What is cloud compliance?
Cloud compliance is the series of procedures, controls, and organizational measures you need to have in place to ensure your cloud-based assets meet the requirements of the data protection regulations, standards, and frameworks that are relevant to your organization.
The regulatory requirements themselves are generally the same whether you host your data on-premises or in the cloud. However, these two environments are completely different from one another and therefore the steps you should take to meet such requirements are also completely different. This is down to the dynamic and more complex nature of the cloud, which requires a new and different approach to data governance.
On top of this, it's important to bear in mind that cloud compliance is a distinctly different discipline from cybersecurity. Compliance is a box-ticking exercise whereas cybersecurity is the implementation of organizational and technical controls that are specific to your own organization, the data it stores and processes, and the technologies it uses.
Furthermore, compliance is often much wider in scope. For example, cybersecurity is just one component of the General Data Protection Regulation (GDPR), which includes a range of other provisions, such as the rights of data subjects and limitations on what you do with their data and how long you may store it.
In view of the wide range of different data protection laws and standards that apply to today's data-driven organizations and the new data protection challenges that a move to the cloud presents, the significance of cloud compliance has become greater than ever.
Who is responsible for cloud compliance?
When you host your workloads in your on-premises data center, you are accountable for virtually all aspects of security and compliance. But in the cloud, it's an altogether different story, as you relinquish some of this responsibility to the cloud provider.
In other words, cloud compliance is a shared responsibility. But who exactly is accountable for what?
To help customers understand the demarcation between responsibilities, each of the leading cloud service providers (CSPs) provides a set of guidelines, known as a shared responsibility model. These are by and large very similar, where the:
CSP's responsibilities include the security of its data centers, IT infrastructure, hypervisors, and host operating systems, along with the task of ensuring the availability and reliability of the services it provides to customers.
Customer's responsibilities include the configuration of the cloud services it uses, along with the security and compliance of guest operating systems and the applications it hosts on the vendor's platform.
Cloud Governance
Cloud governance and cloud compliance are integral aspects of managing cloud resources effectively. Cloud governance encompasses the establishment of policies, procedures, and controls to align the use of cloud services with an organization's objectives, ensuring regulatory compliance, and adhering to best practices. It involves the development and implementation of guidelines for cloud resource utilization, emphasizing monitoring and auditing to guarantee ongoing adherence to established standards.
On the other hand, cloud compliance focuses specifically on meeting legal, regulatory, and industry-specific requirements within the cloud environment. It involves addressing areas such as data security, privacy, regulatory obligations, and compliance with service level agreements (SLAs) with cloud service providers.
The relationship between cloud governance and compliance lies in their alignment, as governance frameworks often include policies that directly address compliance needs, and governance mechanisms enforce these policies to ensure adherence to external standards and regulations. Both governance and compliance efforts contribute to effective risk management in the cloud environment, emphasizing the identification and mitigation of potential issues.
Regulations
Below we cover the most important cloud compliance regulations and frameworks, including:
General Data Protection Regulation (GDPR)
A data privacy law designed to protect the personal data of citizens of the European Economic Area (EEA). GDPR covers anyone who is resident within the territorial boundaries of the EU, along with Norway, Iceland, and Liechtenstein, at the time of data collection.
Although the GDPR is European legislation, it is still global in territorial scope. This is because it applies to any organization that serves EEA residents or processes their data as a routine part of its business operation.
The cybersecurity requirements of the GDPR are very loosely defined, merely stating that you should give personal data appropriate levels of protection in line with the risk to that data and the cost of implementation. This highlights the importance of responsibility and accountability for the security of your cloud-based deployments—through clear data governance policies, measures, and procedures that help demonstrate compliance.
And don't forget that the GDPR covers far more than just cybersecurity. For example, you'll need to consider:
Data minimization: You should only collect personal data that's actually necessary to fulfill your purpose.
Storage limitation: You should store it for no longer than necessary.
Data residency: You should only process and store it within the EEA—unless the data subject has consented or data transfer to a third country meets very specific GDPR requirements.
Right of access: You must comply with requests from data subjects for a copy of the personal data you hold about them.
Right of erasure: Under certain circumstances, you must also delete the personal data of any individual that requests you to do so.
Since leaving the EU, the UK has adopted its own implementation of the GDPR, which is virtually the same as its EU counterpart.
Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) aims to protect Europe's financial sector from cyber disruptions and attacks by creating a uniform ICT risk management framework. The act is estimated to affect over 22,000 financial entities and ICT providers, including banks, insurers, and cloud services.
The main goals of DORA are to:
create a comprehensive ICT risk management framework
conduct regular risk assessments
ensure that all major ICT incidents are promptly reported to authorities
DORA: Everything You Need to Know
In this whitepaper, discover the ins and outs of this new set of regulations that applies to over 22,000 organizations in the European Union (EU).
Download Whitepaper
Federal Information Security Management Act (FISMA)
FISMA is U.S. legislative framework that federal agencies, along with private companies serving the public sector, must adopt to protect governmental information under their care. It is built on the foundation of FIPS 199, FIPS 200, and NIST SP 800-53, where you would use:
FIPS 199 to categorize your information and information systems based upon the potential impact (low, moderate, or high) in the event of loss of confidentiality, integrity, or availability.
FIPS 200 to determine the security objectives of your organization based on your FIPS 199 assessment.
The results of your FIPS 199 and FIPS 200 assessments to select the appropriate NIST SP 800-53 baseline security controls that apply to your organization.
Although only applicable to federal agencies and their contractors, FISMA compliance is beneficial to any other organization, as it can open up new doors to business with governmental bodies.
Health Insurance Portability and Accountability Act (HIPAA)
Known as the HIPAA Security Rule, this set of national compliance standards is intended to protect sensitive patient healthcare information across the United States. The rule forms part of the wider goals of the HIPAA, such as to streamline healthcare administration and ensure uninterrupted health insurance coverage for employees who lose or change their job.
The HIPAA covers any organization that directly handles personal health information, such as healthcare providers, health insurance companies, and associated billing services.
Sarbanes-Oxley Act (SOX)
SOX is a federal law aimed at protecting shareholders, employees, and members of the public from negligent or fraudulent accounting and financial practices.
The act primarily focuses on regulation of financial reporting, internal auditing procedures, and other business practices at public companies. However, it also includes compliance requirements in relation to information technology. For example, you need to monitor logs and maintain a full audit trail of user activity involving sensitive data. In addition, it includes a limited range of data security, availability, and other access controls.
Standards and frameworks
Payment Card Industry Data Security Standard (PCI DSS)
A contractual standard, which applies to any organization that accepts or processes card payments. PCI DSS is designed to help ensure the security of sensitive cardholder data. It is administered by the PCI Standards Council—a body of leading payment industry stakeholders.
The framework comprises a series of technical and operational requirements, including provisions for firewalls, encryption, and access control.
To help merchants and service providers understand these requirements in the context of the cloud, the PCI Standards Council has published an online guide about the impact of cloud computing on PCI DSS compliance. This includes an example shared responsibility matrix, which serves as a starting point to understanding the way in which compliance obligations may be shared between the customer and provider of cloud services.
National Institute of Standards and Technology (NIST SP 800-53)
This library of technical and operational controls aims to protect the integrity, confidentiality, and security of information systems. It is mandatory for U.S. governmental bodies and contractors with access to federal systems, serving as a core component of the FISMA. Moreover, it underpins the entire cascade of different frameworks that support FISMA compliance.
In simple terms, NIST SP 800-53 is broken down into different categories of baseline controls, which you select on the basis of risk to data.
Federal Risk and Authorization Management Program (FedRAMP)
This streamlined version of the FISMA is specifically adapted to governmental use of cloud service providers (CSPs).
It is guided by the shared responsibility model of the cloud, whereby it separates requirements into two sets of controls—one for the CSP and the other for the federal agency or contractor using its services. This simplifies FISMA compliance and helps avoid unnecessary duplication of security objectives.
To ensure full compliance, the federal agency or contractor must both use a CSP with FedRAMP authorization and meet its own FedRAMP obligations.
System and Organization Controls 2 (SOC 2)
A voluntary compliance framework, SOC 2 helps service organizations provide assurance to customers that they have appropriate measures in place to protect sensitive data under their control. SOC 2 attestation is a necessity for many outsourced services in the United States, where customers often require it as part of contractual agreements.
You must pass an annual independent audit of your security posture to maintain SOC 2 compliance. Evaluation is based around five broad categories of controls—security, availability, processing integrity, confidentiality, and privacy.
