If you run an online business or provide a service, you are responsible for keeping your critical data and apps safe in the cloud. With the ever-changing threat landscape, cloud security can be a challenging endeavor.
However, industry-specific cloud compliance frameworks give organizations a structured way to identify the threats to their data and define the controls and procedures that prevent or contain them.
When it comes to cloud information security, the sheer number of industry standards and control frameworks can be overwhelming at first, making it difficult to determine which ones apply to your business and where you should prioritize your efforts.
That said, any enterprise running sensitive data workloads should at a minimum consider ISO 27001, SOC 2, and the CIS AWS Foundations Benchmark (or the CIS Benchmark for whichever provider it uses) as a starting point.
Implementing the processes and controls these standards call for will go a long way toward assuring data security. Going a step further and obtaining ISO 27001 certification or a SOC 2 report raises customers’ confidence in your organization and gives you a competitive advantage with security-conscious buyers.
There are other clear business benefits of implementing these cloud security frameworks, such as preventing financial losses from a security breach, ensuring data privacy and integrity, regulatory compliance, and defining information processing roles and responsibilities.
This article lists the cloud security standards and control frameworks your organization should consider. Note that most of the standards discussed below deal with general information security rather than cloud security specifically. The list is by no means complete, and there may be alternative standards that are more relevant to your industry.
The need for cloud compliance starts the moment you begin working in the cloud. Because cloud security is a shared responsibility between the provider and the customer, we have listed the regulatory frameworks and standards related to cloud security that you should know.
Choosing the proper cloud security framework from the array available requires an in-depth understanding of your business jurisdiction and business requirements. To make selection easier, we have divided the frameworks and standards that may be relevant to cloud security into three categories:
- Sector-Specific Regulations
- Security-Centric Frameworks
- Cloud Well-Architected Frameworks
Industry-Specific Cloud Security Standards
At the top of an organization’s cloud compliance priority list should be the laws of its geographic jurisdiction and of the industries in which it operates. Failure to comply with these laws can have serious consequences such as loss of reputation, high fines, and revocation of business licenses.
PCI DSS: Credit Card Payments
The PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for every entity that stores, processes, or transmits payment card data, whether a merchant, a payment processor, or a service provider acting on their behalf.
PCI DSS sets out baseline technical and operational requirements for protecting cardholder data. Its aim is to protect cardholders against payment card fraud and identity theft.
You can examine in detail in our “PCI DSS Requirements” article what merchants need to do to be compliant with PCI DSS.
If your organization stores or processes cardholder data in the cloud, it is your job to equip your IT team with the cloud expertise needed to design and maintain that environment securely; moving to the cloud does not transfer the obligation to the provider. If you fail to meet PCI DSS (the PCI SSC’s Cloud Computing Guidelines explain how the requirements apply to cloud deployments), you risk losing your ability to process card payments.
United States: HIPAA
The Health Insurance Portability and Accountability Act (HIPAA), passed by the United States Congress to protect individuals’ health information, includes sections directly related to information security.
HIPAA applies to businesses that handle medical data. For information security, the most relevant part is the HIPAA Security Rule. The Security Rule establishes requirements for safeguarding the electronic protected health information (ePHI) that a covered entity or its business associates create, receive, maintain, or transmit.
HIPAA-regulated organizations must perform risk analyses and maintain risk management programs to mitigate threats to the confidentiality, integrity, and availability of the health data they manage.
If your organization uses cloud services (SaaS, IaaS, PaaS) to manage or transmit health data, it is your job to ensure that the provider will sign a Business Associate Agreement and supports HIPAA-compliant use, and that you have adopted best practices for managing your own cloud configuration.
Australia: APRA Prudential Practice Guidelines CPG 234
The Australian Prudential Regulation Authority’s (APRA) Prudential Practice Guide CPG 234 (Information Security) supports the mandatory Prudential Standard CPS 234 and describes how APRA-regulated financial institutions are expected to manage information security weaknesses. It aims to help these organizations be resilient to a variety of threats.
CPG 234 takes a cautious stance toward newer technologies such as cloud computing and expects heightened assurance before material workloads move there. As a cloud-based organization regulated in Australia, it is your responsibility to demonstrate that your compliance posture aligns with industry best practice.
European Union: GDPR
One of the strictest data privacy laws globally is the General Data Protection Regulation (GDPR). Its primary purpose is to safeguard the personal data of natural persons in the European Union (EU).
GDPR is the European Union’s data protection and privacy regulation. Although it is EU law, you should consider it if you store or process any personal data about people located in the EU.
GDPR governs organizations established in the EU, organizations processing the personal data of individuals in the EU, and organizations offering goods or services to individuals in the EU or monitoring their behaviour.
GDPR grants individuals eight fundamental rights over their personal data:
- Right to be informed: the organization must be fully transparent about how it processes personal data
- Right of access: knowing what information is collected and how it is processed
- Right to rectification: correction of incomplete or incorrect personal data
- Right to erasure (the “right to be forgotten”): deletion of personal data where there is no longer a lawful basis to keep it
- Right to restrict processing: limiting how personal data may be processed
- Right to data portability: receiving personal data in a usable format and transferring it to another service
- Right to object: objecting to processing for specific purposes, including direct marketing
- Rights related to automated decision-making and profiling: not being subject to decisions based solely on automated processing that have legal or similarly significant effects
Separately from these rights, GDPR obliges a data controller to notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform affected individuals without undue delay when the breach is likely to result in a high risk to them.
Noncompliance with GDPR can result in harsh penalties, including fines of up to €20 million or 4% of an organization’s annual worldwide turnover, whichever is higher.
Beyond honouring these rights, your company must make sure that customer data stored in the cloud is protected with appropriate technical and organizational measures, and that any transfer of personal data outside the EU rests on a valid legal mechanism.
Security-Centric Frameworks
Security-focused frameworks are independent of any particular law or financial regulation, but they are robust guidelines your organization can use to meet regulatory requirements.
ISO-27001 / ISO-27002
The best-known standard in information security and compliance is ISO/IEC 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was created to help enterprises protect sensitive data through a set of best practices.
Any organization that handles sensitive information can benefit from implementing ISO 27001. ISO 27001 specifies the requirements for an Information Security Management System (ISMS); ISO 27002 gives implementation guidance for the controls listed in ISO 27001’s Annex A. Certification against ISO 27001 shows your customers that your organization takes information security seriously and follows recognized practice.
As an independent international standard, ISO 27001 certification is recognized worldwide and is often a hard requirement for becoming an approved third-party vendor. Its controls cover the full management lifecycle, from asset management and access control to cryptography and operational security, all of which apply equally to cloud workloads.
ISO-27017
ISO/IEC 27017 extends ISO 27001 and ISO 27002 with controls and guidance specific to information security in a cloud context, for both cloud service providers and cloud customers. Compliance with ISO 27017 should be pursued in conjunction with ISO 27001.
ISO-27018
ISO/IEC 27018 addresses the protection of personally identifiable information (PII) in public cloud environments. Although it is written primarily for public cloud providers acting as PII processors, such as AWS or Azure, PII controllers (for example, a SaaS provider that processes customer PII on AWS) still carry responsibilities of their own. If you are a SaaS provider that processes PII, you should consider aligning with this standard.
System and Organization Controls (SOC) Reporting
SOC 2 (System and Organization Controls 2) is an attestation report, defined by the American Institute of Certified Public Accountants (AICPA), on the controls a service organization has in place over the systems it uses to process customer data. It is widely requested internationally, but it is an AICPA framework rather than an international standard.
A SOC 2 report, produced by an independent auditor, demonstrates that your organization has policies, procedures, and controls in place to meet the AICPA Trust Services Criteria. The five criteria are security, availability, processing integrity, confidentiality, and privacy; security is mandatory and the others are included according to the services in scope. If you are a SaaS provider, prospective customers will very likely ask for your SOC 2 report.
A SOC 1 report covers internal controls relevant to a customer’s financial reporting, whereas a SOC 2 report covers controls over security, operations, and compliance.
A Type I report describes the design of controls at a point in time; a Type II report also tests whether they operated effectively over a period, typically six to twelve months, which is why customers usually ask for Type II. For security-conscious firms, a SOC 2 report is a must-have when selecting a SaaS provider, and a must-provide when selling to them.
National Institute of Standards and Technology (NIST) Cybersecurity Framework
NIST is a non-regulatory agency of the United States Department of Commerce that develops standards, guidelines, and measurements, including much of the security guidance used by US federal agencies and, by extension, industry.
The NIST Cybersecurity Framework (CSF) was created by the National Institute of Standards and Technology to give organizations, originally critical-infrastructure operators, a common language for managing cybersecurity risk. It is voluntary, and it is frequently used alongside US requirements such as the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA), whose controls map onto it. The CSF’s Identify function emphasizes inventorying assets and categorizing them by business value so that they can be protected in proportion to their importance.
Related NIST publications for the cloud include NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations) and NIST SP 800-144 (Guidelines on Security and Privacy in Public Cloud Computing). These publications detail the security controls organizations can use to secure their systems; SP 800-53 is also the control catalog behind FedRAMP, the US government’s cloud authorization program.
CIS Controls and CIS Benchmarks
The Center for Internet Security (CIS) publishes the CIS Controls, a prioritized set of safeguards, and the CIS Benchmarks, consensus-based configuration guidelines that help organizations harden specific systems. Each recommendation goes through a review process involving experts from industry, government, and academia until consensus is reached.
Every CIS Benchmark recommendation is assigned to one of two profiles:
- Level 1: baseline hardening that reduces the attack surface without sacrificing functionality
- Level 2: defence-in-depth settings for environments that require tighter security, sometimes at the cost of functionality or performance
CIS Benchmarks exist for the major cloud service providers and give you a ready-made checklist for reviewing cloud configuration. For example, the CIS Amazon Web Services Foundations Benchmark is a set of checks designed specifically for AWS accounts, covering identity and access management, logging, monitoring, and networking.
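As an added example (not from the original article or from CIS), the script below evaluates a handful of CIS AWS Foundations-style checks offline against a constructed account snapshot. The snapshot is hand-built to mimic what you would gather with the AWS CLI (`aws iam get-account-summary`, `aws iam get-account-password-policy`, `aws iam generate-credential-report`, `aws cloudtrail describe-trails` and `aws s3control get-public-access-block`); the check names, thresholds and Level 1/Level 2 assignments are illustrative and should be confirmed against the benchmark version you audit against.

```python
"""Offline evaluator for a few CIS AWS Foundations-style checks (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

# Fixed clock so the key-age check is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)


@dataclass(frozen=True)
class Check:
    name: str
    level: int                    # CIS profile: 1 = baseline, 2 = hardened (assumed mapping)
    test: Callable[[dict], bool]  # returns True when the control passes


def root_mfa(snap: dict) -> bool:
    return snap["account_summary"]["AccountMFAEnabled"] == 1


def no_root_access_keys(snap: dict) -> bool:
    return snap["account_summary"]["AccountAccessKeysPresent"] == 0


def password_policy(snap: dict) -> bool:
    # A missing policy means AWS defaults apply, which fail the benchmark.
    p = snap.get("password_policy") or {}
    return p.get("MinimumPasswordLength", 0) >= 14 and p.get("PasswordReusePrevention", 0) >= 24


def access_keys_rotated(snap: dict) -> bool:
    # Only active keys count; inactive keys carry "N/A" in the credential report.
    for user in snap["credential_report"]:
        for slot in ("access_key_1", "access_key_2"):
            if user[f"{slot}_active"]:
                rotated = datetime.fromisoformat(user[f"{slot}_last_rotated"])
                if NOW - rotated > MAX_KEY_AGE:
                    return False
    return True


def multi_region_trail_logging(snap: dict) -> bool:
    return any(t["IsMultiRegionTrail"] and t["IsLogging"] for t in snap["trails"])


def trail_log_file_validation(snap: dict) -> bool:
    return bool(snap["trails"]) and all(t["LogFileValidationEnabled"] for t in snap["trails"])


def s3_block_public_access(snap: dict) -> bool:
    pab = snap["s3_public_access_block"]
    return all(pab.get(k, False) for k in
               ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


CHECKS = [
    Check("Root account has MFA enabled", 1, root_mfa),
    Check("Root account has no access keys", 1, no_root_access_keys),
    Check("IAM password policy: minimum length 14 and reuse prevention 24", 1, password_policy),
    Check("Active access keys rotated within 90 days", 1, access_keys_rotated),
    Check("CloudTrail multi-region trail is logging", 1, multi_region_trail_logging),
    Check("S3 account-level Block Public Access fully enabled", 1, s3_block_public_access),
    Check("CloudTrail log file validation enabled", 2, trail_log_file_validation),
]


def evaluate(snapshot: dict, level: int = 1) -> dict[str, bool]:
    """Run every check whose profile is at or below the requested level."""
    return {c.name: c.test(snapshot) for c in CHECKS if c.level <= level}


def failures(snapshot: dict, level: int = 1) -> list[str]:
    """Names of the checks that fail, in benchmark order."""
    return [name for name, ok in evaluate(snapshot, level).items() if not ok]


# Constructed sample snapshot: root is locked down, but the password policy is weak,
# one user has a stale key, and the trail lacks log file validation.
SAMPLE_SNAPSHOT = {
    "account_summary": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0},
    "password_policy": {"MinimumPasswordLength": 8, "PasswordReusePrevention": 24},
    "credential_report": [
        {"user": "alice", "access_key_1_active": True, "access_key_1_last_rotated": "2024-05-01T00:00:00+00:00",
         "access_key_2_active": False, "access_key_2_last_rotated": "N/A"},
        {"user": "bob", "access_key_1_active": True, "access_key_1_last_rotated": "2024-01-15T00:00:00+00:00",
         "access_key_2_active": False, "access_key_2_last_rotated": "N/A"},
    ],
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True,
                "LogFileValidationEnabled": False}],
    "s3_public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
}

if __name__ == "__main__":
    for lvl in (1, 2):
        print(f"Level {lvl} failures:")
        for name in failures(SAMPLE_SNAPSHOT, lvl):
            print(f"  FAIL  {name}")
```

Running the script at Level 1 reports the weak password policy and bob’s stale key; Level 2 adds the missing CloudTrail log file validation. The same structure, with the snapshot pulled from the AWS CLI instead of a literal, is what commercial and open-source benchmark scanners do under the hood.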
CSA STAR
The Security, Trust, Assurance and Risk (STAR) program of the Cloud Security Alliance (CSA) is a registry-based assurance program for cloud providers. It is built on the CSA Cloud Controls Matrix (CCM), whose controls are mapped to PCI DSS, ISO 27001, NIST, and ISACA COBIT among others, and it publishes the self-assessments and third-party certifications of major cloud service providers.
By reviewing your cloud service provider’s STAR entry, you can validate its security posture; by completing a STAR self-assessment or certification yourself, your organization can demonstrate its own cloud controls to customers.
Cloud Well-Architected Frameworks
The major cloud service providers each publish a well-architected framework: a set of best practices covering security, reliability, efficiency, and cost for workloads on their platform.
Amazon Web Services (AWS) Well-Architected Framework
The AWS Well-Architected Framework gives AWS customers a guide to designing and operating workloads in the cloud, including AWS-specific best-practice security controls. It provides a consistent basis for architects and reviewers to evaluate systems on AWS. The framework is organized into pillars:
- Operational Excellence: Adding value to the business
- Security: Protect assets, systems, and information in the cloud
- Reliability: Surviving interruptions and meeting demand
- Performance Efficiency: Making the best use of resources as requirements change.
- Cost Optimization: Minimizing or eliminating unnecessary costs.
Google Cloud Architecture Framework
For organizations with workloads on Google Cloud Platform (GCP), Google provides its counterpart, the Google Cloud Architecture Framework. It is designed so that teams can adopt the parts most relevant to their needs rather than the whole document at once.
The Google Cloud Architecture Framework is organized into pillars, of which this article covers four:
- Operational excellence: monitoring, disaster recovery, and automation.
- Security, privacy, and compliance: security controls suited to a range of use cases.
- Reliability: recommendations for achieving high reliability and availability.
- Performance and cost optimization: recommendations for balancing performance against cost.
Microsoft Azure Well-Architected Framework
If you run on Microsoft Azure, the Azure Well-Architected Framework provides equivalent guidance. Like the other frameworks, it is divided into pillars; the original Azure Architecture Framework named them as follows:
- Cost: Delivering the most value at the least cost
- DevOps: Keeping systems running in production
- Resiliency: Recovering gracefully from failures
- Scalability: Adapting to increasing or decreasing load
- Security: Defending your data and applications against attack
Microsoft has since renamed the pillars Cost Optimization, Operational Excellence, Performance Efficiency, Reliability, and Security, aligning them with the AWS terminology.
Although the number of standards and control frameworks relevant to cloud security may seem overwhelming at first glance, common themes emerge across most of them: asset inventory, access control, logging, encryption, and documented risk management. Working toward compliance with one therefore goes a long way toward compliance with the others.
Once you have decided which standards and control frameworks to follow, you must establish policies and procedures, implement the supporting technical controls, and gather the evidence that shows they operate as intended.