The Challenge of Compliance in the Cloud

By Trisha Paine, Head of Cloud Marketing Programs, published January 22, 2020

Compliance programs are designed to address perceived threats or risks to an industry or community. Typically, an industry authority (e.g., government or industry consortium) sets regulatory standards in order to protect the target community in that industry. It does this by mandating regulatory requirements that have to be met by anyone providing service in that industry to the target community. The regulation authority may then set up regular audits to assess whether the provider of the service is still meeting these requirements – these are known as compliance audits.

Cloud technology is becoming a core part of many industries today, and with this comes potential risks; the aim of compliance programs is to address those risks. With stories of breaches and data loss constantly making headlines, it’s no surprise compliance programs are being examined for their value.

So, does compliance certification equate to security for those businesses that are uneasy with the adoption of cloud tech? The answer is not so simple.

The Value of Compliance

For those businesses just starting out with cloud technologies as well as those already heavily invested in the cloud, the perceived value of compliance is that their data—or their customers’ data—may be better protected in a compliance-certified environment. Compliance programs certainly want you to believe this is true; and from a logical standpoint, it’s easier to say that a deployment of applications and assets in the cloud that meets regulatory and compliance requirements is more likely to meet good security best practices than one that is not.

As compliance has become increasingly important and expanded beyond specific industries, public perception of its value has shifted. For companies seeking out cloud-based services, vendors that meet PCI (the Payment Card Industry standard), HIPAA (the U.S. government healthcare data protection standard), or SOC2 (a general technology auditing standard from the AICPA) compliance are often perceived as offering greater value—even if the organization does not particularly sense a threat or risk to its data.

This likely stems from the idea that some verified (audited) protection is better than none. Moreover, business threats or risks often involve third-party vendors or suppliers. Choosing a certified compliant provider thus gives some peace of mind.

Does Compliance = Security?

While the intention of compliance programs is to set standards for protection, the idea that compliance equals security is a misperception. There is no guarantee of security, and “compliance” should not be seen as synonymous with “security.”

While compliance programs help set a baseline for controls, these are based on “common” threat vectors. For example, a compliance standard may call for “strong passwords” to protect system access. This, however, does not stop the threat of attackers, who will find ways to avoid passwords entirely. Phishing attacks and other real-time incursions into business operations typically steal active credentials from a user session, allowing them to bypass password controls altogether.

Cloud-based breaches and other major reported security events that have been remediated have helped shape better cloud security practices and the development of better controls and automation as well as associated compliance programs. But it’s still important to understand that this is a reactive approach and does not offer solutions to potential unknown (zero-day), future threats.

Steps to Compliance in the Cloud

Implementing any compliance program in the cloud involves a number of steps, discussed as follows.

Step 1: Gaining Visibility of Assets

You can only protect what you know you have. With the cloud, virtualized resources are your assets. It is therefore imperative that all systems are well-defined and properly designed for scaling. For many organizations, asset monitoring and tracking is also a way to be more cost-effective, since operations should be designed to be scaled up or down as needed. Automation of cloud operations enables inventory and configuration of assets.

Step 2: Choosing the Right Compliance Framework

Compliance programs should be chosen based on industry specifications and market need. For businesses for which regulation standards do not exist, the needs of the customer base can guide the decision, as the customer may seek out vendors that meet standards relevant to their industry. Choosing common business standards, like the AICPA’s SOC2, may be a good starting point.

Step 3: Initial Assessment, Exclusions, and Customization

With any compliance program, it is worth examining how others have built solutions to meet the compliance frameworks. For instance, PCI frameworks indicate the need for specific cardholder data system components (rather than the entire network or interconnected system) to receive the bulk of the protections. This results in segmenting and firewalling portions of the system to isolate compliance controls to only those systems and data in the given scope. Customization of a system to meet compliance requirements may result in cost savings and efficiencies.

Step 4: Monitoring, Frequency of Continuous Assessment Checks, Integrating with Workflow Tools

The majority of compliance programs follow the model that controls should be operational at all times, and they must therefore be monitored to ensure this. In order to make it easier to meet these requirements, many businesses use tools to automate their workflows and ensure efficiency of their controls. This can be as simple as automating security tasks, such as adding or removing users of a system, or may involve complex workflows, such as combining order processing with multi-system confirmations to guarantee accuracy, privacy, and confidentiality.

Step 5: Automated Remediation

Systems operating in the cloud are considered more complex than traditional ones. Complex controls, such as high-volume log review and vulnerability monitoring, are therefore usually automated rather than performed manually in order to boost value and efficiency. However, it’s important to exercise caution when automating the actions taken in response to monitoring, especially where false positives are likely. For instance, an IDS or WAF must be tuned carefully so that automated blocking does not cause an accidental denial of service.

Step 6: Reporting and Auditing

In cases where the cloud implementation supports a compliant system (and thus a compliance program), the implementation must include a way to report on its compliant controls. In some cases, such as physical security, this is outsourced to the cloud service provider (CSP). You’ll then need to ensure your CSP provides regular, satisfactory reporting that these compliance controls are meeting your needs.

Your customers may also require this information. In most cases, customers will acknowledge your use of a specific cloud provider in the contractual agreement and that it is your responsibility to review and maintain the veracity of those third-party controls.

In many cases, the CSP audit reports are the only means to verify a vendor’s security controls. This is because the vendors do not have the operational capacity to allow each of their customers to audit them. It’s important to consider this as you evaluate the risk of any cloud vendor and follow up on any concerns regarding their compliance reports.

A final note on using your cloud service provider’s audit reports: these are often sensitive, restricted-use documents, so your ability to share them with your customers is limited. Check with your legal or compliance team to ensure that you do not “claim” your CSP’s compliance certification as your own unless the CSP has allowed it.

Changes in Cloud = Changes to Compliance

As the cloud industry grows, the effectiveness of compliance programs has been impacted. The purpose of the cloud, as defined by early adopters, was to provide “compute” resources to customers across the internet. While accurate, in the current era of business model offerings from giants such as Amazon (AWS), Google Compute, and Microsoft Cloud, this definition is incomplete.

Each of these large Cloud Service Providers (CSPs) now offers hundreds of unique services to address business and security concerns—and these have all had a major impact on almost every industry. As they begin to use cloud technology and meet the requirements of a compliance program, some companies may find the options overwhelming. Expert systems and automated software are becoming key components of security, compliance and governance in the cloud.

In addition to the challenges that come with industry growth, regulators of compliance programs now recognize the need to adapt to the new reality of cloud complexity. Common security assurance programs such as AICPA SOC2, PCI, and ISO27001 have—or will soon have—implemented enhanced security frameworks to address the needs of the cloud, including the new technologies and security risks that this new cloud reality has brought with it.

Moreover, new privacy-oriented compliance regulations such as GDPR (General Data Protection Regulation, a recent EU Standard for privacy protection) and CCPA (the California Consumer Protection Act, a U.S. standard for privacy protection that went into effect in January 2020), are already making an impact, defining new business processes that may necessitate new cloud implementation strategies. Increasingly, businesses are seeking out cloud providers and service vendors that offer solutions to meet these compliance requirements.

Control Compliance

At the end of the day, compliance assurance (think monitoring and audits) is about the maturity of an activity to properly identify and protect data and systems. Every individual business requires a process for identifying risks and the controls to mitigate them. Be prepared to identify each control, map it to your requirements or risks, and document it. This habit will serve you well as you develop a security and compliance presence in the cloud.

This is particularly true as your compliance program takes into account security and technologies to facilitate compliance. For example, with a compliance requirement such as the need to “review all logs,” a SIEM or IDS would likely be used to review them and provide real-time alerts on potential risks, thus helping you meet the requirement.

But systems change over time, and your controls must be tuned to match modified components and new event types. Your control inventory and documentation should be maintained as well.
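The control inventory this section calls for (each control mapped to a requirement, scoped as in Step 3, and checked continuously as in Step 4), as an added example that is not from the original post; the asset names, tags and configuration values are constructed, and a real run would pull them from the CSP’s inventory API.

```python
# Added example (not from the original post): a minimal control inventory where each
# control maps to a requirement and is scoped to the assets it applies to.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Asset:
    name: str
    tags: dict    # classification set by the asset owner, e.g. PCI scope
    config: dict  # settings as reported by the CSP inventory (constructed here)

@dataclass
class Control:
    control_id: str
    requirement: str                     # the regulatory requirement this control maps to
    applies_to: Callable[[Asset], bool]  # scoping rule (PCI controls cover only the CDE)
    check: Callable[[Asset], bool]       # True when the control is operating on the asset

# Constructed inventory; note legacy-vm-7 was never given a scope tag.
INVENTORY = [
    Asset("pay-db-01", {"scope": "cde"}, {"encrypted": True, "logging": True, "subnet": "cde-private"}),
    Asset("pay-api-02", {"scope": "cde"}, {"encrypted": True, "logging": False, "subnet": "shared"}),
    Asset("marketing-web", {"scope": "none"}, {"encrypted": False, "logging": True, "subnet": "public"}),
    Asset("legacy-vm-7", {}, {"encrypted": False, "logging": False, "subnet": "shared"}),
]

def in_cde(asset: Asset) -> bool:
    return asset.tags.get("scope") == "cde"

CONTROLS = [
    Control("CTL-1", "PCI: isolate cardholder data systems", in_cde, lambda a: a.config["subnet"].startswith("cde-")),
    Control("CTL-2", "PCI: encrypt stored cardholder data", in_cde, lambda a: a.config["encrypted"]),
    Control("CTL-3", "SOC2: review all logs", lambda a: True, lambda a: a.config["logging"]),
]

def assess(inventory, controls):
    """Map each control to its requirement and the in-scope assets currently failing it."""
    return {c.control_id: (c.requirement,
                           [a.name for a in inventory if c.applies_to(a) and not c.check(a)])
            for c in controls}

def unclassified(inventory):
    """Assets with no scope tag cannot be mapped to controls: an inventory gap to document."""
    return [a.name for a in inventory if "scope" not in a.tags]

if __name__ == "__main__":
    for cid, (req, failing) in assess(INVENTORY, CONTROLS).items():
        print(cid, req, "FAIL" if failing else "PASS", failing)
    print("unclassified assets:", unclassified(INVENTORY))
```

Re-running assess() against a fresh inventory pull is the continuous check from Step 4; the unclassified list is the drift that Step 1’s visibility requirement exists to catch.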

Today’s environment of rapid and sophisticated cyberattacks requires automated tools to improve threat detection and response/remediation times. It’s also important to monitor these automated tools, which essentially become part of your threat-prevention “controls,” to ensure they have the correct settings. Additionally, you should check that the automation tools themselves are secure through hardening and testing.

Automated remediation should be prioritized based on the risk assessment and threat priority. For example, in the case of potentially high-impact, high-probability events, it is better to handle the incident with manual tools rather than use automation to mitigate this risk. For compliance programs that are uniquely oriented to specific risk scenarios (e.g., PCI and HIPAA), you should of course consider automated technologies to help address these.

Compliance Not a Cure-All

While compliance is no guarantee of security in the cloud, it can assist both the customer and the CSP in a common approach, with steps towards managing risk and applying relevant controls. The value of compliance programs is that they underscore the importance of data security to the cloud service provider and customer alike and typically enforce a minimum level of security controls.

However, it is important that the complexities introduced by the cloud are appropriately managed. Security constructs such as virtual networks, containerization, microservices, virtual firewalls and other cloud-based offerings are not as easily managed as a traditional environment. And compliance requirements do not always reflect the complexities of new cloud systems, or indicate where traditional security approaches do not work as well in the cloud.

Call to Action

We started with a question about how businesses approach security and compliance in the cloud. Cloud offerings are changing regularly, and security and compliance solutions in the cloud are being rapidly adopted. For companies who are serious about security and concerned about compliance, there is a path to achieving both with the cloud, but it will require awareness, education, and appropriate approaches to ensure against missteps.

Automated tools and vendor-provided frameworks can make some of the challenges of cloud security easier by providing expert systems of automation and compliance frameworks to help you be compliant in cloud environments. Expert tools, such as CheckPoint CloudGuard Dome9, provide a bridge to ensure that security requirements are monitored in cloud technologies. For instance, CloudGuard Dome9 is a platform for users of cloud services from Amazon (AWS), Google (GCE), or Microsoft (Azure) that provides a way to assess your security posture against compliance requirements, detect misconfigurations, then monitor and enforce your actual compliance. With tools like these, companies can improve confidence in security approaches and protect against identity theft and data loss in the cloud.