alliance Cloud Controls Matrix (CSA CCM).
According to the Cloud Security Alliance, “the CCM can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.” Therefore, depending on the industry a company is engaged in, there are powerful pre-existing frameworks teams can follow to ensure they stay compliant as the majority of their operations move into the cloud.
Automating cloud compliance wherever possible is necessary in today’s environments, especially in heavily regulated sectors like healthcare, financial services, and energy. Worthwhile cloud compliance tools should be able to detect compliance drift from the specified organizational standards and quickly reset environments to an overall “state of good.” This not only saves time and money, but can lower the chances of getting run afoul of regulatory bodies.
From state/territory-specific to nationally recognized compliance standards affecting multiple industries, there are many legally required – and some heavily suggested – regulatory frameworks out there. Let’s take a look at some of the more commonly known standards to which a wide swath of overall global commerce must adhere:
These benchmarks are created by the Center for Internet Security (CIS), a not-for-profit organization that helps organizations improve their security and compliance programs. The CIS aims to create community-developed security configuration baselines, or CIS Benchmarks, for IT and Security products. The benchmarks span applications, cloud-computing platforms, operating systems, and much more.
The EU General Data Protection Regulation (GDPR) requires the protection of personal data of EU citizens, regardless of the geographic location of the organization or the data. This includes technical and organizational measures that are regularly updated to ensure the amount of security is appropriate to the current level of risk.
The Federal Risk and Authorization Management Program (FedRAMP) is a US federal government initiative that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP’s aim is for companies to leverage modern cloud solutions and technologies safely and securely – particularly where federal information is involved.
This particular standard comes from the American Institute of CPAs (AICPA), and defines reporting guidelines for how businesses should manage customer data. These reports can help organizations manage vendor supply chains, implement risk management processes, and more. They are aimed at a wide swath of stakeholders and should contain digestible, standardized language.
The Health Insurance Portability and Accountability Act (HIPAA) requires businesses that handle patient medical records and other protected health information (PHI) to effectively safeguard that information against security breaches. The HIPAA Security Rule details administrative, technical, and physical controls for electronic PHI (ePHI). Due to the sensitive nature of the data the standard covers, the US government required compliance with the security rule in 2005. Of particular note, HIPAA Part 2 was issued in 2022 and essentially protects “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”
ISO/IEC 27001 is a cloud security compliance management standard jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27001 specifies security management best practices and comprehensive security controls for information security management systems. It is an optional standard that some organizations choose to implement, both to benefit from the best practices it contains and to reassure customers that a comprehensive risk management solution is in place.
To take that last point a bit further, it’s often a good idea for an organization to take a compliance program a step beyond what’s required, instituting additional measures specific to their business needs and unique environment. Building these types of custom guidelines to overlay onto existing compliance programs is a proactive measure that will yield benefits beyond simply remaining compliant to the required regulations.
Things have changed from the days of old when cloud operations were novel and no one understood the complexity of tuning those operations to their specific organization or remaining in compliance with regulatory standards of the day. However, there are complexities to be aware of that come with the many benefits of a move to cloud operations.
As an organization undergoes a “great transformation” into cloud operations, a key challenge is a lack of unified visibility across its environments. This issue can and does also extend to human users, as far as keeping track of who has access to data, where they can access it, and how frequently they’re doing so.
Cloud breaches are most commonly caused by misconfigurations. Gartner has even noted that 95% of cybersecurity breaches are caused by cloud configuration errors. Some are caused by humans, others happen because there is an assumption that defaults in the platform will catch issues, and still others come from the desire to make resources easier to access. Organizations must implement controls to prevent or detect and remediate these errors to avoid a data breach.
Oftentimes, third-party auditors must attest to the controls an organization has put in place that help it align with certain regulatory standards. Upon request, organizations must provide letters of attestation from those third parties that validate secure cloud operations practices, as well as certifications that they meet certain sector-specific regulatory standards. Certifications are typically good for several years, while attestations speak more to the continuous and ongoing nature of compliance.
Accelerating into the cloud without caution often brings complexities that can cause more harm than good. Cloud environments are extremely ephemeral, while legacy/on-prem systems are much less so. When an organization accelerates into the cloud, they often don’t know exactly what to do with those legacy systems, but they still have to be managed. This is where things can get tricky for a DevOps team. Making things even more complex are exemptions – a resource or workload that is exempt from a given standard. The lack of a mechanism to exempt a resource can lead to many false positives that could cause unwanted and costly disruptions.
Let’s now take a look at some best practices and overall good hygiene that can counteract some of the bigger challenges in aligning to regulatory standards and maintaining compliance in the cloud.
Data encryption transforms the original format of the data into something that is unreadable. Services like Google Cloud Platform (GCP) always automatically encrypt customer data after it is received, but before it is written to disk and actually stored. Another example is that of credential encryption by cloud security providers; there are often several layers of decryption that must occur before those credentials can be used.
Speaking of credentials, the principle of least privileged access (LPA) ensures that access is granted to only the humans or programs that absolutely need to work on a specific task in the cloud. Solutions leveraging LPA will typically employ automation to tighten or loosen permissions based on the user's role.
Implementing the concept of zero trust is a handy way to help keep a cloud environment ultra secure. Every human, endpoint, mobile device, server, network component, network connection, application workload, business process, and flow of data is inherently untrusted. They each must be continuously authenticated and authorized as each transaction is performed, and all actions must be auditable in real time and after the fact.
The principle of a well-architected framework in cloud operations essentially contends that there should be an agreed-upon approach for stakeholders to implement and evaluate a cloud architecture that best suits their business needs and priorities. The AWS Well-Architected Framework is perhaps the most well-known example of this principle, and enables customers to identify high-risk issues.
2022 Cloud Misconfigurations Report: Latest Cloud Security Breaches and Attack Trends