For those who thought data security was hard when business was primarily on-sitewelcome to a new age of complexity. Todays business is mobile with data stored everywhere in the cloud. However, one thing hasnt changed: customers are still demanding that organizations keep their data safe. Failure isnt an option, and non-compliance with todays strict regulations brings stiff penalties and, most importantly, the loss of customer trust, something no business can afford.
In this article we will examine the key components of cloud compliance frameworks, introduce examples, and explain why aligning your data security policies and procedures to these compliance frameworks is critical for organizations looking to protect data and maintain customer trust in a mobile world.
Cloud storage and SaaS solutions bring unprecedented speed, agility, and flexibility to a business. However, trusting third-party vendors with sensitive data comes with numerous inherent risks. Here are some challenges to consider when securing your data in the cloud:
Cloud deployments deliver accessibility, but they also create open, decentralized networks with increased vulnerability. This is where cloud compliance frameworks come in. Modern enterprises need the holistic guidance and structure provided by these frameworks to keep data safe in todays dispersed business landscape.
When an organization understands the inherent risks they are exposed to through the use of cloud services, develops policies and processes to manage these risks, and, most importantly, follows through on these policies and processes, they can have higher confidence in their security posture.
Cloud security experts have identified key control categories to mitigate the inherent risk of using cloud services. These are formalized through frameworks such as the Cloud Security Alliance Cloud Controls Matrix (CCM).
Below are the components compliance frameworks utilize to drive a higher level of security in the cloud.
These preset controls protect your sensitive data from dangerous public exposure. The following are essential areas of cloud governance:
Two of the clouds biggest advantages, speed and flexibility, make controlling change more difficult. Inadequate change control often results in problematic misconfigurations in the cloud. Organizations should consider leveraging automation to continuously check configurations for issues and ensure successful change processes.
Identity and access management (IAM) controls often experience multiple changes in the cloud. Below are a few IAM best practices to keep in mind for your cloud environment:
The complexity and dispersed nature of the cloud make monitoring and logging all activity extremely important. Capturing the who, what, when, where, and how of events keeps organizations audit-ready and is the backbone of compliance verification. When monitoring and logging data in your cloud environment, its essential to:
Effectively managing vulnerability starts with a comprehensive knowledge of your environments and identifying potential risks. Smart organizations analyze all software for known weaknesses and watch for the introduction of third-party entities with potential vulnerabilities. Identifying and remediating vulnerabilities is central to any security platform and plays a major role in meeting regulatory requirements.
Reporting provides current and historical proof of compliance. Think of these reports as your compliance footprint and very handy come audit time. A complete timeline of all events before and after an incident can provide critical evidence should your compliance ever be questioned. How long youre required to keep these records depends on the individual regulation requirementsome want only a month or two, while others require much longer. Your team must keep all files in a secure, independent location in the event of an on-site system crash or natural disaster.
These frameworks speak specifically to cloud compliance requirements. Both cloud vendors and customers should be well versed on the specifics of these three frameworks.
Cloud Security Alliance Controls Matrix: This foundational grouping of security controls, created by the Cloud Security Alliance, provides a basic guideline for security vendors, boosting the strength of security control environments and simplifying audits. Additionally, this framework helps potential customers appraise the risk posture of prospective cloud vendors.
The Cloud Security Alliance has developed a certification program called STAR. The value-added CSA STAR certification verifies an above and beyond cloud security stance that carries weight with customers. This overachievers set of standards may be the best asset for customers looking to assess a vendors commitment to security, and a must for all organizations looking to cement customer trust. Further, The STAR registry documents the security and privacy controls provided by popular cloud computing offerings, so cloud customers can assess their security providers to make good purchasing decisions.
