Enterprise businesses continue to undergo digital transformations, finding new ways to connect with their client base, embracing hybrid and work-from-home strategies, and scaling their operations through innovative technologies. Though cloud adoption has been a key driver for these transformations, the unique challenges of securing cloud environments remain a top concern amongst enterprise leaders and security professionals.
Most recently, Fortinet’s 2023 Cloud Security Report found that most global respondents across various industries expressed a moderate to high level of concern regarding cloud security. 43% of those surveyed believed that risks associated with using a public cloud far surpassed those tied to traditional, on-prem environments. One of the top risks identified highlighted the unique challenge of meeting cloud-specific compliance requirements.
This post provides an overview of the various regulations and requirements that impact cloud security and focuses on practical cyber best practices enterprises can implement to ensure compliance and continue benefiting from the cloud.
In a report covering data security in an era of hybrid work, ransomware, and accelerated cloud transformation, researchers examined the momentum that cloud adoption continues to see. Of those surveyed, a third of companies stated that they had 41% to 60% of all their corporate data stored in an external cloud. Another 22% of those participants indicated that over 60% of their business critical data was based in the cloud.
With so much of the world’s data now held in the cloud, enterprises are expected to meet set standards for cloud usage and security in accordance with industry-specific guidelines as well as local, state, federal, and international laws. Regulations and compliance controls serve to protect businesses and their clients; however, shifts in the greater threat landscape mean that they are frequently subject to change.
Even in terms of obtaining cyber liability insurance coverage, modern enterprises based in the cloud must be certain that their cloud infrastructure meets all applicable controls and regulations. Insurance carriers, particularly those that serve high-risk industries like IT, finance, and healthcare, all require advanced cybersecurity measures in order to bind their insurance policies. Since the cloud surface is faced with many inherent risks, security strategies are now a hard requirement for any kind of coverage.
Cloud computing has long since evolved beyond being just a means of storing data. The past decade has seen cloud bloom into a full-scale computing solution and enable an entire generation of organizations to share, optimize, manage, and scale information like never before.
Though powerful and very beneficial, the features that make cloud services so useful to enterprises are the same ones that make data in the cloud a challenge to regulate and secure. Security leaders defending their organization’s cloud environment take into consideration the following dimensions of cloud security:
Cloud compliance describes the process and act of meeting regulatory standards, industry guidelines, and applicable legal requirements for using cloud technology. Compliance in cloud environments starts in the planning and initial deployment stage with the right settings, policies, and best practice frameworks in place to guide ongoing use.
Since many cyberattacks on the cloud surface are the result of poor implementation of cloud security measures, insider threats, and misconfigurations, focusing on cloud compliance management can help security leaders prioritize what needs to be done to achieve a stronger security posture.
The following is a list of the most widely used government and industry-specific security regulations that pertain to cloud-based organizations.
HIPAA (Health Insurance Portability & Accountability Act) federal standards seek to protect sensitive health information from being disclosed without the knowledge and consent of the patient it belongs to. The HIPAA Security Rule is a subset of requirements that supports these standards and covers all individually identifiable health information created, received, maintained, or transmitted in electronic form.
Organizations that create, receive, maintain, and/or transmit electronic protected health information (e-PHI) through a cloud platform must:
SOX (Sarbanes-Oxley Act) is a federal law enforcing auditing and financial regulations upon public companies to improve the reliability of their financial reporting and foster investor confidence in the age of high-profile corporate crime. To comply with SOX, companies are required to:
Public companies adhering to SOX guidelines are only permitted to work with cloud service providers that themselves follow the Statement on Auditing Standards No. 70 or the Statement on Standards for Attestation Engagements No. 16 auditing guidelines.
PCI DSS (Payment Card Industry Data Security Standard) was developed to protect all payment account data throughout the payment lifecycle. Any organization, merchant, service provider, or institution that processes card payment transactions is required to abide by PCI DSS controls. These controls focus on building and maintaining secure networks and systems that protect cardholder data through robust access controls.
Cloud-specific PCI DSS controls to be followed include:
The NIST (National Institute of Standards & Technology) framework provides a risk-based approach to managing cybersecurity risk through a repeatable and measurable process. NIST Special Publication 800-144 (“Guidelines on Security and Privacy in Public Cloud Computing”) outlines recommendations organizations can follow when outsourcing data, applications, and infrastructure to a public cloud environment. Other special publications geared specifically towards cloud computing include:
ISO 27001 is recognized internationally as an information security standard for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving Information Security Management Systems (ISMS).
Under this main umbrella of standards, ISO 27017 is a set of security controls specific to cloud computing, and ISO 27018 is a set of privacy controls for managing personal data in cloud environments.
FedRAMP (Federal Risk & Authorization Management Program) is a federally recognized and government-wide compliance program promoting the adoption of secure cloud services. It standardizes the security assessment and authorization of any cloud products and services used by U.S. federal agencies.
The responsibility of securing a cloud environment is not shifted from an enterprise to its cloud service provider (CSP); rather, it is shared. This starts with an understanding between all associated parties with access to the cloud, through frameworks such as the Cloud Shared Responsibility Model.
The model clearly defines the areas of control and protection that each party must handle to ensure a secure and reliable cloud environment. In this model, the CSP is responsible for securing the underlying cloud infrastructure, including servers, networks, and physical facilities. On the other hand, the enterprise is accountable for managing their data, applications, user access, and configurations.
The significance of the Cloud Shared Responsibility Model lies in establishing clear boundaries and expectations for both CSPs and customers. It helps organizations understand the division of responsibilities and assists in making informed decisions about implementing additional security measures to protect their data and applications. By clarifying the shared responsibilities, the model promotes collaboration, risk mitigation, and effective security management in the cloud.
Developing cloud security policies that make sense for a unique business begins with assessing risks. Since there are inherent risks to consider, security leaders will need to look at what information is shared to the cloud, how it is being stored, and what requires business-critical levels of control and access.
After the risk assessment, design policies and controls around the identified cloud risks, then establish cloud governance to disseminate and manage those policies across the rest of the organization. Having a formal governance model in place reduces friction between various teams when the new cloud policies are implemented and refined. Both cloud adoption and governance champions should be in regular contact to evaluate and adjust corporate cloud policies to fit the evolving needs of the business.
In cloud computing, changes to systems, services, or configurations need to be tightly controlled, with workflows to review, approve, and document any modifications and updates made to any part of the cloud infrastructure or applications.
While cloud solutions and services enable flexibility and speed, these benefits can also make managing change a challenge for security teams. Improperly established change control can result in misconfigurations early on in the cloud deployment process, leaving the environment exposed to opportunistic threat actors.
To establish proper change management processes for cloud:
Growing cloud adoption rates reaffirm its popularity amongst organizations of all sizes. Used to increase scalability, flexibility, and operational efficiency, cloud computing has risen as a driving force behind many modern businesses. As more businesses migrate to the cloud as part of their ongoing digital transformations, cloud compliance will remain a keystone within the overarching cybersecurity strategy.
Building a strong cloud strategy focused on achieving compliance means understanding which legal and regulatory requirements apply to specific industries and locations of operation. Also, taking time to perform a detailed risk assessment allows security teams to design policies and governance models that are tailored to the business and support the ongoing use of innovative cloud technologies.
Learn about how SentinelOne’s Singularity™ For Cloud solution protects the cloud surface from advanced cyberattacks, allowing business leaders to focus on their operations and clients. Improve your cloud security strategy through a combination of endpoint detection and response (EDR) capability, autonomous threat hunting, and runtime solutions that can defeat cloud-based threats without compromising agility or availability. Contact us today or book a demo for more details.