5 Cloud Security and Compliance Checklists for MSPs
If you provide cloud managed services for your customers, then compliance shouldn’t only be on your clients’ minds. Ensuring a cloud environment that aligns to regulatory standards is critical for stakeholders in their organizations — and your own.
Each year, there are new regulations to follow and old regulations that still require compliance. Whether this is a customer’s first audit or tenth, there is always room to improve. As their service provider, you can help the customer ensure that their cloud environment remains secure, compliant, and audit-ready at all times.
Develop Your Cloud Security and Compliance Checklists
Auditors ensure that information is properly safeguarded, so that customers don’t face penalties for non-compliance. They are there to verify that this data is not exposed to data theft or other cybersecurity risks. Your role as service provider is to help stakeholders view the audit not as a punishment but as an opportunity to demonstrate the value of the cloud in their business operations.
When it comes to security and compliance in the cloud, the technology you have in place can be a valuable resource for your clients. Some audits, like HIPAA, expect to see you continually improving your security posture each year. Having a cloud management tool in place like CloudCheckr CMx will give you a “scoreboard” for your customers’ compliance across many regulatory standards. This scoreboard should help your customers show their auditors that they are continuously working to improve the security and compliance posture of their environment. Moreover, since several regulations overlap in audit requirements, you can use these dashboards and reports to help you perform each audit without needing to duplicate work.
You might find that your customers feel unprepared, like they don’t know what to do, when it comes time for a new audit. As their service provider, you can help them develop a robust cloud security and compliance strategy. Here are five cloud security and compliance checklists you can use to help your customers keep track of evidence, harden their environments, retain crucial logs and records, protect sensitive data, and review access:
Have Evidence Available for All Artifacts
In preparation for the audit, your customers will need a controlled, easy-to-access place to manage artifacts. There are many tools on the market. Pick one and organize artifacts by the request ID. For instance, if “Verify HTTPS is used on Web Servers” is HIPAA SEC1.0.5, then your document or screenshots pertaining to that request should be named HIPAA SEC1.0.5-NGINXConfig or HIPAA SEC105_Findings.
All stakeholders involved should make it easy for auditors to validate their compliance without having to hunt for answers. If the auditors are unsuccessful in finding proof, they may just mark the item unresolved. Have your customers build an accountability spreadsheet to track who owns the artifact, where it is located, when it was last updated, when it was delivered to the auditor, etc. Once the auditors’ list of requests arrives, progress becomes hard to track unless every action has been methodically accounted for.
Keep track of artifacts and prepare to reuse them. Auditors may request them again later.
Store documentation in a place that leverages access control and revisions.
Develop a naming convention for evidence based on the control/request/article, etc. Make it easy for stakeholders and the auditor to match up compliance.
Get as much data as possible to the auditor before they begin. It will impress them and set the precedent that security and compliance are high priorities!
Use a progress tracking sheet, or a “legend,” for the audit. Don’t rely on emails and status reports to track progress. Don’t expect the auditors to do it for the customer! It is their job to verify the data, but it is the job of you and your stakeholders to get it to them.
Ensure that customers have detailed archiving in place, ideally several years back, to ensure that they can stay audit-ready in the future.
Harden the Cloud Environment to Rigorous Standards
Now let’s dig in deeper. The real trick to technical compliance is automation and predictable architecture. Without them, you’d have to verify every technical control by hand each time.
Here are a few best practices your clients should follow to ensure that their environments are hardened against rigorous security and compliance standards:
Install all security patches and have an easy way to show patches installed.
Scan your servers and cloud for vulnerabilities (at least quarterly).
Remediate vulnerabilities within a reasonable timeframe and in an automated way (e.g., criticals within 96 hours, highs within two weeks, mediums within 60 days, lows within 90 days), using Puppet or your configuration management tool of choice. Unresolved criticals and highs will set off big alarms with the auditors.
Bake hardening and patches into images. When servers come up, they should be security- and compliance-“ready.”
Build integration tests for your security controls if you don’t already have them; otherwise, regression testing will be painful.
Apply least privilege to open ports in firewalls, network ACLs, security groups, iptables/firewalld, Windows Advanced Firewall, and the like. Use Infrastructure as Code if and whenever possible.
Use industry guides to help you harden.
Don’t shoot for 100 percent up front but make reasonable progress. This is what auditors expect to see.
Use tools to help you scan and harden.
Keep a compliance dashboard.
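To make the remediation timeframes above something you can show an auditor rather than assert, here is an added example (not CloudCheckr or Puppet code) that applies the checklist’s SLA windows to a list of findings and reports which ones are, or were, fixed late. The findings and the fixed “now” are constructed sample data; in practice you would load the scanner’s export and use the current time.

```python
"""Vulnerability remediation SLA check.

Added example (not CloudCheckr or Puppet code). It takes the SLA windows
named in the checklist and flags findings that are, or were, fixed outside
them. FINDINGS and NOW are constructed sample data, not scanner output.
"""
from datetime import datetime, timedelta, timezone

# Remediation windows per severity, as stated in the checklist.
SLA = {
    "critical": timedelta(hours=96),
    "high": timedelta(weeks=2),
    "medium": timedelta(days=60),
    "low": timedelta(days=90),
}

# Constructed sample findings. "fixed" is None while the finding is still open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "first_seen": "2024-03-01T09:00:00Z", "fixed": "2024-03-03T10:00:00Z"},
    {"id": "F-2", "severity": "critical", "first_seen": "2024-03-01T09:00:00Z", "fixed": None},
    {"id": "F-3", "severity": "high",     "first_seen": "2024-02-20T00:00:00Z", "fixed": None},
    {"id": "F-4", "severity": "medium",   "first_seen": "2024-02-01T00:00:00Z", "fixed": None},
    {"id": "F-5", "severity": "low",      "first_seen": "2023-11-01T00:00:00Z", "fixed": "2024-02-15T00:00:00Z"},
]

# Fixed "now" so the report is reproducible; use datetime.now(timezone.utc) in a real run.
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sla_status(finding, now=NOW):
    """Return deadline, whether the SLA was breached, and by how much.

    A finding that was fixed late still counts as a breach: auditors look at
    the remediation history, not only at the currently open list.
    """
    deadline = parse_ts(finding["first_seen"]) + SLA[finding["severity"].lower()]
    end = parse_ts(finding["fixed"]) if finding["fixed"] else now
    return {
        "id": finding["id"],
        "severity": finding["severity"],
        "open": finding["fixed"] is None,
        "deadline": deadline,
        "breached": end > deadline,
        "overdue_by": max(end - deadline, timedelta(0)),
    }


def breached_ids(findings, now=NOW):
    """IDs of findings that missed (or are currently missing) their SLA."""
    return sorted(f["id"] for f in findings if sla_status(f, now)["breached"])


def open_overdue(findings, now=NOW):
    """Still-open findings past their deadline, worst first: the list to escalate."""
    rows = [sla_status(f, now) for f in findings]
    rows = [r for r in rows if r["open"] and r["breached"]]
    return sorted(rows, key=lambda r: r["overdue_by"], reverse=True)


if __name__ == "__main__":
    for r in open_overdue(FINDINGS):
        print(f'{r["id"]} {r["severity"]:8} overdue by {r["overdue_by"]}')
    print("SLA breaches (open or fixed late):", breached_ids(FINDINGS))
```

Note that F-5 is reported as a breach even though it is closed: it was fixed 16 days after its 90-day window, and that history is exactly what an auditor reviewing the remediation process will look at.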
Retain Crucial Logs and Records
Auditors want proof. Screenshots suffice for some things, but most often it is the logs that provide evidence. Auditors want to see that the appropriate logs are being shipped and archived, that they are protected, and that they are maintained for the required time (which varies by control). Each control will specify the minimum; always check the documentation.
Most importantly, when an application touches sensitive data, such as PII, ePHI, or PHI, ensure that access is logged. Wherever customers store sensitive data, ensure that the storage service is accredited for the applicable control. For example, if you are placing ePHI in Amazon S3, ensure that Amazon S3 is certified for HIPAA (it is).
Use Rsyslog, Windows Event Log Forwarding, a third-party tool, etc. for log shipping, and use a method that ships logs securely for analysis, storage, and archiving.
Retain logs for minimum control requirements (often one to seven years).
Ensure that storage of logs with sensitive data is encrypted (this includes backups!).
Ensure that access to sensitive data is logged.
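“That they are protected” is the part of the log checklist that is hardest to evidence with a screenshot. One way to show it is a tamper-evident manifest over the archive. The following is an added example, not CloudCheckr code: it builds a SHA-256 hash chain over archived log segments and later re-checks the archive against the manifest, reporting the first segment that was edited, dropped or reordered. The log lines are constructed sample data.

```python
"""Tamper-evident manifest for archived log segments.

Added example, not CloudCheckr code. A hash chain over the archive lets you
show, and re-check at the next audit, that no segment was edited, dropped or
reordered since it was written. SEGMENTS is constructed sample data.
"""
import hashlib
import json

# Constructed sample archive: one byte string per archived segment (e.g. one per day).
SEGMENTS = [
    b"2024-03-01T08:00:01Z host=app1 user=alice action=read record=phi-0001\n"
    b"2024-03-01T08:05:42Z host=app1 user=alice action=update record=phi-0001\n",
    b"2024-03-02T09:12:09Z host=app1 user=bob action=read record=phi-0042\n",
    b"2024-03-03T17:40:55Z host=app2 user=carol action=export record=phi-0007\n",
]


def chain_hashes(segments, seed=b"log-archive-v1"):
    """Chained SHA-256 over the segments: h_i = SHA256(h_{i-1} || SHA256(segment_i)).

    Because each link covers the previous one, changing, removing or reordering
    any segment changes every link after it.
    """
    prev = hashlib.sha256(seed).digest()
    links = []
    for seg in segments:
        seg_hash = hashlib.sha256(seg).digest()
        prev = hashlib.sha256(prev + seg_hash).digest()
        links.append(prev.hex())
    return links


def build_manifest(segments):
    """Manifest to keep separately from the archive (write-once storage is ideal)."""
    links = chain_hashes(segments)
    return {"count": len(segments), "chain": links, "head": links[-1] if links else None}


def verify_manifest(segments, manifest):
    """Return (ok, first_bad_index).

    first_bad_index is the first segment that no longer matches the manifest; a
    length mismatch reports the index where archive and manifest diverge.
    """
    links = chain_hashes(segments)
    for i, (have, want) in enumerate(zip(links, manifest["chain"])):
        if have != want:
            return False, i
    if len(links) != manifest["count"]:
        return False, min(len(links), manifest["count"])
    return True, None


if __name__ == "__main__":
    manifest = build_manifest(SEGMENTS)
    print(json.dumps(manifest, indent=2))
    edited = list(SEGMENTS)
    edited[1] = edited[1].replace(b"user=bob", b"user=eve")
    print("intact:    ", verify_manifest(SEGMENTS, manifest))
    print("edited:    ", verify_manifest(edited, manifest))
    print("truncated: ", verify_manifest(SEGMENTS[:-1], manifest))
```

The manifest only proves something if it cannot be rewritten together with the archive, so store it (or at least its head hash) in a separate location with different access controls, and record the head hash in the evidence register for the audit.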
Protect Sensitive Data Through Encryption
Make sure that all mechanisms that retrieve sensitive data are using encryption. Better yet, encrypt everywhere. Don’t leave a control or system to chance by not configuring encryption. Customers that are handling sensitive data are subject to a standard such as SOC or HIPAA. If they aren’t using encryption at rest and in transit everywhere that data is stored or moved, it will be a finding in their audit. Such a finding is bad, but it is even worse if an attacker was able to obtain the data or it was accidentally exposed, which would be a reportable offense. If the data is multi-tenant (i.e., several of your client’s customers share the system), this would be reportable to all of those customers.
Use hardware encryption for encryption at rest. This will reduce the impact on performance. Cycle the key at least annually. If hardware encryption isn’t available, encrypt disks with software (and expect a performance hit).
For encryption in transit, ensure that HTTPS or SSL/TLS is used with ciphers of at least medium strength (over 128 bits) and strong hashes. Only terminate encryption at the point of processing.
Safeguard all private keys for certificates and public keys.
Encrypt data in databases if you can handle the performance loss. It’s an extra layer of protection.
Encrypt backups with AES-256 or stronger encryption.
Encrypt stored files (think S3) with AES-256 or stronger encryption.
Use VPN tunnels with at least AES-256 or stronger encryption.
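The in-transit item above (“medium-strength ciphers at a minimum … and strong hashes”) is easy to state and harder to verify on a real cipher list. As an added example, not CloudCheckr code, the following uses Python’s ssl module to classify whatever the local OpenSSL build enables and to emit a cipher string containing only the ciphers that meet the floor. Two assumptions are mine: 128 bits is treated as the floor (the text’s “over 128 bits” read as 128 or more), and HMAC-MD5 and HMAC-SHA1 are the weak hashes.

```python
"""Classify a TLS cipher list against the checklist's floor: at least
128-bit ciphers and no weak MACs.

Added example, not CloudCheckr code. The cipher inventory comes from the
OpenSSL build on the machine this runs on. Assumptions: 128 bits is the
floor, and md5/sha1 HMACs are the weak hashes.
"""
import ssl

MIN_STRENGTH_BITS = 128
WEAK_DIGESTS = {"md5", "sha1"}


def is_acceptable(cipher):
    """cipher is a dict shaped like the entries from SSLContext.get_ciphers().

    AEAD ciphers (AES-GCM, ChaCha20-Poly1305) carry no separate HMAC, so their
    'digest' is None and only the key strength matters.
    """
    if cipher["strength_bits"] < MIN_STRENGTH_BITS:
        return False
    digest = (cipher.get("digest") or "").lower()
    return digest not in WEAK_DIGESTS


def ciphers_for(spec):
    """All ciphers OpenSSL enables for an OpenSSL cipher-list string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def classify(spec="ALL:!aNULL:!eNULL"):
    """Split a cipher list into (acceptable, rejected) name lists."""
    ok, bad = [], []
    for c in ciphers_for(spec):
        (ok if is_acceptable(c) else bad).append(c["name"])
    return ok, bad


def hardened_cipher_string(spec="ALL:!aNULL:!eNULL"):
    """OpenSSL cipher string with only the acceptable TLS 1.2-and-below ciphers.

    TLS 1.3 suites are left out because OpenSSL configures them separately
    (set_ciphersuites) and all of them already meet the floor.
    """
    names = [c["name"] for c in ciphers_for(spec)
             if is_acceptable(c) and c["protocol"] != "TLSv1.3"]
    return ":".join(names)


if __name__ == "__main__":
    ok, bad = classify()
    print("rejected by policy:", bad)
    print("hardened cipher string:", hardened_cipher_string())
```

Run it on the host (or in the container image) that terminates TLS, keep the printed “rejected” list with the audit evidence, and feed the hardened string to the web server or load balancer configuration; the same classifier can be pointed at a server’s configured list by passing that list as spec.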
Review Access
Every audit will have elements of access review. If the customer’s business manages sensitive data, the auditors will be really focused on access to that data. There should be a ticketing and authorization process to provision access to any system that touches sensitive data. That list of users and privileged users should be reviewed quarterly for every system.
If the customer has a system to provision access to customer credit card data (think PCI), an auditor is going to expect to see how the access was requested, who authorized it, when it was authorized, when it was reviewed, and if it was revoked when the employee no longer needed it. Whether the system is automated (better), or completely manual (still okay in most cases), the auditor will expect to see this. If your environment isn’t heavily federated, the sprawl of disparate systems and controls can become overwhelming. In these cases, it’s best to use an application owner for each system who reviews access quarterly. Don’t let the sprawl turn into accidental access, or worse, unauthorized access.
Assign application owners and audit quarterly.
Build automation to provision and revoke access.
Strictly track and control access to sensitive data (and be able to show it).
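The access review described above (request, approver, review date, revocation on departure) can be run as a script over the grant list rather than by eye. The following is an added example, not CloudCheckr code: it checks each grant for the evidence an auditor will ask for and lists the grants that fail. The roster and grants are constructed sample data; a real run would pull them from the ticketing system and the HR feed.

```python
"""Quarterly access review for a system that touches sensitive data.

Added example, not CloudCheckr code. Each grant is checked for a request
ticket, an approver other than the requester, a review within the last
quarter, and revocation once the person has left. ROSTER, GRANTS and TODAY
are constructed sample data.
"""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # "quarterly", as in the checklist
TODAY = date(2024, 3, 10)             # fixed so the report is reproducible

# Constructed HR roster: who is still employed.
ROSTER = {
    "alice": {"active": True},
    "bob":   {"active": False, "left_on": date(2024, 1, 15)},
    "dave":  {"active": True},
    "erin":  {"active": True},
    "frank": {"active": False, "left_on": date(2024, 1, 31)},
}

# Constructed grants on a system holding cardholder data.
GRANTS = [
    {"id": "G1", "system": "card-vault", "user": "alice", "ticket": "CHG-1001", "authorized_by": "carol",
     "authorized_on": date(2024, 1, 5), "last_reviewed": date(2024, 2, 28), "revoked_on": None},
    {"id": "G2", "system": "card-vault", "user": "bob", "ticket": "CHG-0977", "authorized_by": "carol",
     "authorized_on": date(2023, 11, 2), "last_reviewed": date(2023, 12, 1), "revoked_on": None},
    {"id": "G3", "system": "card-vault", "user": "dave", "ticket": None, "authorized_by": None,
     "authorized_on": date(2023, 11, 20), "last_reviewed": None, "revoked_on": None},
    {"id": "G4", "system": "card-vault", "user": "erin", "ticket": "CHG-1002", "authorized_by": "erin",
     "authorized_on": date(2024, 2, 20), "last_reviewed": date(2024, 3, 1), "revoked_on": None},
    {"id": "G5", "system": "card-vault", "user": "frank", "ticket": "CHG-0810", "authorized_by": "carol",
     "authorized_on": date(2023, 9, 1), "last_reviewed": date(2023, 12, 1), "revoked_on": date(2024, 2, 1)},
]


def review_grant(grant, roster=ROSTER, today=TODAY):
    """Return the list of problems for one grant (empty list means it passes)."""
    problems = []
    if not grant["ticket"] or not grant["authorized_by"]:
        problems.append("no request/authorization record")
    elif grant["authorized_by"] == grant["user"]:
        problems.append("self-authorized")
    if grant["revoked_on"] is not None:
        return problems  # revoked grants are history; nothing further to review
    person = roster.get(grant["user"], {"active": False})
    if not person["active"]:
        problems.append(f"user left on {person.get('left_on')} but access not revoked")
    last = grant["last_reviewed"] or grant["authorized_on"]
    if today - last > REVIEW_INTERVAL:
        problems.append(f"review overdue ({(today - last).days} days since last review)")
    return problems


def access_review(grants=GRANTS, roster=ROSTER, today=TODAY):
    """Map grant id -> problems, for grants that have at least one."""
    report = {}
    for g in grants:
        problems = review_grant(g, roster, today)
        if problems:
            report[g["id"]] = problems
    return report


if __name__ == "__main__":
    for gid, problems in access_review().items():
        print(gid, "->", "; ".join(problems))
```

A user who is missing from the roster is treated as inactive, so an account that nobody in HR can vouch for is flagged rather than silently passed; that default is the safe one for a system holding cardholder data.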
Why Help Your Customers Ensure Compliance?
The auditors are going to show up. The better prepared you and your clients are, the smoother the audit will be. The auditor’s job is to ensure that your clients are safeguarding their customers’ information. They are there to catch vulnerabilities before an attacker does, so treat them as part of your customer’s safeguarding team.
Cloud compliance is always tightening, and new and updated regulations will routinely bring additional challenges to organizations. Get ahead of your customers’ security demands by improving your security and compliance audit strategy. This will please the auditors and ensure that your services are a must-have (not a nice-to-have) for your customers.
Bring Security, Compliance, and More Managed Cloud Services to Your Customers
Differentiate and grow your business with cloud management. With the right cloud services, you can meet each and every customer where they are.