(The cloud poses a host of data compliance challenges, including lack of visibility, confusion over whose responsibility it is to protect data, and the lack of an ideal standard compliance architecture. What’s needed is cloud compliance tools and a platform for security and compliance.)
The cloud allows organizations to abstract core parts of their businesses, which has given birth to more flexible and easily managed ‘hosted’ offerings such as SaaS, IaaS, PaaS. But being in the cloud also can complicate enterprise data security and privacy enforcement and control.
Compliance Challenges: PCI-DSS, HIPAA, NIST, FISMA and more
Let’s start with PCI-DSS requirements that protect credit card information and personal-identity data. All organizations that accept credit cards over the public internet and in the cloud must abide by PCI-DSS security and other standards – vendors, online retailers, security brokers, payment card companies, etc. PCI requires protective measures such as use of firewalls, identity authentication, file integrity monitoring as well as governance through incident response and policy.
If you don’t comply with PCI-DSS you get fined, or lose membership privileges and even the ability to operate using credit cards. (See Figure 1.)
Figure 1. PCI-DSS Compliance Reporting, A Sample Data View
Next, as promised, is HIPAA, which impacts all organizations (providers, insurers, data clearinghouses) managing employee healthcare information, or the healthcare data of an outside party. Industry regulations like HIPAA protect healthcare information and a whole supply chain. The information includes medical records, personal information, credit, insurance and employment information, and any information that helps to identify an individual. A common challenge in HIPAA compliance is its governance by manual processes and human time constraints – i.e., just keeping up with the data flow and the data’s protection.
Other relevant compliance categories include:
- NIST. National Institute of Standards and Technology (NIST) generates requirement sets such as 800-171 for the federal supply chain.… Your security must be certified or you often don’t get a look for doing business with the government.
- FISMA. Federal Information Security Modernization Act (FISMA) emphasizes the importance of information security, and requires federal agencies to implement data security plans to protect sensitive information and manage risk.
- CMMC. CMMC, or Cyber Maturity Model Certification, is a U.S. Dept of Defense initiative to ensure that companies that support DoD contracts (the Defense Information Base, or DIB) are appropriately securing Federal contract information (FCI) DoD unclassified information (Controlled Unclassified Information, or CUI). CMMC compliance and what it is isn’ set in stone yet. But it pays to be prepared, even at the subcontractor level.
Had enough compliance? The real complications start with the cloud and ‘Whose Data Is it Anyway?’.
Complication 1: Whose Data Is It Anyway?
Because the cloud consists of service providers, service brokers, consumers, and more, compliance in the cloud is a shared responsibility. It’s shared among organizations and service providers, service brokers, customers, and auditors, across HIPAA, PCI-DSS, FISMA, and other regulations and standards.
Security and compliance in the cloud by committee? So, you’re not alone, and there’s a model to follow called Shared Responsibility for Cloud Security in the Cloud, or the Cloud Shared Responsibility Model, but it’s still tough due to visibility challenges, ownership quandaries, jurisdictional challenges, and the need for APIs and the ability to work with other systems. Data architectures are all different, there are overlapping responsibilities, gaps in compliance coverage. It’s a complicated mess and guidance is needed.
Regulators, laws and standards such as HIPAA, PCI-DSS, NIST, GDPR require governance of data by the owner, holder, hoster, provider, and into the data supply chain; they require an ability to make sure the employee, customer or patient data you manage does not get compromised. If it’s your data to protect by law, you can’t realistically blame the clouds, and are expected to comply or be subject to fines, penalties and injunctions.
Complication 2: No solid point of reference.
Reference Architectures for compliance are needed, but ideal ones are few and far between. The cloud has a strange shape to it, and it has yet to be amply cartographed. Often, an organization doesn’t know the whereabouts of all its data, and doesn’t know it has failed to be compliant until a breach occurs.
The cloud compliance landscape calls for organizations to be more proactive, start early (aka DevSecOps). Cloud product designers need to build security and privacy into all phases of development, all parts of the potential connective environment. This way security and privacy are less likely to be compromised through a design vulnerability like occurred with the SolarWinds Sunburst hack.
This brings us to the cybersecurity skills shortage.
Complication 3: Staff limitations
Compliance requires a lot of log file monitoring manually in the form of routine checks and audits. This can get compounded due to overlap between the standards and disparate reporting systems for each type of compliance. With your compliance work you want to welcome as much synergy between compliance standards as possible, and not have to be redundant in your efforts.
Get help through automation. Automation is key in logging, monitoring, alerting, and overall compliance of where the data goes, who it goes to, how it is used, and more.
Atomicorp for File Integrity Monitoring and Cloud Compliance Tools
Smart security and compliance starts with strong endpoint protection and extends to protection of cloud workloads. This kind of security takes versatility and Atomicorp agents can enable you to orchestrate security across not only your devices but your virtual machines including containers.
Atomicorp intrusion detection system and cloud workload protection platform provides a platform for compliance with:
- Automated file logging to reduce and complement your manual efforts.
- Intrusion detection and file integrity monitoring that help to protect your server and endpoint environment from misconfiguration and malice.
- Vulnerability scanning across devices, servers and virtual machines to detect threat risks and defend against lateral movement schemes.
- Security information and event management (SIEM) that integrates open-source Elasticsearch Logstash and Kibana (ELK) capabilities to help organizations to search, find, categorize, analyze, resolve and report on security incidents.
- A PCI-DSS, HIPAA, GDPR compliant platform, with the security controls you need for CMMC as well.
Learn more about the Atomicorp cloud security and compliance tools platform.
PCI-DSS requirements whitepaper
File integrity monitoring (FIM) whitepaper
Visit the Atomic OSSEC page.
Endpoint, SASE, and cloud workload protection whitepaper