Anyone reading this post will have at least dipped their toes into the world of cloud services. As a result of the massive growth in cloud adoption, the world of compliance has spent much of the last decade catching up with the implications of cloud services. For hosted infrastructure, “catching up” presents an interesting set of challenges, since cloud-managed environments are often updated far more rapidly than on-premises estates and may offer only limited options for managing their security surface area. But that doesn’t mean organisations can claim they are safe just because their data is held or managed by a reputable cloud services provider: the provider secures the underlying platform, while the configuration of your own workloads, identities and data remains your responsibility. Fortunately, most of the security world is well aware of this, and most compliance policy providers have correspondingly stepped up to help secure cloud workloads.
Compliance Organisations and Standards for the Cloud
For those who are just getting started, or thinking about maturing their security posture, it might be unclear exactly which compliance requirements apply to hardening their environments as they move to the cloud. The reality is that most of the organisations from the traditional IT world of compliance have extended their coverage to consider what “secure” looks like in the age of cloud computing, including:
COBIT
“COBIT is the acronym for Control Objectives for Information and Related Technologies. The COBIT framework was created by ISACA (the Information Systems Audit and Control Association - an international professional association focused on IT governance) to bridge the crucial gap between technical issues, business risks and control requirements”
FedRAMP
“The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”
NESA
The National Electronic Security Authority (NESA) — the federal authority for United Arab Emirates (UAE) that’s charged with strengthening the nation’s cybersecurity measures — is making greater strides to protect critical sectors against cyberattacks.
NIST sp800-171/sp800-53
NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Defense contractors must implement the requirements contained in NIST SP 800-171 to demonstrate that they provide adequate security for the covered defense information included in their defense contracts. NIST SP 800-53 is the broader catalogue of security and privacy controls for federal information systems from which programs such as FedRAMP derive their control baselines.
PCI DSS
“The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.”
SOX
“Part of the SOX internal controls includes a company’s IT procedures including things such as who has access to what data, where and how is the data stored, how is data integrity maintained, etc.”
Many of these names will already be familiar to those who have sought to pass a compliance audit for on-premises infrastructure – so it’s perhaps not surprising that many of these policy organisations now offer coverage for cloud-first operating systems such as Amazon Linux, a key component in AWS server environments. Microsoft’s ever-popular Windows Server operating systems are likewise covered by almost every policy provider.
Compliance – Getting Started on the Journey
So what is there to consider once you’ve identified your compliance goals and expanded into the cloud? The first important consideration is that, whilst many cloud vendors support a number of security controls and best-practice settings out of the box that will help protect you, most compliance policies require configurations stricter than the defaults, both to keep your data safer still and to demonstrate to auditors and regulators that the required controls are actually in place.
Getting started with policy compliance need not be difficult though and getting those hardened configurations in place might take less time than you might first think. Automated tools to assess and even guide you on how to resolve areas of your configuration that are non-compliant are widely available and can give you a significant head-start in comparison to manual compliance checks on individual machines, especially as your cloud workload grows.
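The kind of automated check described above, as an added example that is not from the original post and not code from any Tripwire product: a small Python script that parses a host’s sshd_config, works out the effective value of each setting, compares it against a hardened baseline and reports each non-compliant item with a remediation hint. It also illustrates the earlier point about vendor defaults versus stricter regimes, because a setting that is absent from the file is evaluated against the daemon’s own default rather than silently passed. The rule identifiers (SSH-01 and so on), the baseline thresholds and both sample configurations are constructed for illustration and do not come from any specific standard; the default values in the rules are the documented OpenSSH defaults.

```python
"""Minimal configuration-compliance check for sshd_config.

Added example (not from the original post). Rule IDs, thresholds and the
sample configs below are constructed for illustration; the 'default' in
each rule is the value OpenSSH assumes when the keyword is absent.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str                   # hypothetical identifier, e.g. SSH-01
    key: str                       # sshd_config keyword (case-insensitive)
    default: str                   # documented OpenSSH default if keyword absent
    passes: Callable[[str], bool]  # predicate over the lower-cased effective value
    remediation: str


@dataclass(frozen=True)
class Finding:
    rule_id: str
    key: str
    observed: str        # effective value that failed the rule
    from_default: bool   # True if the keyword was absent and the default applied
    remediation: str


# Illustrative hardened baseline, modelled on common SSH hardening guidance.
BASELINE: List[Rule] = [
    Rule("SSH-01", "PermitRootLogin", "prohibit-password",
         lambda v: v == "no", "Set 'PermitRootLogin no'"),
    Rule("SSH-02", "PasswordAuthentication", "yes",
         lambda v: v == "no", "Set 'PasswordAuthentication no' and use key-based auth"),
    Rule("SSH-03", "X11Forwarding", "no",
         lambda v: v == "no", "Set 'X11Forwarding no'"),
    Rule("SSH-04", "MaxAuthTries", "6",
         lambda v: v.isdigit() and int(v) <= 4, "Set 'MaxAuthTries 4' or lower"),
    Rule("SSH-05", "LogLevel", "INFO",
         lambda v: v in ("info", "verbose"), "Set 'LogLevel VERBOSE'"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map (keys and values lower-cased).

    sshd semantics that matter for a compliance check: keywords are
    case-insensitive and the FIRST occurrence of a keyword wins, so a hardening
    line appended at the end of the file is silently ignored if the keyword
    already appeared earlier. Everything after a 'Match' header is conditional
    and is not part of the global configuration, so parsing stops there.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        effective.setdefault(key, value)      # first occurrence wins
    return effective


def assess(config_text: str, baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Evaluate every rule against the effective configuration."""
    effective = parse_sshd_config(config_text)
    findings: List[Finding] = []
    for rule in baseline:
        key = rule.key.lower()
        present = key in effective
        value = effective[key] if present else rule.default.lower()
        if not rule.passes(value):
            findings.append(Finding(rule.rule_id, rule.key, value, not present, rule.remediation))
    return findings


# Constructed sample resembling a distribution-default sshd_config.
DEFAULT_LIKE_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
LogLevel INFO
"""

# Constructed sample: hardened, but with a duplicated keyword that sshd ignores.
HARDENED_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin no
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
PasswordAuthentication no   # appended later; sshd keeps the FIRST value above
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(assess(cfg))} finding(s)")
        for f in assess(cfg):
            origin = "daemon default" if f.from_default else "explicit setting"
            print(f"  {f.rule_id} {f.key}={f.observed} ({origin}) -> {f.remediation}")
```

Two details in the parser are the ones that catch people out in real assessments: an absent directive is not “compliant by omission” but takes the daemon’s default, and because sshd honours the first occurrence of a keyword, the hardened sample still fails SSH-02 even though a correct line was appended to it. Any real tool needs the same semantics for the product it is checking, which is why a benchmark-backed scanner beats a grep across the fleet.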
Compliance – Regulation and Risk
Whilst compliance might feel like a chore to many, in reality it should be right at the top of your security checklist for two major reasons.
First of all, regulation will often mandate particular levels of compliance to show that you are doing the right thing, and it’s these compliance standards that regulation leans upon to demonstrate your engagement with security best practices. But the second reason might be the more important one in today’s cloud environments: being caught out by an audit or a breach can seriously hurt your firm financially as well as damaging trust in your organisation. An always-on, cloud-powered solution does not change the need for compliance, and it is highly likely that the controls you’ve seen before with traditional infrastructure will remain every bit as important, or perhaps even more so. As a result, there really is no excuse to skirt compliance requirements. Ultimately, assessing and working to improve your compliance with the relevant standard is a key step towards a good security foundation – and one we should all be catching up to in the era of cloud computing.