Meeting cloud compliance standards and passing audits is the pain point every enterprise has, but no one wants. Compliance frameworks do right by your enterprise, upholding the highest security hygiene, and also by your customers and their privacy. However, passing audits grows increasingly hard as enterprises move to the cloud. The cloud’s expansive and ephemeral nature, its scale of resources, configurations, environments and accounts, and the proliferation of identities and their permissions all add complexity.
For the full story and ‘how-to’ regarding managing compliance, see our guide, ‘How to Master Your Cloud Identity Audit and Meet Compliance with Zero Stress.’
Below, we’ll review some of the most common cloud compliance regulations you should know.
General Data Protection Regulation (GDPR)
Passed in 2018, this framework revolutionized data protection for citizens to accommodate the increase in personal information spread online. GDPR is regulated by the European Union and is designed to protect its citizens from personal data compromise. Personal data refers to any data that can be connected back to the identity of an individual. All businesses processing data linked to EU citizens, either manually or through automated mechanisms, must comply with the GDPR. Individuals, organizations and businesses are either ‘controllers’ or ‘processors’. According to the UK’s Information Commissioner’s Office, “Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data,” while “Processors act on behalf of, and only on the instructions of, the relevant controller.” GDPR can apply to businesses outside of the EU if the business operates within Europe or is a controller of European citizens’ data. GDPR is today’s strictest regulation regarding data privacy.
Health Insurance Portability and Accountability Act (HIPAA)
Passed in 1996, this privacy rule protects the personal information and medical records of individuals in the healthcare system. Additionally, the act allows individuals the right to access their personal information and request corrections. Covered entities, those who need to comply with the act, include all healthcare providers and healthcare plans.
HIPAA includes a security-specific note – “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.” HIPAA is today’s strictest medical personal privacy act.
ISO 27002 – International Organization for Standardization (ISO)
An ongoing set of regulations dedicated to information security protection. It enforces information security controls for organizations of all types and sizes that create, collect, process, store, and dispose of information. ISO protects the value of information, including knowledge, concepts, ideas and brands, that can be exposed to risk sources, whether intentionally or not. ISO suggests, “Information security is achieved by implementing a suitable set of controls, including policies, rules, processes, procedures, organizational structures and software and hardware functions. To meet its specific security and business objectives, the organization should define, implement, monitor, review and improve these controls where necessary.”
The 2013 publication of ISO 27002 contains 114 controls, including controls for structure, security policies, IT asset management, access control, operations security, security incident management, compliance and more. Overall, the benchmark intends to uphold information protection hygiene.
NIST 800-53 (National Institute of Standards and Technology)
A framework released by NIST to provide a structure of guiding elements, strategies, systems, and controls to support any organization’s cybersecurity needs and priorities. It intends to standardize cybersecurity protection so organizations have a common language. All federal agencies, information systems and relevant government contractors must comply with the framework. The framework is broken up according to potential risk impact – low, medium, and high – and within each section controls are outlined for several categories, including: access control; awareness and training; audits; configuration management; incident response; media protection; risk assessment; and more.
NIST states the publication’s intention is to provide “a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.”
Center for Internet Security (CIS) Foundations Frameworks
A group of globally recognized and consensus-driven best practices designed for security practitioners to implement and manage cybersecurity defenses. They are continuously developed by a global community of security experts to proactively safeguard against evolving risks. Companies implement the CIS Benchmark guidelines to limit configuration-based security vulnerabilities in their digital assets. CIS Benchmarks align with security and data protection regulations like the NIST framework and GDPR. There are benchmarks for a range of systems: operating systems, cloud infrastructure, desktop software, mobile devices, network devices, and more.
Payment Card Industry Data Security Standard (PCI DSS)
Launched in 2006 by four major credit card companies – Visa, MasterCard, Discover and American Express – this standard includes a set of best practices and policies to secure credit, debit and cash transactions and protect the best interests of cardholders. The PCI DSS applies to any organization that accepts, transmits, or stores any cardholder data; however, there are different vendor levels depending on the number of transactions managed. There are six main objectives included in the standard:
- Maintain a secure network for transactions to be conducted.
- Cardholder information must be protected at all times.
- Systems must be protected against malicious activity.
- Information access must be controlled and limited.
- Networks should be monitored and tested regularly.
- Involved parties must define a formal security procedure.
CSA Cloud Controls Matrix
One of the more modern frameworks, the CCM is a cybersecurity framework for cloud computing containing 197 control objectives across all aspects of cloud technology. It serves as the de facto standard for cloud security assurance and compliance, and helps organizations understand their requirements and define their security programs. The Matrix offers guidance on which security controls apply to which practitioners and provides a systematic assessment of cloud implementations. Controls addressed include: audit and assurance; app security; business continuity; data center security; governance; IAM; threat and vulnerability management; and more. It is aligned with other industry-accepted security standards and regulations like NIST and ISO 27002.
Health Information Trust Alliance (HITRUST)
Complementing HIPAA and addressing some of its ambiguity, the Health Information Trust Alliance (established in 2007) is a framework including 14 control measures necessary for safeguarding private healthcare information. It provides an integrated security approach as well as a way to demonstrate compliance with HIPAA security requirements via a third-party assessor matrix. Vendors can become HITRUST certified, meaning they are in compliance with HIPAA and take a risk-based approach to protecting private healthcare information. HITRUST takes a security-focused approach, whereas HIPAA is law-focused.
Struggling to structure your cloud environment in a way that keeps you compliant and proactively prepares for audits? Explore our guide, ‘How to Master Your Cloud Identity Audit and Meet Compliance with Zero Stress.’