Over the past couple of years organizations have been rapidly adopting cloud computing to deliver IT and business services. Cloud computing brings a plethora of advantages to businesses, such as agility, flexibility, scalability and quick adaptation to changes in applications, but at the same time there are concerns around the security of data hosted in cloud environments. Building secure cloud environments is just one aspect; ensuring compliance and adherence to regulations and laws requires consistent effort to keep data safe. Governance, on the other hand, is needed to protect organizations.
Today we look in more detail at two commonly used terms related to cloud compliance and governance: what each of them entails, its purpose and how it works.
What is Cloud Compliance?
Cloud compliance comprises the policies and procedures which ensure that the cloud environment is secure and complies with regulatory requirements, standards and frameworks. These compliance standards may be established by governments, such as
- the European Union General Data Protection Regulation (GDPR) or
- the California Privacy Rights Act (CPRA),
or they may be industry-specific standards such as
- the Payment Card Industry Data Security Standard (PCI DSS),
- the Health Insurance Portability and Accountability Act (HIPAA),
- the Children’s Online Privacy Protection Act (COPPA) and
- the Sarbanes-Oxley Act (SOX).
Each organization’s compliance and governance requirements may vary depending on factors such as the industry it operates in, the jurisdictions in which it does business and so on. For example, the Health Insurance Portability and Accountability Act (HIPAA) applies to the life sciences, pharmaceutical and insurance industries, and the General Data Protection Regulation (GDPR) applies to businesses that process data owned by or associated with EU residents.
The Payment Card Industry Data Security Standard (PCI DSS) applies to the payment card industry. Each framework or standard has its own rule set defining how its data security requirements are to be met. Organizations need to ensure that their data is properly secured both at rest and in transit, which requires the use of encryption and other appropriate security measures.
What is Cloud Governance?
Cloud governance is a set of rules and policies adopted by organizations that run services in the cloud or use cloud computing services. The end objectives of cloud governance are
- to enhance data security,
- manage risks, and
- establish a safe and secure environment for smooth running of business operations.
Cloud governance is meant to ensure that resource deployment, integration, data security and other aspects of cloud computing are properly planned, considered, defined and managed.
Cloud environments are complex; by implementing cloud governance, organizations can take control of their cloud environments and their data with complete visibility into cloud operations. Cloud governance helps to optimize performance, lower operational costs and minimize security risks as cloud environments expand and become more complex over time.
Cloud Compliance and Shared Responsibility Model
Both compliance and governance are somewhat more complicated for cloud models than for on-premises data centers. Cloud providers operate on a shared responsibility model, in which the provider is responsible for managing some aspects of security, such as the physical security of resources like servers and storage. Providers also need to undergo regular audits such as Security Operation Controls (SOC 2).
The logical security of resources, such as access controls on cloud resources, storage buckets and so on, is the responsibility of the end user.
Cloud Compliance Working
Determining the compliance needs of your cloud depends largely on the kind of workloads hosted in the cloud, with compliance rules set up according to business requirements. Most cloud compliance workflows break down into the basic steps below.
- Compliance needs assessment – The very first step is to determine the compliance requirements based on the kind of workloads hosted: are there specific frameworks or standards the organization needs to follow, such as HIPAA or PCI DSS? If sensitive data of EU residents is being stored, GDPR needs to be considered.
- Definition of compliance rules – To decide how the business will implement tools and practices to meet cloud compliance requirements, specific rules need to be defined that track how those requirements will be enforced. For example, if a cloud compliance rule states that user data cannot be stored in plain text, then encryption has to be established to ensure data is encrypted at rest.
- Ongoing assessments with compliance audits – After defining compliance rules, audits should be performed to ensure the rules are effective and working. Cloud workload configurations need to be evaluated to determine their alignment with the established rules.
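Putting the last two steps into practice, here is an added example (not code from the original article) that encodes the encryption-at-rest rule from above, plus two related rules, as checks and audits a constructed inventory of storage configurations, with a weak configuration beside its corrected form. The rule identifiers, resource fields and sample values are assumptions, not any cloud vendor's API.

```python
"""Minimal policy-as-code audit of cloud storage configurations (constructed example)."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    rule_id: str                    # assumed internal identifier, not a standard's own
    description: str
    check: Callable[[dict], bool]   # returns True when the resource is compliant


# Rules modelled on the article's requirements: data encrypted at rest and in
# transit, and access restricted. Positive requirements fail closed: a missing
# field counts as non-compliant rather than as a pass.
RULES = [
    Rule("enc-at-rest", "Storage must be encrypted at rest",
         lambda r: r.get("encryption_at_rest") is True),
    Rule("tls-in-transit", "Storage must require TLS for all access",
         lambda r: r.get("require_tls") is True),
    Rule("no-public-access", "Storage must not be publicly readable",
         lambda r: r.get("public_access") is not True),
]


def audit(resources: list[dict], rules: list[Rule] = RULES) -> list[dict]:
    """Evaluate every resource against every rule; one finding per failed check."""
    findings = []
    for res in resources:
        for rule in rules:
            if not rule.check(res):
                findings.append({"resource": res["name"], "rule": rule.rule_id,
                                 "description": rule.description})
    return findings


def compliance_ratio(resources: list[dict], rules: list[Rule] = RULES) -> float:
    """Share of (resource, rule) pairs that pass; 1.0 means fully compliant."""
    total = len(resources) * len(rules)
    return 1.0 if total == 0 else 1 - len(audit(resources, rules)) / total


# Constructed sample inventory: the weak configuration beside the corrected one.
SAMPLE_RESOURCES = [
    {"name": "customer-data-weak", "encryption_at_rest": False,
     "require_tls": False, "public_access": True},
    {"name": "customer-data-fixed", "encryption_at_rest": True,
     "require_tls": True, "public_access": False},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RESOURCES):
        print(f"{f['resource']}: FAIL {f['rule']} ({f['description']})")
```

In a real audit the inventory would come from the provider's configuration export or API rather than a hard-coded list, and the findings would feed the ongoing assessment step.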