What is cloud compliance?
Cloud compliance is the series of procedures, controls, and organizational measures you need to have in place to ensure your cloud-based assets meet the requirements of the data protection regulations, standards, and frameworks that are relevant to your organization.
The requirements themselves are generally the same whether you host your data on-premises or in the cloud. However, these two environments are completely different from one another and therefore the steps you should take to meet such requirements are also completely different. This is down to the dynamic and more complex nature of the cloud, which requires a new and different approach to data governance.
On top of this, it's important to bear in mind that cloud compliance is a distinctly different discipline from cybersecurity. Compliance is a box-ticking exercise whereas cybersecurity is the implementation of organizational and technical controls that are specific to your own organization, the data it stores and processes, and the technologies it uses.
Furthermore, compliance is often much wider in scope. For example, cybersecurity is just one component of the General Data Protection Regulation (GDPR), which includes a range of other provisions, such as the rights of data subjects and limitations on what you do with their data and how long you may store it.
In view of the wide range of different data protection laws and standards that apply to today's data-driven organizations and the new data protection challenges that a move to the cloud presents, the significance of cloud compliance has become greater than ever.
Who is responsible for cloud compliance?
When you host your workloads in your on-premises data center, you are accountable for virtually all aspects of security and compliance. But in the cloud, it's an altogether different story, as you relinquish some of this responsibility to the cloud provider.
In other words, cloud compliance is a shared responsibility. But who exactly is accountable for what?
To help customers understand the demarcation between responsibilities, each of the leading cloud service providers (CSPs) provides a set of guidelines, known as a shared responsibility model. These are by and large very similar, where the:
CSP's responsibilities include the security of its data centers, IT infrastructure, hypervisors, and host operating systems, along with the task of ensuring the availability and reliability of the services it provides to customers.
Customer's responsibilities include the configuration of the cloud services it uses, along with the security and compliance of guest operating systems and the applications it hosts on the vendor's platform.
Below we cover the most important cloud compliance regulations and frameworks.
Regulations
General Data Protection Regulation (GDPR)
A data privacy law designed to protect the personal data of citizens of the European Economic Area (EEA). GDPR covers anyone who is resident within the territorial boundaries of the EU, along with Norway, Iceland, and Liechtenstein, at the time of data collection.
Although the GDPR is European legislation, it is still global in territorial scope. This is because it applies to any organization that serves EEA residents or processes their data as a routine part of its business operation.
The cybersecurity requirements of the GDPR are very loosely defined, merely stating that you should give personal data appropriate levels of protection in line with the risk to that data and the cost of implementation. This highlights the importance of responsibility and accountability for the security of your cloud-based deployments—through clear data governance policies, measures, and procedures that help demonstrate compliance.
And don't forget that the GDPR covers far more than just cybersecurity. For example, you'll need to consider:
Data minimization: You should only collect personal data that's actually necessary to fulfill your purpose.
Storage limitation: You should store it for no longer than necessary.
Data residency: You should only process and store it within the EEA—unless the data subject has consented or data transfer to a third country meets very specific GDPR requirements.
Right of access: You must comply with requests from data subjects for a copy of the personal data you hold about them.
Right of erasure: Under certain circumstances, you must also delete the personal data of any individual that requests you to do so.
Since leaving the EU, the UK has adopted its own implementation of the GDPR, which is virtually the same as its EU counterpart.
Federal Information Security Management Act (FISMA)
FISMA is a U.S. legislative framework that federal agencies, along with private companies serving the public sector, must adopt to protect governmental information under their care. It is built on the foundation of FIPS 199, FIPS 200, and NIST SP 800-53, where you would use:
FIPS 199 to categorize your information and information systems based upon the potential impact (low, moderate, or high) in the event of loss of confidentiality, integrity, or availability.
FIPS 200 to determine the security objectives of your organization based on your FIPS 199 assessment.
The results of your FIPS 199 and FIPS 200 assessments to select the appropriate NIST SP 800-53 baseline security controls that apply to your organization.
Although only applicable to federal agencies and their contractors, FISMA compliance is beneficial to any other organization, as it can open up new doors to business with governmental bodies.
Health Insurance Portability and Accountability Act (HIPAA)
Known as the HIPAA Security Rule, this set of national standards is intended to protect sensitive patient healthcare information across the United States. The rule forms part of the wider goals of the HIPAA, such as to streamline healthcare administration and ensure uninterrupted health insurance coverage for employees who lose or change their job.
The HIPAA covers any organization that directly handles personal health information, such as healthcare providers, health insurance companies, and associated billing services.
Sarbanes-Oxley Act (SOX)
SOX is a federal law aimed at protecting shareholders, employees, and members of the public from negligent or fraudulent accounting and financial practices.
The act primarily focuses on regulation of financial reporting, internal auditing procedures, and other business practices at public companies. However, it also includes compliance requirements in relation to information technology. For example, you need to monitor logs and maintain a full audit trail of user activity involving sensitive data. In addition, it includes a limited range of data security, availability, and other access controls.
Standards and frameworks
Payment Card Industry Data Security Standard (PCI DSS)
A contractual standard, which applies to any organization that accepts or processes card payments. PCI DSS is designed to help ensure the security of sensitive cardholder data. It is administered by the PCI Standards Council—a body of leading payment industry stakeholders.
The framework comprises a series of technical and operational requirements, including provisions for firewalls, encryption, and access control.
To help merchants and service providers understand these requirements in the context of the cloud, the PCI Standards Council has published an online guide about the impact of cloud computing on PCI DSS compliance. This includes an example shared responsibility matrix, which serves as a starting point to understanding the way in which compliance obligations may be shared between the customer and provider of cloud services.
National Institute of Standards and Technology (NIST SP 800-53)
This library of technical and operational controls aims to protect the integrity, confidentiality, and security of information systems. It is mandatory for U.S. governmental bodies and contractors with access to federal systems, serving as a core component of the FISMA. Moreover, it underpins the entire cascade of different frameworks that support FISMA compliance.
In simple terms, NIST SP 800-53 is broken down into different categories of baseline controls, which you select on the basis of risk to data.
Federal Risk and Authorization Management Program (FedRAMP)
This streamlined version of the FISMA is specifically adapted to governmental use of cloud service providers (CSPs).
It is guided by the shared responsibility model of the cloud, whereby it separates requirements into two sets of controls—one for the CSP and the other for the federal agency or contractor using its services. This simplifies FISMA compliance and helps avoid unnecessary duplication of security objectives.
To ensure full compliance, the federal agency or contractor must both use a CSP with FedRAMP authorization and meet its own FedRAMP obligations.
System and Organization Controls 2 (SOC 2)
A voluntary compliance framework, SOC 2 helps service organizations provide assurance to customers that they have appropriate measures in place to protect sensitive data under their control. SOC 2 attestation is a necessity for many outsourced services in the United States, where customers often require it as part of contractual agreements.
You must pass an annual independent audit of your security posture to maintain SOC 2 compliance. Evaluation is based around five broad categories of controls—security, availability, processing integrity, confidentiality, and privacy.
Center for Internet Security Critical Security Controls (CIS Controls)
A voluntary set of essential security controls that organizations should implement as a priority. CIS Controls are designed as a starting point for hardening systems. This is because they focus on measures that make the most effective and most immediate impact. They are particularly useful to IT departments with limited security resources and expertise.
Summary of key data protection regulations and standards
| Regulation or Framework | Applies to | Scope | Territorial Scope | Compliance Responsibility |
|---|---|---|---|---|
| GDPR | Any organization that processes data about EEA citizens | Data security and availability, handling of personal data, and rights of data subjects | Anywhere in the world | Mandatory |
| FISMA | Federal agencies and their contractors, along with any CSPs they use | Security and privacy of data on federal systems | United States | Mandatory |
| HIPAA Privacy Rule | Healthcare providers, health insurance companies, and associated billing services | Security and privacy of healthcare information | United States | Mandatory except where state law takes precedence |
| SOX | Publicly traded companies | Largely financial and business practices, but also covers IT controls | United States | Mandatory for public companies, although some requirements also apply to private companies and non-profit organizations |
| PCI DSS | Any organization that accepts or processes card payments | Data security | Anywhere in the world | Contractual |
| NIST SP 800-53 | Federal agencies and their contractors, along with any CSPs they use | Security and privacy of federal data | United States | Mandatory |
| FedRAMP | Federal agencies and their contractors, along with any CSPs they use | Security and privacy of federal data processed or stored in the cloud | United States | Mandatory |
| SOC 2 | Mainly SaaS vendors, companies that provide analytics and business intelligence services, financial institutions, and other organizations that store sensitive customer information | Data security, availability, processing integrity, confidentiality, and privacy | Globally recognized but mainly adopted in the United States | Voluntary |
| CIS Controls | Organizations of any size and in any industry sector | Data security | Globally recognized | Voluntary |
Cloud compliance by CSP
Compliance programs
At the outset of your cloud compliance initiative, you'll need to ensure your CSP is able to meet its side of the shared responsibility bargain. Given the sheer number of regulations and standards that may affect your organization, this vetting process may seem like a formidable undertaking.
However, each of the big three vendors – AWS, Microsoft Azure, and Google Cloud Platform – provides an online compliance portal to help customers check that their platforms have the appropriate certification, attestation, or alignment they require.
Furthermore, they make it easy for you to review their compliance offerings by grouping them into different categories, such as industry sectors and territorial regions.
Compliance tools
Each vendor also offers a number of other in-house services to support and help demonstrate compliance. These include:
AWS Artifact: A self-service portal that gives on-demand access to the vendor's compliance documentation and agreements. This provides a quick and efficient way for customers to assess the compliance of the AWS services they use and obtain evidence of appropriate vendor controls that they may need to provide to auditors or regulators.
AWS Audit Manager: A solution that continuously audits the controls you've implemented in your guest AWS environments for compliance with a wide variety of different regulations and standards.
Azure Blueprints: A resource template service for creating and managing environments that comply with predefined standards and requirements. The blueprints are essentially packaged sets of artifacts for deploying fully governed environments on the Azure platform.
Azure Policy: A centralized policy management service through which you can create and maintain rulesets that ensure services are configured with default allow and deny resource properties. It can also alert you whenever resources deviate from policy rules and automatically remediate compliance violations.
Google Assured Workloads: A tool that supports compliance by automatically applying controls to workloads so that they meet the requirements of specified regulatory frameworks. For example, it will only allow you to host data in cloud regions within the territory boundaries permitted by the compliance program you've selected. It also configures the appropriate encryption services as required by law and enforces access controls in line with data sovereignty requirements.
Cloud regions
In addition to the GDPR, many other data protection regulations across the world include data residency requirements governing where you may store and process personal information about data subjects.
So you'll need to ensure your CSP offers a data center presence in those countries permitted by law. If you choose to host your workloads on one of the big three cloud vendor platforms then this should be relatively straightforward, as they now have a combined total of more than 130 data center regions around the globe.
What to look for in a cloud compliance solution
Cloud compliance is no easy challenge given the complexity of cloud-based environments and the sheer number of different regulations and standards that can potentially determine your own individual set of controls.
The good news is that many of the requirements are basically the same—with a strong overlap between different frameworks. Nevertheless, keeping track of both overlapping responsibilities and those that are unique to specific frameworks is a formidable and time-consuming manual undertaking.
So how do you overcome this challenge? How do you avoid duplicating your compliance efforts? How do you map the technical composition of your cloud to your compliance posture? And how do you streamline your compliance endeavors across a complex multicloud implementation?
That's where third-party compliance tools can help.
They're designed to continuously monitor and benchmark your cloud deployments against a wide range of compliance frameworks. For example, they should be able to check whether you have appropriate network security controls in place to protect payment cardholder data—in line with Requirement 1 of PCI DSS. They should also assess the security posture of complex cloud-based deployments, such as containerized workloads, as necessary to help meet the latest requirements of technical frameworks such as the CIS Controls. However, these are just two of literally hundreds of built-in checks that come as part of a highly developed continuous compliance platform.
However, benchmarking isn't the only feature you should look for in a cloud compliance solution.
In addition, it should offer a way to build custom frameworks so you can comply with your own internal requirements or those of other organizations in the software supply chain.
It should also integrate with messaging and ticketing platforms to automatically route issues to the right teams. And it should provide automated remediation capabilities so you can quickly and efficiently fix common and persistent misconfigurations.
Finally, it should provide a full range of assessment reports—from detailed granular information to high-level executive overviews. That way, everyone in your organization will have the insights they need to keep track of your compliance posture.
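To make the benchmarking, custom-framework, routing and reporting features above concrete, here is an added example (not code from this page, from Wiz, or from any vendor's product) of the core loop such a tool runs: a constructed cloud inventory is evaluated against a small rule set, each rule is mapped to every framework requirement it satisfies (so one check counts toward PCI DSS, CIS Controls, GDPR and an internal framework at once), failures are routed to an owning team, and the same findings feed both a granular list and an executive score. The inventory, the region-to-EEA mapping, the team names, the "ACME-INTERNAL" framework and all framework mappings other than "PCI DSS Requirement 1" (which the text names) are assumptions for illustration.

```python
"""Toy continuous-compliance benchmark (illustrative, not a vendor's implementation)."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample inventory: resources roughly as a CSP inventory API would describe them.
INVENTORY = [
    {"id": "sg-payments", "type": "security_group", "region": "eu-west-1",
     "ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    {"id": "sg-legacy", "type": "security_group", "region": "eu-west-1",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "bucket-crm", "type": "bucket", "region": "us-east-1",
     "encrypted": True, "personal_data": True},
    {"id": "bucket-logs", "type": "bucket", "region": "eu-central-1",
     "encrypted": False, "personal_data": False},
]

# Assumption: which CSP regions count as inside the EEA for data-residency checks.
EEA_REGIONS = {"eu-west-1", "eu-central-1"}

# Assumption: rule-id prefix -> team that owns remediation (the "routing" step).
OWNERS = {"NET": "network-team", "DATA": "platform-team", "RES": "privacy-team"}


@dataclass(frozen=True)
class Rule:
    id: str
    title: str
    resource_type: str
    check: Callable[[dict], bool]   # returns True when the resource is compliant
    frameworks: dict                # framework name -> requirement label it satisfies


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource_id: str
    compliant: bool
    frameworks: dict


def no_world_open_ingress(sg: dict) -> bool:
    """No inbound rule may allow traffic from the entire internet."""
    return not any(r["cidr"] == "0.0.0.0/0" for r in sg["ingress"])


def encrypted_at_rest(bucket: dict) -> bool:
    return bool(bucket["encrypted"])


def personal_data_stays_in_eea(bucket: dict) -> bool:
    """Data residency: personal data only in EEA regions; other data is unconstrained."""
    return (not bucket["personal_data"]) or bucket["region"] in EEA_REGIONS


# One rule, many frameworks: this is where overlapping requirements are de-duplicated.
# Mappings other than "PCI DSS -> Requirement 1" are illustrative assumptions.
RULES = [
    Rule("NET-1", "No ingress open to the whole internet", "security_group",
         no_world_open_ingress,
         {"PCI DSS": "Requirement 1", "CIS Controls": "network controls (assumed mapping)"}),
    Rule("DATA-1", "Storage encrypted at rest", "bucket", encrypted_at_rest,
         {"PCI DSS": "stored data protection (assumed mapping)", "ACME-INTERNAL": "ENC-01"}),
    Rule("RES-1", "Personal data stored only in EEA regions", "bucket",
         personal_data_stays_in_eea,
         {"GDPR": "data residency (assumed mapping)", "ACME-INTERNAL": "RES-01"}),
]


def evaluate(inventory: list, rules: list) -> list:
    """Run every rule against every resource of its type; one Finding per pair."""
    return [Finding(rule.id, res["id"], rule.check(res), rule.frameworks)
            for rule in rules for res in inventory if res["type"] == rule.resource_type]


def failures(findings: list) -> list:
    """Granular view: (rule, resource) pairs that need remediation."""
    return [(f.rule_id, f.resource_id) for f in findings if not f.compliant]


def summarize_by_framework(findings: list) -> dict:
    """Per-framework pass/fail counts; a single finding is credited to every framework it maps to."""
    summary = {}
    for f in findings:
        for framework in f.frameworks:
            counts = summary.setdefault(framework, {"passed": 0, "failed": 0})
            counts["passed" if f.compliant else "failed"] += 1
    return summary


def route_failures(findings: list, owners: dict) -> dict:
    """Group failing resources by the team that owns the rule's prefix (stand-in for a ticketing hook)."""
    queue = {}
    for f in findings:
        if not f.compliant:
            queue.setdefault(owners[f.rule_id.split("-")[0]], []).append(f.resource_id)
    return queue


def executive_score(findings: list) -> int:
    """High-level view: percentage of checks passed across the whole inventory."""
    return round(100 * sum(f.compliant for f in findings) / len(findings)) if findings else 100


if __name__ == "__main__":
    found = evaluate(INVENTORY, RULES)
    print("Failures:", failures(found))
    print("By framework:", summarize_by_framework(found))
    print("Routed:", route_failures(found, OWNERS))
    print("Executive score:", executive_score(found))
```

Run as-is, the constructed inventory yields three failures (the world-open security group, the unencrypted bucket, and the bucket holding personal data outside the EEA), each credited against every framework its rule maps to, which is how a single check avoids duplicating effort across PCI DSS, CIS Controls, GDPR and an internal framework.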
See how Wiz eliminates the manual effort and complexity of achieving compliance in dynamic and multi-cloud environments.