FedRAMP: Meeting this set of cloud-specific data security regulations is a must for organizations looking to do business with any Federal agency. FedRAMPs purpose is to ensure all cloud deployments used by the Federal government have the minimum level of required protection for data and applications. Be preparedbecoming FedRAMP compliant can be a long, detailed, and exhaustive process even for well-staffed organizations. A System Security Plan documenting controls must be submitted to the Joint Authorization Board (JAB), followed by an assessment and authorization. Organizations must then demonstrate continuous compliance to retain FedRAMP status.
Sarbanes-Oxley (SOX): We can thank well-publicized financial scandals like Enron for this set of financial regulatory requirements. SOX is a set of guidelines governing how publicly-traded companies report financial data to protect customers from errors in reporting or fraud. SOX regulations arent security-specific, but a variety of IT security controls are included within the scope of SOX because they support data integrity. However, SOX audits cover just a small portion of cloud security and IT infrastructure. SOX shouldnt be taken lightly, as violators can expect harsh penalties, including fines up to five million dollars or up to twenty years in jail.
Organizations handling sensitive data can benefit from adhering to the standards set by the following security-specific regulations. These frameworks provide the methodology and structure to help avoid damaging security incidents. Here are four frameworks that organizations should have on their radar.
ISO 27001: Developed by the International Organization for Standards, this international set of standards for information security management systems demonstrates that your organization operates within the best practices of information security and takes data protection seriously. Any company handling sensitive data should seriously consider adding ISO 27001 to their compliance resume. ISO 27002 supports this regulation by detailing the specific controls required for compliance under ISO 27001 standards.
NIST Cybersecurity Framework: This foundational policy and procedure standard for private sector organizations appraises their ability to manage and mitigate cyber-attacks. A best practice guide for security pros, this framework assists in understanding and managing risk and should be mandatory reading for those on the first line of defense. NIST Cybersecurity Framework is built around five core functions: identifying, protecting, detecting, responding, and recovering. Back in 2015, Gartner estimated that 50% of United States organizations will use the NIST Security Framework by 2020.
CIS Controls: The Center for Internet Security created this guideline of best practices for cyber defense. This framework delivers actionable defense practices based on a list of 20 Critical Security Controls which focus on tightening access controls, defense system hardening, and continuous monitoring of environments. The first six are described as basic controls, the middle ten as foundational controls, and the remaining four as organizational controls.
These frameworks can be considered best practice guidelines for cloud architects, commonly addressing operational efficiency, security, and cost-value considerations. Here are three for cloud architects to keep front of mind.
AWS Well-Architected Framework: This best practice guideline helps Amazon Web Services architects design workloads and applications in the Amazon cloud. This framework operates around a set of questions for the critique of cloud environments and provides customers with a solid resource for architecture evaluation. Five key principles guide Amazon architectsoperational excellence, security, reliability, performance efficiency, and cost optimization.
Google Cloud Architected Framework: This best practice guideline provides a foundation for constructing and enhancing Google cloud offerings. This framework guides architects by focusing on four key principlesoperational excellence, security and compliance, reliability, and performance cost optimization.
Azure Architecture Framework: This set of best practice guidelines assists architects constructing cloud-based offerings in Microsoft Azure. This guide helps maximize architecture workloads and is based on similar principles as those found in the AWS and Google Cloud Frameworks, including cost optimization to drive increased value, operational excellence and performance efficiency to keep systems functional, reliability to recover from failures, and security for data protection.
Customers want to know they can trust your organization to keep their data safe. If your organization wants to conduct business with the federal government, achieving certain cloud security certifications is the procurement gate.
Cloud compliance frameworks provide the guidelines and structure necessary for maintaining the level of security your customers demand.
Additionally, these frameworks will help you navigate a regulatory minefield and avoid the steep financial and reputational cost of non-compliance. Most importantly, implementing a compliance framework will allow your organization to verify your commitment to privacy and data protection. This will keep you out of trouble with regulators and boost credibility and trust with your customers.
Security and compliance, though different, are interrelated and have significant overlap. These areas of overlap can create dangerous gaps in your defense. Innovative, continuous compliance solutions, such as those provided by Hyperproof, can help organizations identify and manage overlaps between security and compliance risk mitigation strategies to create safer environments.
