This post on cloud compliance is the third in a series of articles examining the vulnerabilities created by cloud computing’s shared responsibility model and the best practices companies can employ to address this exposure. The first article examined the shared responsibility model and highlighted the work done by the Software Engineering Institute (SEI) at Carnegie Mellon University in establishing a baseline set of cloud security best practices that SMBs should follow as they migrate to the cloud. It also stressed the important role that cloud backup plays in mitigating these vulnerabilities.
SEI encourages SMBs to build on this foundation of best practices by incorporating best practices developed by other sources, including Cloud Service Providers (CSPs), trade associations such as the Cloud Security Alliance (CSA), and regulatory compliance requirements. The second article in the series surveyed the best practices advanced by the top three CSPs (Microsoft Azure, Amazon Web Services, and Google Cloud Platform) and the CSA.
This third post examines the remaining SEI-recommended source of cloud deployment best practices: regulatory compliance requirements. These compliance requirements generally fall into three categories: laws, governmental regulations, and standards established by non-governmental organizations that facilitate regulatory compliance. Among the most prominent of these are HIPAA, PCI, SOC, ISO, CIS, NIST, FedRAMP, and GDPR.
Because CSPs advertise the fact that the cloud services they offer comply with these regulatory requirements, consumers can mistakenly believe that this compliance covers the consumers’ responsibilities as well. This perception can lead to a relaxation in the consumers’ approach to compliance matters.
Ultimately, however, the consumer carries the responsibility for compliance, so the burden falls on the consumer to take the necessary precautions, including the following:
- Vet the claims that CSPs make about their compliance.
- Ensure that the CSP maintains its compliance on an ongoing basis.
- Use the CSP services in a compliant manner (controls and configurations).
- Monitor usage (audits).
This post consists of two sections. The first section provides an overview of the major cloud compliance programs listed above. The second examines the tools and resources that CSPs make available to enable consumers to assess their providers’ compliance posture and to use their services in a way that fulfills the consumers’ compliance responsibilities. The article also contains several samples of language used by CSPs to clarify the consumers’ cloud compliance responsibilities.
Compliance Laws, Regulations, and Standards
This section describes the major compliance programs that cloud service providers adhere to and that govern consumer use of cloud services.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) included provisions that called for the establishment of national standards for safeguarding protected health information (PHI). The law defines Covered Entities as organizations that provide treatment or collect health information, such as doctors’ offices, hospitals, health insurers, and other healthcare companies. It designates organizations that create, receive, maintain, transmit, or access PHI on behalf of a Covered Entity as Business Associates. Cloud service providers fall into the category of Business Associate.
As regulators have interpreted and implemented the law over the years, three major rules have emerged:
- The Security Rule – Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of PHI.
- The Privacy Rule – Requires safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made without an individual’s authorization.
- The Breach Notification Rule – Requires HIPAA Covered Entities and their Business Associates to provide notification following a breach of unsecured PHI.
The HIPAA Privacy Rule requires all Covered Entities to have a signed Business Associate Agreement with any Business Associate. In the Business Associate Agreements offered by cloud service providers, they make contractual assurances that they are operating their network in a compliant manner with respect to data safeguarding, reporting, and data access.
PCI DSS
The Payment Card Industry Security Standards Council (PCI SSC) was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc. to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.
The PCI Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI SSC subsequently released an information supplement to the Data Security Standard specifically addressing cloud computing guidelines.
SOC
System and Organization Controls (SOC) for Service Organizations are internal control reports covering security, availability, processing integrity, confidentiality, or privacy, developed by the American Institute of Certified Public Accountants (AICPA). Using this reporting mechanism, CPAs examine services provided by a service organization, such as a cloud service provider, so that end users can assess and address the risks associated with an outsourced service. A SOC audit can only be performed by an independent CPA or accountancy organization. SOC auditors are regulated by and adhere to the professional standards established by the AICPA.
There are multiple SOC report formats. The most relevant one for cloud computing is the SOC 2 report. A SOC 2 report contains the auditor’s assessment of the provider’s controls and offers an opinion on whether or not the controls are designed appropriately and are functioning effectively. A SOC 3 report provides the same analysis, but removes some information that might be considered proprietary or confidential, which allows the SOC 3 report to be distributed more widely.
ISO 27001
The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 165 national standards bodies. Its members develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges.
ISO 27001 is a widely used information security standard produced by ISO. It enables organizations that deal with sensitive information to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties. The foundation of ISO 27001 is the concept of an information security management system (ISMS). An ISMS provides a set of policies and procedures for systematically managing an organization’s sensitive data and assets. Companies can obtain third-party certification that they are in compliance with ISO 27001.
CIS
The Center for Internet Security (CIS) is an independent, non-profit organization that publishes the CIS Controls and CIS Benchmarks, which are developed and maintained by a consortium of companies, government agencies, institutions, and individuals from every part of the ecosystem. CIS operates a consensus-based process made up of cybersecurity professionals and subject matter experts from around the world.
The CIS Controls are a short, prioritized list of actions an organization can take to defend against the most pervasive cyberattacks. These controls are mapped to multiple legal, regulatory, and policy frameworks and give users a methodology for implementing those frameworks.
The CIS Benchmarks are consensus-based configuration guidelines for hardening specific operating systems, middleware, software applications, and network devices. The benchmarks consist of more than 100 configuration guides across 25+ vendor product families and are free to download.
NIST
The National Institute of Standards and Technology (NIST) is part of the United States Department of Commerce and is charged with promoting U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. The organization has developed the Cybersecurity Framework (CSF), a voluntary set of standards, guidelines, and practices to manage and reduce cybersecurity risk.
In addition to the CSF, NIST has produced more than 200 special publications covering many aspects of cybersecurity risk management. Among the most widely used NIST publications is NIST 800-53, Security and Privacy Controls for Information Systems and Organizations. This set of controls is intended to help organizations meet the requirements of the Federal Information Security Modernization Act (FISMA), which is mandatory for federal agencies and organizations that are part of their supply chain, such as defense contractors.
NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, helps systems and organizations that are not a part of the federal government protect their sensitive information. Compliance is required for entities doing business with the U.S. Department of Defense (DoD).
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is administered by the U.S. General Services Administration (GSA) and was launched in 2011 to facilitate the migration of federal agency networks to the cloud. Based on NIST 800-53, the program standardized the process for the security assessment, authorization, and monitoring of cloud services to reduce the number of redundant security assessments occurring across the federal government and to accelerate cloud adoption.
CSPs become authorized providers under FedRAMP through an independent third-party assessment organization that is accredited by the program, followed by a technical review by the FedRAMP Program Management Office.
GDPR
The General Data Protection Regulation (GDPR) is a privacy and security law enacted by the European Union that came into effect in 2018. It requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory. U.S. companies must comply with GDPR if they target EU residents with their marketing or process their data on a regular basis.
GDPR sets out a duty for all organizations to report certain types of data breaches, those involving unauthorized access to or loss of personal data, to the relevant supervisory authority. In some cases, organizations must also inform the individuals affected by the breach. If you have a data breach, you have 72 hours from becoming aware of it to notify the supervisory authority or face penalties.
CSP Resources and Tools
This section contains descriptions of resources available to consumers to verify and track CSP compliance and tools for consumers to ensure that they are using the services in a compliant manner.
Microsoft Azure
Verifying Azure Compliance
Azure’s compliance reporting is provided on Microsoft’s Service Trust Portal, which includes information about compliance with data protection standards and regulatory requirements. Microsoft’s list of compliance offerings provides a comprehensive repository of audit reports and certificates detailing how Azure services meet national, regional, and industry-specific regulatory compliance standards.
Operating in the Azure Cloud in a Compliant Manner
Defender for Cloud is Microsoft’s security posture management and cloud workload threat protection tool and represents a combination of the previously named Azure Security Center and Azure Defender services.
Defender for Cloud delivers two cloud compliance management capabilities. First, it provides visibility into your security posture by generating a “secure score” for your subscriptions, based on an assessment of your connected resources against the guidance in the Azure Security Benchmark. Your score against the benchmark appears in the Defender for Cloud compliance dashboard. Microsoft built this baseline standard by drawing on security principles from common compliance frameworks such as CIS and NIST.
When you’ve enabled the enhanced security features, you can measure and assess your cloud compliance against specific standards including the following:
- NIST 800-53
- NIST 800-171
- SWIFT CSP CSCF-v2020
- Azure CIS 1.3.0
- CMMC Level 3
Second, Defender for Cloud offers configuration hardening recommendations based on any security misconfigurations and weaknesses it identifies. These recommendations can be used to strengthen the security posture of your organization’s Azure, hybrid, and multi-cloud resources.
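The mechanics behind a posture score and its recommendation list are easy to lose in product descriptions, so here is a small evaluator that shows the idea end to end. This is an added example written for this post, not Microsoft’s code and not how Defender for Cloud is implemented: the resource inventory is constructed, the control IDs (EX-…) are hypothetical, and the framework references attached to each control are illustrative mappings, not an official benchmark crosswalk.

```python
"""Added illustration: turn per-resource control checks into a secure score,
a prioritized hardening list, and a per-framework compliance status.
Not vendor code; all identifiers and sample data below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Resource = Dict[str, object]


@dataclass(frozen=True)
class Control:
    control_id: str                     # hypothetical id, not a real benchmark id
    title: str                          # the recommendation shown to the consumer
    resource_type: str                  # which inventory items the control applies to
    max_points: int                     # weight reflecting severity
    frameworks: Tuple[str, ...]         # illustrative framework references
    is_compliant: Callable[[Resource], bool]


# Constructed sample inventory (what a posture tool would pull from the subscription).
RESOURCES: List[Resource] = [
    {"name": "sa-prod-logs", "type": "storage", "https_only": True, "public_access": False},
    {"name": "sa-dev-scratch", "type": "storage", "https_only": False, "public_access": True},
    {"name": "vm-web-01", "type": "vm", "disk_encrypted": True, "mgmt_ports_open": True},
    {"name": "vm-db-01", "type": "vm", "disk_encrypted": True, "mgmt_ports_open": False},
]

# Constructed controls; the NIST 800-53 family/control references are real identifiers,
# but their pairing with these checks is an illustrative mapping chosen for the example.
CONTROLS: List[Control] = [
    Control("EX-SC-8", "Require secure transfer (HTTPS) on storage accounts", "storage", 4,
            ("NIST 800-53 SC-8", "CIS Azure 1.3.0"), lambda r: bool(r["https_only"])),
    Control("EX-AC-3", "Disallow public access to storage accounts", "storage", 5,
            ("NIST 800-53 AC-3", "CIS Azure 1.3.0"), lambda r: not r["public_access"]),
    Control("EX-SC-28", "Encrypt virtual machine disks at rest", "vm", 4,
            ("NIST 800-53 SC-28",), lambda r: bool(r["disk_encrypted"])),
    Control("EX-SC-7", "Close management ports exposed to the internet", "vm", 6,
            ("NIST 800-53 SC-7", "CIS Azure 1.3.0"), lambda r: not r["mgmt_ports_open"]),
]


def evaluate(resources: List[Resource], controls: List[Control]):
    """Score the inventory: each control earns max_points * (passing / in-scope)."""
    earned, possible = 0.0, 0
    details: Dict[str, Dict[str, float]] = {}
    recommendations: List[Dict[str, object]] = []
    for c in controls:
        scope = [r for r in resources if r["type"] == c.resource_type]
        if not scope:
            continue  # control has nothing to assess in this inventory
        failing = [r for r in scope if not c.is_compliant(r)]
        passing = len(scope) - len(failing)
        points = c.max_points * passing / len(scope)
        earned += points
        possible += c.max_points
        details[c.control_id] = {"passing": passing, "total": len(scope), "points": points}
        for r in failing:
            recommendations.append({
                "control_id": c.control_id, "resource": r["name"], "title": c.title,
                "frameworks": c.frameworks,
                "impact": c.max_points / len(scope),  # score gained by fixing this one item
            })
    recommendations.sort(key=lambda rec: rec["impact"], reverse=True)
    score = round(100 * earned / possible, 1) if possible else 0.0
    return score, details, recommendations


def framework_status(controls: List[Control], details: Dict[str, Dict[str, float]]):
    """A framework reference is compliant only if every control mapped to it fully passes."""
    status: Dict[str, str] = {}
    for c in controls:
        d = details.get(c.control_id)
        full_pass = d is not None and d["passing"] == d["total"]
        for ref in c.frameworks:
            if not full_pass:
                status[ref] = "non-compliant"
            else:
                status.setdefault(ref, "compliant")
    return status


if __name__ == "__main__":
    score, details, recs = evaluate(RESOURCES, CONTROLS)
    print(f"secure score: {score}%")
    for rec in recs:
        print(f"  +{rec['impact']:.1f}  {rec['resource']}: {rec['title']}  {rec['frameworks']}")
    for ref, st in sorted(framework_status(CONTROLS, details).items()):
        print(f"  {ref}: {st}")
```

Two design points carry over to the real tools: a recommendation is ranked by how much score fixing it recovers, which is why closing the exposed management port on one VM outranks the two storage fixes here, and a framework only shows as compliant when every control mapped to it passes on every in-scope resource, which is why the same finding can mark several standards non-compliant at once.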
A representative example follows of the language Microsoft uses to educate consumers on their role in compliance. In this case, it is offered in the case of HIPAA compliance: “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Azure aligns with HIPAA and the HITECH Act. Microsoft does not inspect, approve, or monitor your applications deployed on Azure. You are wholly responsible for ensuring your own compliance with applicable laws and regulations.”
Amazon Web Services
Verifying AWS Compliance
AWS Artifact is a central resource providing on-demand access to AWS’ security and compliance reports and agreements. Reports available in AWS Artifact include SOC and PCI reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the HIPAA Business Associate Agreement.
Operating in the AWS Cloud in a Compliant Manner
AWS Audit Manager allows consumers to continually audit their usage to simplify compliance with regulations and industry standards. Audit Manager automates evidence collection to allow assessments of whether your controls (policies, procedures, and activities) are operating effectively. Using Audit Manager, consumers can build audit-ready reports with less manual effort for stakeholder reviews of controls.
AWS Audit Manager includes prebuilt control mappings for common cloud compliance standards and regulations, and it lets you define custom controls and your own frameworks based on your specific requirements for internal audits. The prebuilt mappings include:
- NIST Cybersecurity Framework
- NIST 800-53
- NIST SP 800-171
- PCI DSS
- SOC 2
AWS describes the role of Audit Manager as assisting the consumer in preparing evidence for audits as follows: “Although AWS is not providing legal or compliance advice, we help you save thousands of hours needed in manually producing and collecting audit evidence and allows you to focus more on risk remediation and audit planning.”
Google Cloud Platform
Verifying Google Cloud Compliance
The Google Compliance Resource Center houses the company’s third-party audits and certifications, documentation, and legal commitments to support consumer compliance. Materials found there include:
- Google Cloud certifications and the compliance standards the company satisfies
- General information about regional and sector-specific regulations
- Documentation to aid your own reporting and compliance efforts
- The latest industry news and best practices updates
Operating in Google Cloud in a Compliant Manner
Google Cloud’s security and risk management platform is Security Command Center. It allows security professionals to:
- Gain centralized visibility and control of resources deployed.
- Discover misconfigurations and vulnerabilities.
- Report on and maintain compliance.
- Detect threats targeting Google Cloud assets.
- Mitigate and remediate risks.
There are two Security Command Center tiers: Standard and Premium. The Security Command Center Standard tier is free of charge. The main component of the Standard tier is Security Health Analytics, which provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets.
The Premium tier pricing is based on your annual spend rate and includes the baseline Security Health Analytics capabilities and adds monitoring and reporting for the following standards:
- CIS 1.1
- PCI DSS
- NIST 800-53
- ISO 27001
From a broader perspective, Google also cautions the consumer that the use of compliance reporting does not substitute for customer audits: “This functionality is only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification, or report of compliance of your products or services with any regulatory or industry benchmarks or standards.”
SMBs have the opportunity to improve the security of their cloud usage by adding regulatory compliance best practices to their cloud migration planning and implementations and shoulder the responsibility for their compliance needs. Taking advantage of the resources and tools made available by CSPs to control, configure, and audit cloud usage offers a structured method for improving your security posture. Supporting these cloud compliance best practice activities with the latest in backup technologies is another reliable way to improve your security posture, whether you are operating in the cloud or in a private network environment.
Earlier posts in this series: