Introduction to Cloud Compliance and ways to achieve it
Cloud compliance refers to complying with the laws and regulations that apply to using the cloud. Compliance issues arise as soon as an organization moves its data to the cloud, whether through cloud storage or backup services. To make that move while staying compliant, the following questions have to be answered:
- What data should we move to the cloud and what should we not?
- Where is our data going to reside?
- Who is going to look after it?
- Who is going to be able to see it?
- If we use a public cloud how secure is that cloud platform for us? Is the cloud going to be separated from other organizations’ data?
- What questions do we need to ask our cloud provider and what terms should be written into SLAs to maintain compliance?
Awareness of Regulations and Guidelines
The organization needs to be aware of all of the regulatory policies and procedures it must comply with, and then find a cloud service provider (CSP) that meets the same set of standards. The CSP should be able to document how it meets those requirements in the cloud and to prove it in an audit. Some of the most common regulatory requirements are as follows:
HIPAA (Health Insurance Portability and Accountability Act) is a set of healthcare laws that lays out strict guidelines and security protocols for how patient health data and confidential information may be stored. These laws apply to healthcare providers as well as health insurance companies. The best way to meet HIPAA requirements is to encrypt data securely so that it stays protected in the event of a security breach.
PCI DSS (Payment Card Industry Data Security Standard) is a standard required of any company that processes or handles payment card information, such as credit cards. Each of its 12 requirements must be met in order to achieve compliance, and failure to do so can result in hefty fines.
The GLBA (Gramm-Leach-Bliley Act) law applies to financial institutions regarding how they protect the security of customers’ confidential information. This law states that companies must explicitly share with customers how their data is being stored, as well as what measures are being followed to protect it.
Access Control
Lack of proper authentication, or identity and access control, is a major cause of company data breaches. Many companies see multi-factor authentication as too complex and time-consuming to invest in; however, it is one of the best ways to avoid potential security threats. Single sign-on can be convenient for users, but it greatly increases the risk of being hacked: a single username and password is very easy to steal, especially if employees use weak passwords.
Multi-factor authentication is the best way to remove the risk of being compromised and is a highly secure process that makes it nearly impossible to be breached. In order to log in, users must not only use a username and password but must also use a second source of authentication, such as a verification code sent to their phone or email. This reduces the ability of someone to log in with only a username and password, since an additional step is required that only the approved employee can complete.
Classification of Data and Knowing Where It Is Stored
It is most important to know where your data is being stored. If you should ever undergo an audit, you will need to prove the exact location of your data as well as what you have put in place to protect it.
When researching potential CSPs, obtain explicit documentation from them about the location of their servers. According to a majority of industry standards and regulations, any server a CSP uses to store data should reside in the United States. Even where a regulation does not require the servers to be in the U.S., other countries may have different laws, which can become a major privacy issue.
Once you have decided on a reputable and legitimate CSP, the next step for your company is to classify all of your data in order to choose what will be moved to the cloud. For both compliance and security reasons, it is recommended that highly confidential or sensitive data remain on the internal network and never be migrated to the cloud. Another option for companies is a private cloud hosted on premises, which provides the benefits of cloud storage without the same security risks.
Encryption
After classifying the data and deciding that some confidential or sensitive information must be stored in the cloud, it is important to ensure that the organization encrypts it. Encrypting sensitive data not only protects it from attacks or compromise but also satisfies most compliance requirements. A majority of CSPs offer encryption services, but there are also many third-party software programs that can help with this process.
If your CSP provides the encryption, find out what type of encryption it uses as well as how and when it is applied. For data in transit, industry-standard transport protocols such as HTTPS indicate that communications between you and the server are encrypted.
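As an added example that is not part of the original article, the classification, data-residency, encryption and MFA rules described above expressed as policy-as-code checks over a constructed data-store inventory; the region names, classification labels and rule thresholds are assumptions to be replaced with those of the regulations that actually apply:

```python
# Added example (not from the article): the article's compliance rules expressed
# as policy-as-code checks over a constructed data-store inventory.
from dataclasses import dataclass

# Assumption: in-scope regulations require CSP servers to reside in these
# (US) regions; adjust to the regulations that actually apply.
ALLOWED_REGIONS = {"us-east", "us-west"}

@dataclass
class DataStore:
    name: str
    classification: str      # "public", "internal", "confidential" or "restricted"
    location: str            # "on-prem" or a CSP region name
    encrypted_at_rest: bool
    tls_in_transit: bool
    mfa_required: bool

def check_store(s: DataStore) -> list:
    """Return compliance findings for one store; an empty list means compliant."""
    findings = []
    in_cloud = s.location != "on-prem"
    sensitive = s.classification != "public"
    # Highly sensitive data stays on the internal network, never in the cloud.
    if in_cloud and s.classification == "restricted":
        findings.append(f"{s.name}: restricted data must not be migrated to the cloud")
    # Cloud-hosted data must sit in an allowed region (data residency).
    if in_cloud and s.location not in ALLOWED_REGIONS:
        findings.append(f"{s.name}: region '{s.location}' is not an allowed region")
    # Anything above 'public' must be encrypted at rest and in transit.
    if sensitive and not s.encrypted_at_rest:
        findings.append(f"{s.name}: not encrypted at rest")
    if sensitive and not s.tls_in_transit:
        findings.append(f"{s.name}: transport encryption (TLS) not enforced")
    # Access to non-public data requires multi-factor authentication.
    if sensitive and not s.mfa_required:
        findings.append(f"{s.name}: MFA not required for access")
    return findings

def audit(stores: list) -> dict:
    """Map each non-compliant store name to its findings."""
    return {s.name: f for s in stores if (f := check_store(s))}

# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = [
    DataStore("patient-records", "restricted", "us-east", True, True, True),
    DataStore("card-tokens", "confidential", "eu-central", True, True, False),
    DataStore("marketing-site", "public", "us-west", False, True, False),
    DataStore("hr-archive", "confidential", "on-prem", False, True, True),
]
```

Running `audit(SAMPLE_INVENTORY)` reports the restricted store that was migrated, the confidential store outside the allowed regions without MFA, and the on-premises archive that is not encrypted at rest, while the public site passes.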
How the data is stored is the most important part. Most data breaches are carried out by insiders from the company, whether they are malicious or simply accidental.
A CSP can set up virtual networks that no one within your company has access to and in which all traffic flowing between machines in the cloud is encrypted. This helps eliminate the risk of data being hacked. As an organization, there are a few steps that can be taken to prevent insider threats:
- Identity management.
- Identity governance.
- Access management and risk-based authentication.
- Security intelligence.