Hyperproof makes the process of gaining cloud security certifications (e.g. ISO 27001, FedRAMP) and maintaining them faster and easier . Our compliance operations software allows you to see and understand all the requirements of a compliance framework. You can create controls to meet the requirements and assign controls to your team to operate or monitor. Ultimately, this will help your compliance team save time gathering evidence to verify the operating effectiveness of internal controls so compliance and security leaders can spend more time on controls testing. Hyperproof also has a Crosswalks feature that clearly identifies the overlapping requirement areas across multiple security frameworks. This allows you to leverage your existing compliance efforts to achieve certification in additional frameworks faster. Hyperproofs compliance solution provides analytics and dashboards to run a continuous monitoring program to verify your compliance status and drive remediation efforts.
To see how Hyperproof helps you gain control of your compliance efforts, sign up for a personalized demo.
MarkKnowlesis a freelance content marketing writer specializing in articles, e-books, and whitepapers on cybersecurity, automation, and artificial intelligence.Markhas experience creating fresh content, engaging audiences, and establishing thought leadership for many top tech companies. He is based in the sunny state of Arizona but enjoys traveling the world and writing remotely.
Banner photo byChristina MorillofromPexels
The post Cloud Compliance Frameworks: What You Need to Know appeared first on Hyperproof.
Recent Articles By Author
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Hyperproof Team. Read the original post at: https://hyperproof.io/resource/cloud-compliance-frameworks/?utm_source=rss&utm_medium=rss&utm_campaign=cloud-compliance-frameworks
Here is the original post:
Cloud Compliance Frameworks: What You Need to Know - Security Boulevard
- BTFS is Poised to Disrupt the Cloud Storage Industry? - ihodl.com - October 15th, 2020
- Reducing cloud storage costs: what you need to know - ITProPortal - October 15th, 2020
- Save an extra 20% on VPNs, password managers, and cloud storage - Mashable - October 15th, 2020
- Cohesity hooks up with AWS to pipe data management-as-a-service at users, starting with backup - Blocks and Files - October 15th, 2020
- The Best Backup and Restore Courses and Online Training for 2020 - Solutions Review - October 15th, 2020
- NetApp Insight 2020 conference news and coverage - TechTarget - October 15th, 2020
- iPad productivity tips: Keyboard tricks, shortcuts, and more - Fast Company - October 15th, 2020
- Cloud At The Edge, GPU Storage And LTO Gen 9 - Forbes - September 25th, 2020
- Zoom is being sued over its cloud storage practices - TechRadar - September 25th, 2020
- Microsofts storage dream: a hard disk drive the size of a wardrobe with Samsung Galaxy S20 parts - TechRadar - September 25th, 2020
- How to Access S3 Buckets from Windows or Linux - ITPro Today - September 25th, 2020
- There is a hole in my cloud bucket - Fudzilla - September 25th, 2020
- Red Hat shifts automated data pipeline into OpenShift Blocks and Files - Blocks and Files - September 25th, 2020
- Seagate gets into object storage with new CORTX software Blocks and Files - Blocks and Files - September 25th, 2020
- Kioxia's Ethernet SSD stirs into EBOF life as architects dream - Blocks and Files - September 25th, 2020
- Ceph scales to 10 billion objects Blocks and Files - Blocks and Files - September 25th, 2020
- Google accused of using its online dominance to hold back competitors; to face antitrust lawsuit: Report - Times Now - September 25th, 2020
- Synology DiskStation can keep your digital life organized and safe - The Dallas Morning News - September 25th, 2020
