Cloud security compliance ensures your cloud environments meet applicable laws, regulations, and industry and internal standards. It can be challenging because of the compliance requirements that typically apply. However, the consequences of not doing so are severe. For example, OneMain Financial paid the New York state regulator a whopping $4.25 million penalty for violations found during a routine audit.
On the other hand, the benefits of cloud security compliance are numerous. You reduce the risk of data breaches and other security incidents and gain customer confidence and trust. This article explores the best practices in cloud security compliance, along with some practical examples and tools you can use for implementation.
Summary of cloud security compliance best practices
We recommend the following steps when developing your cloud security compliance.
| Best practice | Description |
|---|---|
| Identify applicable requirements | Review your organization’s industry, location, and customer base to determine the applicable security regulations and security standards. |
| Understand your responsibilities | Your organization is responsible for the compliance of your applications, the data you process and store, and the services you provide. |
| Assess the current state of cloud security. | Assess your current state of cloud security compliance. After this, develop a plan to address applicable requirements. |
| Implement security controls to plug gaps. | Cloud security controls cover all the best practices, regulations, and guidelines to safeguard your cloud environments. |
| Implement continuous monitoring |
Your organization’s cloud environment is unlikely to remain static. Monitoring cloud security is necessary to detect drifts. In multi-cloud environments, a compliance management platform improves the efficiency of monitoring. |
#1 Identify applicable requirements
The first step to achieving cloud security compliance is to identify the security compliance standards your organization is targeting. Your organization should already have a cloud governance strategy that defines its goals and objectives for using the cloud. Laws and regulations that guide your cloud governance also inform your cloud security compliance. The applicable compliance standards vary depending on the industry, location, and customer base.
For example, if your organization operates in the financial sector, then the Payment Card Industry-Data Security Standard (PCI-DSS) may be applicable. One of the PCI-DSS requirements is to install and maintain a firewall configuration that protects cardholder data. This requirement can drive your cloud resources configuration policy. The policy defines two states for your cloud resources: those that are protected by a firewall (compliant) and those that are not protected (non-compliant).
The image shows measuring cloud resources against a policy that requires a firewall to protect the resources.
It's helpful to categorize and prioritize the applicable security standards. We show an example of this in the table below. The table suggests classifying standards into operational areas they impact. More than one operational impact may apply to a given security standard.
| Security standard/regulation | Operational impact | Example Priority |
|---|---|---|
| ISO/IEC 27000-1 | Customer | High |
| GDPR | Location | High |
| CIS Azure (1.3) | Industry | Medium |
| PCI DSS | Industry | High |
| ISO/IEC 27017 | Internal | Medium |
| Well-architected frameworks, e.g., AWS Well-Architected, Microsoft Azure Well-Architected, or Google Cloud Adoption | Internal | Medium |
The table is an example of prioritizing the security standards/regulations that you are targeting.
By adding a priority for a given standard, you can target the most impactful security standards.
#2 Understand your responsibilities
You must clearly understand your responsibilities vs. your cloud provider because this determines what part of your IT infrastructure you must make security compliant. The image below shows the responsible party for the four main deployment strategies: on-premise, IaaS, PaaS, and SaaS.
The image shows the responsibilities of the four main deployment strategies (Source).
As you can see, the cloud provider is only responsible for monitoring and responding to security threats, vulnerabilities, and incidents related to their cloud services and underlying infrastructure. Your data and applications are outside of the cloud provider's responsibility. You may build applications from compliant services, but your application is not automatically compliant.
For example, Amazon DynamoDB is a third-party verified security-compliant service. However, using Amazon DynamoDB to store customer data does not mean you are automatically compliant. Your database security configuration may publicly expose DynamoDB data. You are responsible for addressing this security vulnerability and ensuring your security controls follow DynamoDB security best practices.
Use the cloud provider’s compliance documentation to determine what security controls are already in place. We provide the compliance documentation for the three major cloud providers below:
- Microsoft Azure – Azure compliance documentation
- Amazon Web Services (AWS) – Compliance Programs
- Google Cloud Platform (GCP) – Cloud Compliance & Regulations Resources
#3 Assess the current state of cloud security
The discovery of resources is a critical step in cloud security compliance. Assess your cloud resources against each of your required compliance standards. A given compliance standard may have multiple policies. You can measure your cloud resources against each policy to determine whether they are compliant or non-compliant.
For example, ISO 27017 is a security standard for organizations using the cloud. It provides best practice guidelines for information security management. These guidelines can be turned into policies required to meet the standard. An example from ISO 27017 is a Cryptographic Controls policy; a requirement is a maximum expiration date for SSL/TLS certificates of 2 years. Your SSL/TLS certificates can be measured against this requirement.