Center for Internet Security Critical Security Controls (CIS Controls)
A voluntary set of essential security controls that organizations should implement as a priority. CIS Controls are designed as a starting point for hardening systems. This is because they focus on measures that make the most effective and most immediate impact. They are particularly useful to IT departments with limited security resources and expertise.
Summary of key data protection regulations and standards
| Regulation or Framework | Applies to | Scope | Territorial Scope | Compliance Responsibility |
|---|---|---|---|---|
| GDPR | Any organization that processes data about EEA citizens | Data security and availability, handling of personal data, and rights of data subjects | Anywhere in the world | Mandatory |
| FISMA | Federal agencies and their contractors, along with any CSPs they use | Security and privacy of data on federal systems | United States | Mandatory |
| HIPAA Privacy Rule | Healthcare providers, health insurance companies, and associated billing services | Security and privacy of healthcare information | United States | Mandatory except where state law takes precedence |
| SOX | Publicly traded companies | Largely financial and business practices, but also covers IT controls | United States | Mandatory for public companies although some requirements also apply to private companies and non-profit organizations |
| PCI DSS | Any organization that accepts or processes card payments | Data security | Anywhere in the world | Contractual |
| NIST SP 800-53 | Federal agencies and their contractors, along with any CSPs they use | Security and privacy of federal data | United States | Mandatory |
| FedRAMP | Federal agencies and their contractors, along with any CSPs they use | Security and privacy of federal data processed or stored in the cloud | United States | Mandatory |
| SOC 2 | Mainly SaaS vendors, companies that provide analytics and business intelligence services, financial institutions, and other organizations that store sensitive customer information | Data security, availability, processing integrity, confidentiality, and privacy | Globally recognized but mainly adopted in United States | Voluntary |
| CIS Controls | Organizations of any size and in any industry sector | Data security | Globally recognized | Voluntary |
Cloud compliance by CSP
Compliance programs
At the outset of your cloud compliance initiative, you'll need to ensure your CSP is able to meet its side of the shared responsibility bargain. Given the sheer number of regulations and standards that may affect your organization, this vetting process may seem like a formidable undertaking.
However, each of the big three vendors – AWS, Microsoft Azure, and Google Cloud Platform – provides an online compliance portal to help customers check that their platforms have the appropriate certification, attestation, or alignment they require.
Furthermore, they make it easy for you to review their compliance offerings by grouping them into different categories, such as industry sectors and territorial regions.
Compliance tools
Each vendor also offers a number of other in-house services to support and help demonstrate compliance. These include:
AWS Artifact: A self-service portal that gives on-demand access to the vendor's compliance documentation and agreements. This provides a quick and efficient way for customers to assess the compliance of the AWS services they use and obtain evidence of appropriate vendor controls that they may need to provide to auditors or regulators.
AWS Audit Manager: A solution that continuously audits the controls you've implemented in your guest AWS environments for compliance with a wide variety of different regulations and standards.
Azure Blueprints: A resource template service for creating and managing environments that comply with predefined standards and requirements. The blueprints are essentially packaged sets of artifacts for deploying fully governed environments on the Azure platform.
Azure Policy: A centralized policy management service through which you can create and maintain rulesets that ensure services are configured with default allow and deny resource properties. It can also alert you whenever resources deviate from policy rules and automatically remediate compliance violations.
Google Assured Workloads: A tool that supports compliance by automatically applying controls to workloads so that they meet the requirements of specified regulatory frameworks. For example, it will only allow you to host data in cloud regions within the territory boundaries permitted by the compliance program you've selected. It also configures the appropriate encryption services as required by law and enforces access controls in line with data sovereignty requirements.
Cloud regions
In addition to the GDPR, many other data protection regulations across the world include data residency requirements governing where you may store and process personal information about data subjects.
So you'll need to ensure your CSP offers a data center presence in those countries permitted by law. If you choose to host your workloads on one of the big three cloud vendor platforms then this should be relatively straightforward, as they now have a combined total of more than 130 data center regions around the globe.
Essential cloud compliance best practices
Let's review some essential best practices to ensure the security, compliance, and efficient management of your cloud environment. The practices are categorized into three main areas:
1. Data Security
Ensuring the confidentiality, integrity, and availability of data stored in the cloud.