- Looking for a job? The Library is here to help! | Globe Times - swglobetimes.com - September 25th, 2020
- Multi Cloud Storage Market is Projected to Increment at an Eye-Catching CAGR by 2023 | 21.2% CAGR | Know the COVID19 Impact - Verdant News - September 25th, 2020
- Internet of Things (IoT) Cloud Platform Market: Demand Rate with Regional Outlook, Applications, Consumer Profiles & Forecast 2026 - The Daily... - September 25th, 2020
- This tiny CPU firm could play a key role in the future of Apple One - TechRadar - September 25th, 2020
- Could Snowflake Rival Amazon in Cloud Storage and Services? Here's What You Need to Know About the New So - Tech Times - September 15th, 2020
- How Cloud Computing Can Deal With Lightning Strikes and Hackers - Carnegie Endowment for International Peace - September 15th, 2020
- How to approach IT logging in the cloud vs. on premises - TechTarget - September 15th, 2020
- This lifetime web hosting subscription comes with up to 1TB of storage - Mashable - September 15th, 2020
- Keep It in the Cloud! Best Cloud Storage Systems of 2020 - iDrop News - September 6th, 2020
- Impact of COVID-19 on Cloud Storage Software Market 2025 Expected to reach Highest CAGR including major key players Amazon Web Services, Microsoft,... - September 6th, 2020
- Facebook adds cloud storage providers Dropbox and Koofr to its photo and video portability tool - Digital Information World - September 6th, 2020
- Cloud storages you need to know - The Star, Kenya - September 6th, 2020
- How COVID-19 is Impacting the Consumer Cloud Storage Services Market by Industry Analysis, by Type, Application and Top Players:Apple, Google, Box,... - September 6th, 2020
- Cloud Storage Gateway Market to Witness Stunning Growth by 2027; Key Players are Riverbed Technology, SoftNAS, Inc., Oracle, Microsoft, Nasuni... - September 6th, 2020
- COVID-19 Is Driving a Cloud Computing Surge That Will Only Continue | Opinion - Newsweek - September 6th, 2020
- Asia Pacific Personal Cloud Market Industry Analysis and Market Forecast (2019-2026) _ Hosted Types, Revenues, User Type, and Geography. - Galus... - September 6th, 2020
- Amazon's Blink Unveils New Wireless Security Cameras with HD Video, Flexible Storage Options, and New Battery Expansion Pack Cameras Start at $79.99... - September 2nd, 2020
- Cloud Storage Software Market Will Raise Beyond Imagination over Period 2025 | Microsoft, Oracle, Rackspace Hosting, Red Hat, IBM - Scientect - September 2nd, 2020
- Stand Alone Cloud Storage Market Current Industry Size and Future Prospective with Key Players, Drivers and Trends - The Daily Chronicle - September 2nd, 2020
- Media And Entertainment Storage TAM To Exceed $16B By 2025 - Forbes - September 2nd, 2020
- The Launching Ceremony for XnMatrix Wrapped Up, the Next Generation of Cloud Computing Eco-System Sets Sail - PRNewswire - September 2nd, 2020
- Why not open our own Container Registry, muses GitHub as it gives orgs a hand at resource-sharing DEVCLASS - DevClass - September 2nd, 2020
- Sharing responsibility: Why we need to work together to keep the cloud secure - ComputerWeekly.com - September 2nd, 2020
- Data breach exposes tens of thousands of NSW drivers licences online - ABC News - September 2nd, 2020
- 10 Key Takeaways From NetApp CEO George Kurian: Cloud, Coronavirus And Growth - CRN: Technology news for channel partners and solution providers - September 2nd, 2020
- Responding to Cloud Misconfigurations with Security Automation and Common-Sense Tips - Security Boulevard - September 2nd, 2020
- How to Prepare for the Next Time the Cloud Goes Down - Gizmodo - September 2nd, 2020
- Demand for Consumer Cloud Storage Services Market from Major End-use Sectors to Increase in the Near Future - The Scarlet - August 29th, 2020
- Prevent the storage and data security risks of remote work - TechTarget - August 29th, 2020