If your cloud resources span multiple accounts and providers, then a third-party compliance management platform is necessary to view your complete cloud inventory from one place. After your accounts are onboarded, you can assess your security compliance. The image shows an example of an assessment summary from CoreStack.
In Corestack, you can view your compliance by cloud account or policy.
You can further review individual compliance requirements. The following image shows an example of checking the “NS-2. Secure cloud services with network controls” security compliance control from the Microsoft cloud security benchmark.
As you can see, many storage accounts fail to comply with the NS-2 standard. You can apply an exemption if your organization does not require storage accounts to use a private link connection or restrict network access.
However, if no exemptions apply, you must review the processes you use to provision storage accounts. You can avoid security misconfigurations by automating the creation of storage accounts using Infrastructure-as-code templates.
#4 Implement security controls to plug gaps
Cloud security controls cover all the best practices, regulations, and guidelines to secure your cloud environments. You can implement the controls required to address gaps discovered in your assessment. Most security controls fall into four categories, as summarized below.
| Cloud security control category | Description |
|---|---|
| Deterrent controls | Deterrent controls work like a warning system to deter malicious actors. For example, making customers aware that their API activity is being monitored. Any abnormal activity results in negative consequences, e.g., blocking customer access. |
| Preventive controls |
Preventive controls remove security flaws. For example:
|
| Detective controls | Detective controls respond to security threats and events. An example is an intrusion detection tool that identifies abnormal network activity. Once detected, it triggers a corrective control, e.g., blocking the source IP address. |
| Corrective controls | Corrective controls restore your cloud environment's functionality to normal operations. They activate during a security breach. For example, if a malicious actor accesses your systems and deletes data, you reinstate a backup of the deleted data. |
Third-party tools can also recommend security controls for your cloud infrastructure. The image below shows an example from CoreStack that suggests the security controls that address your highest priority security standards.
#5 Implement continuous monitoring
You’re only as compliant as the last time you checked, which is why continuous monitoring is required. Without continuous monitoring you cannot ensure that your security controls are being continuously followed and a compliant state is being maintained. Cloud providers often have tools to monitor your cloud resources, such as Microsoft Defender for Cloud on Microsoft Azure, AWS Security Hub on AWS, or Security Command Center on Google Cloud.
However, monitoring your resources is challenging if your organization has multiple cloud accounts or uses various cloud providers. You must utilize the cloud provider's compliance tools in each cloud environment. It will be inefficient to repeat the assessment and remediation multiple times.
A third-party tool oversees affected resources from multiple cloud accounts and in various cloud providers to improve efficiency. For example, the CoreStack dashboard image below shows affected resources across multiple AWS accounts that violate an AWS S3 bucket security control policy.
Response
You must respond to cloud security compliance violations promptly. The image below shows CoreStack’s compliance posture dashboard for resources that violate the AWS Audit App Tier EC2 Instance using the IAM Roles policy. The remediation status column shows five states: Open, Skipped, Error, Success, and InProgress.
You should conduct regular security audits of your cloud environment to understand how well you respond to security incidents and compliance violations.
Documentation
All relevant employees should have access to your organization’s cloud security compliance program. Your employees are the first line of defense against security threats. Ensure that they are aware of what is expected from them. Do they understand the security risks associated with cloud computing? How do they know your specific cloud security compliance requirements?
A cloud security compliance tool that enables collaboration between your different teams helps your employees retain responsibility and be accountable for continuous compliance with their workloads. A compliance management platform with role-based access control (RBAC) enables sharing of security information across your organization. It is an appropriate way to document and track cloud security compliance. The image below shows an example of granting employees access to relevant documentation.
Image shows an example of using RBAC within a cloud security compliance tool from CoreStack.
|
Platform
|
Provisioning Automation |
Security Management |
Cost Management |
Regulatory Compliance |
Powered by Artificial Intelligence |
Native Hybrid Cloud Support
|
|---|---|---|---|---|---|---|
|
Azure Native Tools |
✔
|
✔
|
✔
|
|
|
|
|
CoreStack
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
Conclusion
Cloud security compliance is essential for organizations utilizing cloud services. It helps obtain the initial trust of customers and maintain it further. Make cloud security a part of your development processes, not something you review before going to production.
Start by understanding your cloud security compliance requirements and responsibilities vs. your cloud provider. Implement robust security controls in your cloud environment and review your organization's response to compliance violations. Cloud security is an ongoing process to protect your cloud environments from threats and ensure they remain compliant over time.
A cloud security compliance platform that integrates with multiple cloud providers can provide centralized visibility of your cloud resources. Look for features like continuous monitoring, automated remediation, and multi-cloud visibility. By combining the right tools and best practices, you will reap the benefits of cloud security compliance!
