Oct 10, 2019

Compliance in the Cloud: Security & Privacy

The cloud computing keeps advancing worldwide. Organizations receive higher IT resources scalability and data interoperability at a lower cost. But, typical challenges prevent organizations of enterprise level from full cloud engagement. In our new article we summarize the challenges and approaches on the way to cloud compliance.
AWS Compliance

For small or startup businesses, jumping in the cloud is no pain. They receive ready-to-use cloud infrastructure and start from scratch. Business transformation for enterprises seems very tough. It is a major organizational disruptor on the way to cloud migration. Redefining and standardizing every business process to fit the cloud environment is costly. Once you survived through it, your organizational nightmare is over.

A permanent concern makes the shift from sole to shared responsibility model. It results in dispersed control over cloud security and cloud compliance processes. Add to it the third- and fourth-party risk. All this creates the so-called “cloud conundrum”.

Below, we summarize the challenges and approaches on the way to cloud compliance.

First-timer Challenges of Security Compliance in the Cloud

Migrating to the cloud without any prior experience may not be a pleasant journey. You will face the issues you have never had before. A clear view of the pitfalls simplifies your way to cloud compliance.

Challenges organizations meet after having entered the cloud:

  • Operation consistency. Your operation finally lands in the cloud. The compliance functions and processes are implemented in your cloud systems. Make sure there are no malfunctions or deviations.
  • Increased threats. Your exposure to new threats will grow. As well as will the burden of cloud security compliance. The increased mobility of the organization’s workforce contributes to this difficulty. Their mobile devices connected to out-of-your-control external networks open more targets for attackers.
  • Data visibility. Regulatory requirements for data residency control ever increase. Be ready to face a new reality: your critical data resides no longer in one secure place. It is dispersed between mobile devices, cloud apps, and services. Welcome to the era of edge computing! To keep a single view on your corporate data becomes fairly challenging.

Compliance via Shared Responsibility

Cloud providers and vendors strengthen security and compliance in their solutions. Now cloud-based technologies engage encryption, tokenization, multi-factor authentication, etc. enhancing cloud security compliance.

There is a popular, but the mistaken idea about compliance in the cloud as something out-of-the-box and taken for granted. Some may think there is nothing to worry about. Data security and regulatory compliance become the sole responsibility of the cloud provider. This is wrong. It is called “The Cloud Compliance Trap”.

Handing over your data does not mean handing over all your responsibility. Responsibility for your cloud security compliance now is distributed between many parties.

You have to learn how this distribution works in your individual case. Depending on how high you get into the cloud stack, you have different layers of built-in security. For example, a SaaS application has a layer of security compliance. Your cloud infrastructure and platform provide their own layers:

  • Cloud App Layer;
  • Infrastructure Layer;
  • Platform Layer.

Why to Think of the Fourth-Party Risk?

We live in a world of growing interdependencies. We are responsible for control over the critical data we entrusted to our vendors. Monitoring third-party risk is mandatory and included in the risk management programs.

The fourth party is vendors or subcontractors of your vendors. It is critical to pay certain attention to them too. Imagine that half of your 50 vendors rely upon a dozen other critical providers each. The risk grows to a dramatic scale. Your next-kin provider may fall victim to a major breach. Exposing your sensitive data to bad guys may have catastrophic consequences.

Compliance and Cloud Applications: Questions to Ask

Does your business involve running several cloud-based apps? There are things to think about in advance, before their deployment in the cloud.

First, it is about the proper choice:

  • Choose applications contributing to your cloud compliance without exposing you to more risk.
  • Ask your cloud app vendor if there are any issues to expect with regard to integration.
  • Discuss specific details with your cloud provider.
  • Get advice from compliance and security experts about potential threats and vulnerabilities. Some vulnerabilities may be inherent. Others emerge while integrating cloud-based apps into your network.

Advice on AWS cloud compliance and Google cloud compliance may differ.

One more thing to keep in mind is Electronic Discovery or e-discovery. It relates to the availability of information in various electronic formats for using it as a piece of evidence in legal proceedings.

You may consider any other public and private cloud providers.

Questions to ask when considering compliance and security in the cloud:

  • How secure are my cloud 1) apps, 2) services, and 3) underlying resources?
  • Where will my data reside: 1) countries, 2) states or provinces, and 3) datacenters specific locations?
  • What particular entities will have access to my data?
  • For how long is my organization required to keep data in storage?
  • Will my data be optimized for e-discovery?
  • How data subject’s requests will be processed?

A Few Tips for your Cloud Compliance

Prepare to address more challenges, if you decide to engage in many clouds. Some are specific to public clouds, some to hybrid and private ones. Having more than one cloud environment multiplies your operational, administrative and regulatory troubles.

We recommend two useful tips to improve your data security in the cloud.

Restrict personal data to limited geography:

  • Separate personal data from other data and restrict its handling. Thus, you will reduce the incompliance risks.
  • Specify the actual location of data centers storing and processing your data. Configure your information system to restrict personal data handling to a certain territory. It can be EU, specific country, or one US state only.

It is not always possible. Public cloud providers store data at the locations they find fit. The system duplicates and disperses the data between many datacenters. Hence, it is a problem to know where your data live at any moment of time.

Lock up your data by encryption

We recommend client-based encryption. It will reduce the risk of data compromising, theft, or loss. It does not resolve the problem of data visibility. But it eliminates the risk of hackers intercepting data in transit.

Secondly, host your cloud resources only with trustworthy providers with proven clear-cut data geolocation polices.

Final Reminder

No cloud arrangements will release you from the responsibility for your compliance. You cannot outsource it and sleep well without making 100% sure about the absolute reliability of your cloud providers.

Work your way through the due diligence process. Make sure your cloud providers meet the effective compliance and security requirements as per ISO/IEC 27017:2015.

From the GDPR perspective, complying with mandatory standards is solidary responsibility. It means that a personal data controller is entirely and equally liable for a breach occurred through the fault of its data processors, i.e. cloud providers.

Find out more about cloud security and privacy compliance, the existing challenges and solutions, contacting Infopulse experts. To receive an enhanced experience from full immersion into the topic, fill the form below and request your personal demo.

Request a demo

Request a Demo

Request an individual live demo to find out how Infopulse Standards Compliance Manager – an integrated information security management tool, can optimize and streamline your mission-critical business processes related to security governance, compliance and risk management specific to your industry.

Schedule your personal demo with our expert for a date and time that works best for you.

Contact form