Why Cloud Compliance Doesn’t Need To Be So Overly Complicated

Cloud Compliance 

Regulatory compliance is an issue that has not only weighed heavily on the minds of executives, security and audit teams, but also today, even end users. Public cloud adds more complexity when varying degrees of infrastructure (depending on the cloud model) and data fall out of the hands of the company and into the hands of the service provider. Additionally, the lines of responsibility between the service provider and the consumer remain blurred in most regulations, standards and frameworks though cloud has gone mainstream for even regulated workloads. However, in this era of business agility out we not to focus more on ways to relieve cloud audit burden?

It’s all About the Data

With end user digital empowerment and increased business agility it’s only to be expected that more rogue cloud services will abound. That’s where a more data-centric approach can reduce the risk of compliance violations of data being transacted or residing in rogue cloud services. In this data-centric approach users need to be:

1. Proactively educated about the value of data. Many when they provision rogue cloud services are often not aware of the value of the company data that they are farming out to public cloud models

2. Able to leverage an intuitive data classification scheme and easily digitally tag or watermark data accordingly

Organizations can also leverage one of the many cloud security brokers for the discovery, analysis and many of the policy enforcement aspects of their data across public Software as a Service cloud models.

Standards Evolution

Standards issuers have begun providing more concrete guidance and standards for cloud Service Providers and consuming organizations alike The International Organization for Standardization ISO/IEC 27018:2014 establishes controls and guidelines in for protecting Personally Identifiable Information (PII) in public clouds. The Payment Industry Data Security Standard (PCI DSS) Council has also issued guidance and so has the National Institute of Technology and Standards (NIST), with its Federal Risk and Authorization Management Program (FedRAMP). FedRAMP goes one step further in requiring service providers to obtain authorization in order to meet federal cybersecurity requirements for cloud services.

Harmonizing Compliance Efforts

Harmonizing regulations and standards to a common security framework can greatly benefit both cloud providers and consuming organizations. Cloud users no longer need to think of standards in a “one off” manner, but instead utilize a framework to essentially “audit once, report many times” given the great overlap between many of the standards, frameworks and regulations today.

The Cloud Security Alliance Cloud Controls Matrix cross maps several internationally recognized industry and regulatory standards against 16 domains based on critical areas of focus for cloud computing and while not intended to be a prescriptive framework, it has emerged as concrete guidance for all parties. The Cloud Controls Matrix also recognizes that controls apply differently across different environments and delineates controls not only by cloud model type (SaaS, PaaS, IaaS), but also recommends which fall under the service provider’s realm of responsibility versus the consuming organizations’.

As cloud audit processes mature, there is an opportunity to further streamline compliance and decrease complexity. A digitized cross mapping tool would be the next evolution and a great asset to both cloud providers and consuming organizations alike.

By Evelyn de Souza

JK Chelladurai
Maintain telecom tax compliance The Telecommunications industry is one of the most heavily taxed service industries. In countries such as the United States, providers have to keep on top of Federal, State, and District taxes, ...
Jim Fagan
Subsea Connectivity Digital transformation and the migration of data and applications to the cloud is a global phenomenon. While we may like to think that the cloud knows no borders, the reality is that geopolitics ...
Louis
Why Services CPQ Is Too Slow Today When PS organizations compete in sales cycles, the first competitor to have a complete quote with accurate pricing, schedules, and an engagement plan will often win. However, getting ...
Gilad David Maayan
What Is Application Dependency Mapping? Modern software development teams use fast-paced DevOps work processes. However, the complexity of modern software applications often gets in the way. A typical enterprise software project has thousands of components, ...
Dan Teichman
Cloud-Native Communications Historically, Communication Service Providers (CSPs) networks ran on purpose-built hardware. However, in the early 2000s organizations started to update their infrastructure, moving to virtualization. Now, providers are looking to take the next step, ...
  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.