Taking an All-Of-The-Above Approach to Public Cloud Compliance

Demystifying Public Cloud Compliance

The word compliance strikes fear into many readers. Are we in compliance? Can we prove it? Are we trying to be compliant with the right regulations? What happens if we fall out of compliance? Can we afford to invest in compliance? Can we afford not to?

Public cloud compliance doesn’t have to be a scary thing. It’s really about safety in numbers. Compliance is just a set of best practices developed by the many organizations and experts over the years. They made the mistakes so you don’t have to. Sure, many regulations pre-date cloud computing, but they still apply. Adopting the cloud doesn’t have to make compliance harder and in many ways it makes compliance easier. Your cloud provider, be it Amazon Web Services, Microsoft Azure, or Google Cloud, is responsible for the compliance of their part of the equation. That means they address physical security, data center access, networking infrastructure, and at least for managed instances, operating systems and patches. As a cloud user, you are responsible for less, but still a significant amount.

This is called the Shared Responsibility Model, where the provider is responsible for security OF the cloud and the customer is responsible for security IN the cloud.

The good news is that, when it comes to compliance, the cloud vendors are all rock solid.

There are dozens of security standards and regulations that address compliance, and some overlap but others are focused on unique requirements. For example, PCI-DSS (Payment Card Industry Data Security Standard) is focused on credit card and financial data. HIPAA (Health Insurance Portability and Accountability Act) naturally deals with private healthcare information. Individual countries and even some U.S. states have their own regulations. For an exhaustive list of compliance standards, particularly those used in the cloud, please see CloudCheckr’s list of Total Compliance Standards and Regulations in our Success Center.

So how do you choose the compliance standard that you should follow in the public cloud? Some are obvious. For example, if you are a hospital, you need to align with HIPAA. If you are an e-commerce retailer, you need to follow PCI-DSS. But what if you are a university-affiliated hospital? Again, HIPAA is a must, but you probably also take credit cards, so PCI-DSS is required. But that’s not all. A university likely deals with federal student loan information, so that might require DFARS compliance (NIST 800-171) as well. If you had settled for just targeting compliance with HIPAA, or even HIPAA and PCI-DSS, yet had a violation of student privacy, you could be in trouble.

You don’t want to be surprised, especially if there is a security breach, that your public cloud environment is not in compliance with the right standard or standards. You also want to be able to prove that you were indeed compliant with a standard, on a specific date, should you ever get audited. This could mitigate against serious fines.

Fortunately, there is a cloud compliance tool, called CloudCheckr CMx, that not only scores your cloud infrastructure according to the big compliance standards out there, but also several that are specific to countries, states, and industries. You can pick your favorites and see a plot over time, showing your progress towards 100% compliance with the standards that matter to you. Any misconfigurations are highlighted, along with remediation steps. A good number of CloudCheckr’s 600+ Best Practice Checks support Self-Healing Automation for one-click or even zero-click correction.

Should you find yourself audited, you can leverage CloudCheckr’s SnapBack™ capabilities. Just select a date from as long as seven years ago to see your state of compliance at that point in time. Those reports are read-only so you can confidently demonstrate your due diligence.

Some cloud providers offer the ability to check your configuration according to a handful of compliance standards. But they often charge per standard, and per resource checked, per month. That can get out of hand, quickly, and discourage checking multiple standards.

Why pick one or two compliance standards to monitor when CloudCheckr’s Total Compliance checks 35, at no extra cost?

Ready to make CloudCheckr part of your compliance strategy?

See how Devada uses CloudCheckr to build out its operational maturity, compliance, and automation capabilities. Read the case study now