- Samsung kills Gallery Sync and Drive support in favor of OneDrive - Android Central - August 29th, 2020
- 4 great Android apps to edit the perfect photo - Phandroid - News for Android - August 29th, 2020
- Google Cloud and STS to Automate US Navy Maintenance Inspections Using AI and ML Technology - PRNewswire - August 29th, 2020
- New innovative report on Cloud Storage Gateway Market Future Growth Analysis, Business Demand and Opportunities to 2027 - The Scarlet - August 29th, 2020
- Global Cloud Based Storage Market 2020 Industry Outlook, Comprehensive Insights, Growth and Forecast 2026 - Good Night, Good Hockey - August 29th, 2020
- In quest to go paperless (and save money), Mizuho to start charging for bank books - Japan Today - August 29th, 2020
- NetApp posts strong Q1, plots big re-organisation Blocks and Files - Blocks and Files - August 29th, 2020
- The Handiest Video Doorbells to Remotely Test Who's At your Doorstep - Herald Planet - August 29th, 2020
- Explore the best free cloud backup services on the market - TechTarget - August 26th, 2020
- Integrated Media Technologies Joins the Active Archive Alliance - Sports Video Group - August 26th, 2020
- Storj Labs and FileZilla Collaborate to Offer Secure File Storage in the Remote Work Era - Database Trends and Applications - August 26th, 2020
- Reevert Unveils Advanced Tools to Enhance Network Security and Efficiency for Remote Workforces - PRNewswire - August 26th, 2020
- Enhancing Network Visibility for SD-WAN in the Era of Cloud and SaaS - The Fast Mode - August 26th, 2020
- Where to Back Up Your Smartphone Photos Online (and Why You Should) - Lifehacker - August 24th, 2020
- NordLocker encryption heads to the cloud - IT PRO - August 24th, 2020
- What Is the OneDrive File Size Limit? Microsoft's 2020 Updates - Cloudwards - August 24th, 2020
- A Security Flaw In 'Manage Versions' Feature Of Google Drive Could Allow Malware Attackers Trick Victims Into Installing Rogue Code - Digital... - August 24th, 2020
- Medical Image Cloud Market Expected to Witness High Growth over the Forecast Period 2020 2025 - The Daily Chronicle - August 24th, 2020
- What Is OneDrive? A 2020 Guide to Microsoft's Cloud Storage - Cloudwards - August 20th, 2020
- Stand Alone Cloud Storage Market Growth, Industry Verticals and Forecast to 2026 - Scientect - August 20th, 2020
- Outlook on the Healthcare Data Storage Global Market to 2026 - Opportunity Analysis for New Entrants - ResearchAndMarkets.com - Business Wire - August 20th, 2020
- Personal Cloud Storage Market by Top Manufacturers with Production, Price, Revenue (value) and Market Share to 2026 - The Daily Chronicle - August 16th, 2020
- Pure Storage and Cohesity in Partnership to Deliver Rapid Recovery at Scale - insideHPC - August 16th, 2020
- Cloud Storage Systems Market Analysis, Size, Regional Outlook, Competitive Strategies and Forecasts to 2025 - eRealty Express - August 16th, 2020
- Cloud Storage Market Size by Top Companies, Regions, Types and Application, End Users and Forecast to 2027 - Bulletin Line - August 16th, 2020
- How to install the Seafile cloud storage solution on Ubuntu Server 20.04 - TechRepublic - July 31st, 2020
- Five on-premise and cloud options for network-attached storage - ComputerWeekly.com - July 31st, 2020
- Want to back up the worlds largest SSD? Use this 100TB cloud storage - TechRadar - July 31st, 2020
- 4 reasons why Tresorit is the best cloud storage service - Tech Advisor - July 31st, 2020
- Cloud Technologies Your Business Needs in 2020 - The Seeker - July 31st, 2020
- FBI Alerts to Rise in Targeted Netwalker Ransomware Attacks - HealthITSecurity.com - July 31st, 2020
- The entire Netflix movie archive will fit on this 90PB storage system - TechRadar - July 31st, 2020
- Student discounts: the best offers in 2020 - Creative Bloq - July 31st, 2020