Cloud service providers (CSPs) grew popular by making IaaS, PaaS, and SaaS resources available on demand, enabling organizations to gain unprecedented agility, flexibility, and scalability to deploy information systems. CSPs also created economies of scale for physical security and advanced security operations center (SOC) capabilities as a byproduct of doing business. It’s not feasible for a small and medium-sized enterprise (SME) to replicate what they can “rent.”
There’s a clear value proposition, but there’s no substitute for due diligence and accountability. Trusting a third party means that SMEs must accept trade-offs and what CSPs refer to as “shared responsibility” to maintain the confidentiality, integrity, and availability (CIA) of their information. Today, there are many intricacies involved with regulatory compliance, especially regionally, when data is stored or accessed in many different places.
Cloud compliance standards evolved to address these challenges. Admittedly, it’s become more complex than ever because many locales have established unique data privacy requirements, such as GDPR, NISD, and California’s Consumer Privacy Act. CSPs, however, make it easier to comply with the growing assortment of international, state, and local security regulations, laws, and standards.
That’s significant because an organization that doesn’t comply with these standards can face legal hurdles, fines, and other negative ramifications. Cloud providers won’t indemnify SMEs against all data breaches or noncompliance or circumvent every challenge by virtue of an all-inclusive security and privacy halo effect. But they can provide the tools to succeed, in combination with the steps SMEs take to ensure their compliance.
This post explores what cloud compliance is, the challenges that organizations might face in practice, and how to remain cloud compliant as the complexities and consequences increase.
How Is Compliance in the Cloud Different from On-Prem Compliance?
Today, many SMEs maintain a hybrid infrastructure, and there’s a growing number of cloud-based workplaces. The notion that there are distinct “camps” is a false construct. Laws, including HIPAA and PCI DSS, are agnostic to where applications and data reside. However, there are multiple working groups developing standards for cloud services. Not every standard is most appropriate for every organization, and SMEs must evaluate the best fit.
The most commonly used standards are:
Some organizations evaluate their cloud compliance efforts through Service Organization Control Type 2 (SOC 2) reports. SOC 2 certification demonstrates that security and reporting controls are in place to protect data privacy.
This may appear complex, but cloud providers can perform the heavy lifting for SMEs. CSPs are consistently audited and disclose certifications and reports. There are also pre-built documentation and compliance controls to accommodate sensitive workflows, such as those involving Private Health Information (PHI). SMEs are expected to architect their solutions by adhering to the guidance that’s provided.
Control and Security
Previously, compliance requirements at times prohibited organizations from utilizing cloud services, especially within tightly regulated sectors. Control over infrastructure was the sticking point, but it can be a red herring. The act of doing it yourself doesn’t guarantee better security, but some organizations prefer to retain full ownership of their infrastructure.
In that scenario, the entire burden of auditing, reporting, and responsibility for any security incidents falls on the SME (versus the protections CSPs implement and pass downstream to their customers). It’s important to determine what level of control is required and to understand which security controls must be present within each hosting paradigm.
In a cloud-based environment, the question of who controls the data between the organization and the CSP can be unclear. For example, the company is responsible for the data its employees create in public cloud ecosystems like Amazon Web Services (AWS). However, the cloud service vendor has ultimate control over data management in such an environment. Control isn’t the same as ownership, and some legal measures have been established to avoid any doubt over digital ownership in favor of the content creator.
This can be reflected in the CSP’s terms of service, stating that the customer retains all intellectual property rights and ownership of data. CSPs may place a hold on data to comply with legal regulations. For example, they could pass the data to government agencies if requested, similar to how a court order would require access to a self-hosted infrastructure.
In an on-prem environment, security is paramount, especially for organizations with sensitive data, such as banking institutions or healthcare providers. To remain compliant, these organizations may opt for on-prem environments despite the benefits that cloud computing provides. The reasoning is that IT administrators maintain full control over their deployment and maintenance. There are pros and cons to this approach. People aren’t infallible and oversights can occur, irrespective of where apps are being deployed.
As previously noted, cloud providers undergo intensive audits and have marshaled together considerable resources to ensure CIA for their clients. It’s highly unlikely that an SME would have the funds or capacity to duplicate what a CSP can do in-house. For instance, SOC reporting necessitates a multi-million dollar investment in people and technology.
Mainstream CSPs provide adequate segmentation between cloud tenants, which is sufficient for most use cases. Dedicated cloud services have emerged to fill in gaps where a public cloud might be inadequate for groups such as defense and intelligence agencies. These CSPs adhere to the most stringent security standards for workloads that are subject to a high level of control. These standards are unlikely to involve an SME, but CSP implementations are available.
The most appropriate path for your enterprise, however, always depends on your unique requirements, resources, and what your organization is looking for in a compliance solution.
Common Cloud Compliance Challenges
Compliance with security standards can initially be challenging in a cloud-based setup because organizations must delineate where CSP responsibilities end and their own obligations begin in a shared responsibility model. Failing to do so is a governance failure that can open up numerous vulnerabilities for attackers to exploit. It’s no different than team members failing to perform their duties on-premises. As such, organizations that opt for a cloud-based model must conduct due diligence and ensure that the CSP is compliant with the regulatory standards that apply within their industry. Fortunately, CSPs are extremely transparent about compliance, and each has an ecosystem of extensive resources to achieve successful cloud implementations.
Every regulation standard requires organizations and CSPs to provide adequate measures that protect their physical and information assets. However, meeting regulatory standards may be a challenge for organizations for the following reasons:
Lack of Network Visibility
Moving workloads to cloud-based environments means losing some of the controls that IT teams had with the on-prem environment. This is because CSPs may not grant the organization direct access to the shared IT infrastructure stack, allowing many cloud-based workloads to become “opaque containers.” This is especially true in multicloud systems where there’s no centralized monitoring solution available by default. For instance, it’s not possible to tap/SPAN a network to examine a packet dump. Some organizations are compelled to use a third-party solution to supply cloud-related network data.
Likewise, an organization may lack visibility into its on-premises architecture, or lack the experience required to analyze network data and produce findings that are actionable and timely.
Challenges with Shared Responsibility
Managing resources in an on-prem setup is straightforward because the organization assigns the responsibility to in-house IT teams. However, with cloud-based workloads, the responsibility is shared between the organization and the CSP. A CSP is responsible for the security of the cloud (facilities, network, hardware) while clients handle configurations in the cloud. In the cloud, security controls are necessary for the guest operating system (no different than self-hosted) and applications, in addition to network management and security tools that the CSP provides.
The boundaries of security obligations shift on the spectrum between IaaS, PaaS, and SaaS. The shared responsibility model may create confusion for organizations, especially where IT teams are unsure of their roles within the divided responsibilities.
Data Localization and Sovereignty Issues
Cloud computing services allow businesses to operate globally. Under such environments, creating local servers and storage systems that keep confidential data for processing according to data localization and sovereignty standards can be a challenge. CSPs have responded to data residency and sovereignty regulations by associating specific data retention policies with availability regions.
These laws also apply to self-hosted applications, in which case, an SME might be expected to maintain and operate a local data center. It’s a best practice to always review local laws and regulations prior to deploying services. Companies have cropped up exclusively to help SMEs navigate cloud risk and compliance.
Cloud Misconfiguration Challenges
An organization may fail to configure services properly regardless of where their applications reside. For example, IT teams may fail to turn on data encryption or activate multi-factor authentication (MFA) to secure local file sharing resources just as easily as they might misconfigure a cloud service. Failure to close a port on a firewall is no different than making the same mistake in the cloud. These oversights can expose the organization’s environment to multiple cybersecurity risks such as data exfiltration, phishing, and ransomware attacks.
An organization may fail to configure its cloud-based services properly, especially if operating in a multi-cloud environment. Here are some common errors:
- Failing to restrict in/outbound ports: This is no different than leaving gaps in your firewall configuration.
- Managing shared secrets poorly: Treat them as you would passwords.
- Failing to use the provided logging/monitoring solutions: Visibility and monitoring are important aspects of cloud governance.
- Mishandling subdomains, leading to subdomain hijacking and risk of attacks: Validate your DNS records from time to time.
- Not hardening services by turning off outdated protocols: Cloud services aren’t all “set it and forget it.” Follow the same security best practices that you would on-premises.
- Making insecure, unencrypted backups: Always encrypt and manage access control.
- Making permissions mistakes and failing to manage entitlements for roles: Use the entitlement management tools that are at your disposal or deploy automated group memberships for a more mature posture.
- Not reviewing permissions regularly: This is especially important when you migrate to a CSP. Managing entitlements, permissions, and remediation planning are at the core of Zero Trust security for the cloud.
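As an added illustration (not code from the original post or from JumpCloud), the checker below runs several of the misconfiguration classes listed above against a constructed inventory: world-open sensitive ports, unencrypted backups, outdated TLS still accepted, privileged accounts without MFA, and entitlements that haven't been reviewed within a set window. The inventory shape, the port list and the 90-day review window are assumptions for the example, not any CSP's API.

```python
from datetime import date

# Constructed sample inventory (hypothetical shape, not a real CSP API).
INVENTORY = {
    "security_groups": [
        {"name": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "db", "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
    ],
    "backups": [
        {"name": "nightly-db", "encrypted": True},
        {"name": "file-share", "encrypted": False},
    ],
    "endpoints": [
        {"name": "api", "min_tls": "1.2"},
        {"name": "legacy", "min_tls": "1.0"},
    ],
    "users": [
        {"name": "alice", "mfa": True, "roles": ["admin"], "last_review": "2024-01-10"},
        {"name": "svc-batch", "mfa": False, "roles": ["admin"], "last_review": "2023-01-10"},
    ],
}

# Ports that should never be reachable from 0.0.0.0/0 (chosen for this example).
SENSITIVE_PORTS = {22, 3306, 3389, 5432}
REVIEW_MAX_DAYS = 90  # how old an entitlement review may be before it is flagged

def audit(inv, today):
    """Return (severity, resource, finding) tuples for each misconfiguration."""
    findings = []
    for sg in inv["security_groups"]:  # unrestricted inbound ports
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in SENSITIVE_PORTS:
                findings.append(("high", sg["name"], f"port {rule['port']} open to 0.0.0.0/0"))
    for b in inv["backups"]:  # unencrypted backups
        if not b["encrypted"]:
            findings.append(("high", b["name"], "backup not encrypted"))
    for ep in inv["endpoints"]:  # outdated protocols left enabled
        if tuple(int(x) for x in ep["min_tls"].split(".")) < (1, 2):
            findings.append(("medium", ep["name"], f"TLS {ep['min_tls']} still accepted"))
    for u in inv["users"]:  # MFA on privileged roles and stale permission reviews
        if "admin" in u["roles"] and not u["mfa"]:
            findings.append(("high", u["name"], "privileged account without MFA"))
        age = (today - date.fromisoformat(u["last_review"])).days
        if age > REVIEW_MAX_DAYS:
            findings.append(("low", u["name"], f"permissions not reviewed for {age} days"))
    return findings

def audit_sample():
    """Run the audit on the constructed inventory at a fixed date."""
    return audit(INVENTORY, date(2024, 3, 1))

if __name__ == "__main__":
    for sev, res, msg in audit_sample():
        print(f"[{sev}] {res}: {msg}")
```

In practice the inventory would be pulled from the CSP's own configuration export or logging tools rather than hard-coded, and the checks scheduled so that the "review permissions regularly" item happens by default.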
How To Ensure Cloud Compliance
Cloud compliance requirements usually vary depending on the industry you’re operating in and the regulations that guide your business. Nevertheless, cloud compliance management is essential. Let’s dive into the issues that you need to put into perspective to ensure cloud compliance, from your data, infrastructure, and apps to users and endpoints.
Consider hiring an external resource to audit your cloud configurations for missteps. In lieu of that step, conduct a self-audit to assess compliance program effectiveness. There are many free online guides and toolkits available for this purpose. Some business events (such as an IPO) will trigger a SOC 2-type audit, so preparation and planning are always recommended.
Changing Laws and Regulations
Compliance isn’t a destination; it’s a process. It’s a moving target, especially in IT, where technology evolves rapidly. New laws and regulations at the global, federal, state, or local level can present challenges that IT teams must address quickly. Virtually every organization now operates under some form of regulation, regardless of the industry, with the most common ones being GDPR, HIPAA, and PCI DSS. Also, be aware of the relevant data privacy and protection laws that apply to your organization’s data.
Standards from organizations such as ISO cover the processing of personal data in the cloud and track against the key objectives of regulators in large markets such as the European Commission. The selection of a CSP is another important aspect of meeting legal obligations, especially if your organization is branching out into other regions.
There are no constraints that prohibit SMEs from adopting cloud services; CSPs help SMEs ensure compliance with regulatory requirements.
Control Remote and Hybrid Environments
Today’s IT infrastructures have increased in complexity, especially with emerging remote and hybrid workplaces that require employees to access enterprise resources through heterogeneous endpoints. For example, many modern IT environments contain Windows, Linux, and macOS operating systems (OSs). Accessing IT resources from unmanaged devices introduces attack surface area risks.
The processes and systems within these environments need to be deployed anywhere across any system while adhering to compliance standards that specify controls such as MFA, vulnerability and patch management, and drive encryption. This complexity, coupled with on-demand everywhere access capabilities, complicates the processes of securing distributed workplace environments. Modern device management platforms provide cross-OS support to centralize relevant management functions.
The bring-your-own-device (BYOD) phenomenon can be a valuable and cost-effective IT strategy for an organization to employ. However, it can also adversely affect the best-laid plans if the organization doesn’t implement proper controls. Any disconnect or lack of strategy regarding BYOD could lead to:
- Compliance challenges arising from the lack of an effective strategy, such as adequate employee training.
- Loss of visibility and control of data from unsupported endpoint processes and storage of an enterprise’s data.
- Potential disclosure of the organization’s information or data leaks from unsanctioned devices due to hacking or other cyber-related threats.
Mobile device management (MDM) can help organizations to establish security baselines to reduce the risk of using employee-owned devices to access company resources.
Using JumpCloud for IT Compliance
Transitioning from on-prem IT infrastructure to cloud-based services provides organizations with the convenience and flexibility to scale their resources as needed, cost-effectively. However, it also changes the scope of compliance and reporting requirements. Fortunately, the entire multi-tenant cloud environment doesn’t fall within the scope of individual audits.
The customer environment and the provider-managed environment and processes (the “in the cloud” portion) are subject to audits, and controls are prescribed including penetration testing, network vulnerability scanning, entitlements management, and identity and access management (IAM). Per PCI, “any devices (e.g., physical router on premises, cloud gateway, or peering transit networks, etc.) used to facilitate the connection, is secured and managed.”
JumpCloud’s open directory platform helps with compliance, because it extends what’s possible from existing business systems with features such as Zero Trust controls, device management, and even reporting for AWS. This helps organizations meet compliance obligations in the cloud, for endpoints and behind the firewall. Some of the capabilities that align with common compliance controls are:
- Easy-to-use identity lifecycle management (ILM) that leverages automation and employee HRIS data to continually monitor group memberships and permissions.
- Access controls, including push MFA across every supported protocol (SAML, OIDC, RADIUS, and LDAP) and conditional rules that increase security to protect the most sensitive resources.
- Delegated authentication to secure Wi-Fi and VPN logins, using existing Microsoft identities.
- Device management, including policies such as full disk encryption (FDE), patching, and MDM to deliver device trust.
- Cloud Insights for AWS, Directory Insights, and Systems Insights reporting tools for documentation purposes, visibility into events, and what users are doing. There is a growing collection of pre-built reports as well as scheduling options.
- Software management can be used to deploy approved apps that meet your supply chain standards. Single sign-on (SSO) provides access to your resources without exposing passwords over the wire, and SCIM provisioning can assist with authorization. JumpCloud extends SSO for best-of-breed applications, across cloud services. This helps to limit the possibility of Shadow IT while ensuring that employees have the tools that they require.
- Password management to ensure compliant environments.
IT Compliance: As Painless As Enforce, Prove, Repeat.
Ready to start getting compliant? JumpCloud’s IT Compliance Quickstart Guide was designed to get IT professionals the resources they need to prepare for an audit or shore up their IT security baseline. Visit the IT Compliance Quickstart Guide now.