Data Classification and Governance:
Implement data classification schemes to categorize data based on sensitivity and regulatory requirements.
Develop and enforce data governance policies that dictate how data is handled, stored, and accessed.
Encryption and Key Management:
Encrypt data at rest and in transit using strong encryption standards (e.g., AES-256) to protect sensitive information.
Manage encryption keys securely, ensuring only authorized personnel have access, and use robust key management practices.
Access Control and Identity Management:
Enforce least privilege access policies, ensuring users have only the minimum access necessary to perform their roles.
Utilize multi-factor authentication (MFA) to add an additional layer of security for accessing cloud services.
2. Configuration Management
The process of maintaining systems, servers, and software in a desired, consistent state.
Secure API Use:
Ensure APIs interfacing with cloud services are securely designed, with strong authentication and encryption for data in transit.
Regularly review and update API access policies to reflect changes in user roles or services.
Patch Management:
Implement an effective patch management process to ensure all software and infrastructure components are up-to-date with the latest security patches.
Network Configuration and Segmentation:
Configure cloud network settings to enforce security policies, including firewalls, intrusion detection systems, and other perimeter defenses.
Use network segmentation to isolate sensitive data and systems, reducing the potential impact of a breach.
3. Strategy & Monitoring
Overarching practices and procedures for managing and overseeing cloud security and compliance.
Compliance and Regulatory Awareness:
Stay informed about relevant regulations and compliance requirements specific to your industry and regions of operation, such as GDPR, HIPAA, or PCI-DSS.
Understand the shared responsibility model in cloud computing, clearly delineating the security responsibilities between your organization and the cloud service provider (CSP).
Security Assessments and Audits:
Conduct regular security assessments, including vulnerability scans and penetration testing, to identify and mitigate potential security gaps.
Perform compliance audits to ensure ongoing adherence to internal policies and external regulations. Maintain audit trails and logs for accountability and forensic analysis.
Employee Training and Awareness:
Provide regular training on security best practices, compliance requirements, and emerging threats to all employees.
Foster a culture of security awareness, emphasizing the importance of every individual’s role in maintaining compliance and data protection.
Incident Response:
Develop and maintain a documented incident response plan that outlines procedures for detecting, containing, eradicating, and recovering from security incidents.
Regularly test the incident response plan to ensure its effectiveness.
Cloud Provider Specifics:
While many best practices are common across cloud providers (AWS, Azure, GCP), some may have slight variations in implementation or utilize unique security features.
Familiarize yourself with your specific cloud provider's security documentation and best practices.
What to look for in a cloud compliance solution
Cloud compliance is no easy challenge given the complexity of cloud-based environments and the sheer number of different regulations and standards that can potentially determine your own individual set of controls.
The good news is that many of the requirements are basically the same—with a strong overlap between different frameworks. Nevertheless, keeping track of both overlapping responsibilities and those that are unique to specific frameworks is a formidable and time-consuming manual undertaking.
So how do you overcome this challenge? How do you avoid duplicating your compliance efforts? How do you map the technical composition of your cloud to your compliance posture? And how do you streamline your compliance endeavors across a complex multicloud implementation?
That's where third-party compliance tools can help.
They're designed to continuously monitor and benchmark your cloud deployments against a wide range of compliance frameworks. For example, they should be able to check whether you have appropriate network security controls in place to protect payment cardholder data—in line with Requirement 1 of PCI DSS. They should also assess the security posture of complex cloud-based deployments, such as containerized workloads, as necessary to help meet the latest requirements of technical frameworks such as the CIS Controls. However, these are just two of literally hundreds of built-in checks that come as part of a highly developed continuous compliance platform.
However, benchmarking isn't the only feature you should look for in a cloud compliance solution.
In addition, it should offer a way to build custom frameworks so you can comply with your own internal requirements or those of other organizations in the software supply chain.
It should also integrate with messaging and ticketing platforms to automatically route issues to the right teams. And it should provide automated remediation capabilities so you can quickly and efficiently fix common and persistent misconfigurations.
Finally, it should provide a full range of assessment reports—from detailed granular information to high-level executive overviews. That way, everyone in your organization will have the insights they need to keep track of your compliance posture.
100+ Built-In Compliance Frameworks
See how Wiz eliminates the manual effort and complexity of achieving compliance in dynamic and multi-cloud environments.
