Milou Lammers, Director of Compliance at iland, examines the current cloud regulation landscape and lays out her advice for cloud customers looking to maintain compliance.
Compliance is becoming an ever more complex issue for organizations. As businesses engage in more remote and digital work practices due to COVID-19, governments globally are implementing a growing number of data privacy regulations for organizations to abide by. The reason for this is valid: with the industrialization of hacking and the enormous impact of security breaches, governments had little choice but to add to the number of regulations, standards, and legislation they currently enforce in a bid to not only curtail the adversaries attempting to hijack sensitive information, but also to prevent data leakage via other, less malicious avenues. With legislators in over 29 states in the US putting data privacy on the agenda in legislative sessions in 2021, the prevalence of the GDPR in Europe, and now a new data privacy law set to take effect in China from the 1st of November, it has never been more challenging for organizations to stay compliant. The question, however, is: where is all of the information security regulation?
We need to focus on information security
While data privacy concerns are taking the forefront in legislation, there is very little movement on regulation regarding how companies protect customer data. Regulators are penalizing companies for large data breaches and imposing mind-numbing fines, such as fines up to €20 million or 4% of total global turnover for non-compliance with the GDPR. However, these regulations only require companies to implement “appropriate technical and organizational measures” to protect customer data; they do not instruct companies how to protect that data.
Since there are very few information security-specific regulations and little guidance from government regulators on security measures to put in place, independent certification bodies have stepped up to help organizations prove that they are compliant. Cloud providers often rely on external third-party auditors to conduct service level audits on information security and data privacy-specific controls to ensure that the company has enough measures to protect customer data stored in their cloud.
Whether a business is just starting out with cloud technologies or is already heavily invested in the cloud, these audits and certifications help customers have the assurance that their data is protected in a compliance-certified environment.
Security Documentation to Ask For
There has been a large increase in the volume of information security audits and certifications offered around the world. Individual industries have developed unique, comprehensive standards alongside government regulators in industries such as banking, healthcare, and manufacturing. Other global certification bodies, such as the International Organization for Standardization (ISO), have combined laws and standards from multiple countries into one best-practice certification. For example, the ISO/IEC 27701:2019 Security Techniques (ISO 27701) certification combines some of the strictest data privacy standards in the world, like the GDPR, CCPA, and Australian data privacy laws, into one standard that companies can be audited against collectively to evidence compliance with these standards. Some of the most common security standards and audit certifications to ask CSPs for today include an ISO 27001 certification and a SOC 2 report for US cloud providers.
ISO 27001 Report
The ISO/IEC 27001: Information Security Management (ISO 27001) standard is an audit framework that provides a roadmap to organizations on how to manage information security. It can be viewed as one of the tools that CSPs rely on to evidence that they have implemented “appropriate technical and organizational measures” to protect customer data in the cloud.
SOC 2 Report
Additionally, US providers rely upon the AICPA’s SOC 2 Trust Services Criteria to evidence the security, availability, and processing integrity controls they have put in place to protect customer data in their systems and the confidentiality and privacy of the information processed by those systems. A SOC 2 Report also includes a detailed summary of the evidence reviewed and the security controls, such as access control and physical security, the organization has put in place to better secure customer data.
The range, variety, and changing nature of compliance rules may be difficult to understand and interpret for an organization, and as a result many will lean on the experience and expertise of a cloud services provider. So, how should business leaders ensure they are compliant when not all resources are on their premises and within their physical control?
Top Tips to Ensure Compliance in the Cloud
1. Review your CSP’s Compliance Documentation
Review the compliance documentation your CSP makes available to customers and ensure that it applies to your industry and the security concerns your organization faces. Depending on your industry, there may be other more relevant audit certifications you may want your CSP to have, such as HITRUST or HIPAA audit certifications for U.S. healthcare companies, Cyber Essentials for UK businesses, or government-specific regulations for defense contractors such as CMMC in the U.S. or IRAP in Australia.
2. Understand Access Control
A large portion of regulatory IT compliance stems from ensuring proper controls are in place over who has access to what data in the system. During a compliance audit, you must be able to prove the level of access that each user has and how those various levels are maintained. Your CSP must be able to provide you with documentation outlining how they implement separation of duties for administrative functions. They must also be able to provide clear documentation showing which users had access to which systems when, and what data and systems were able to be accessed by each user.
3. Regularly Assess Your CSP Supplier
Without the threat of government regulation regarding information security measures, compliance in the cloud is driven by best-practice standards and customer demand. If customers regularly request a particular audit certification an organization does not yet have in place, that organization may consider expanding its compliance program to fit the market need. Continue to regularly assess your CSP to make sure that they are renewing their compliance certifications on a regular basis and have not abandoned a compliance program that was important to your business.
Getting the flexibility and benefits of the cloud, as well as the compliance you need, takes consideration and planning. Don’t settle. From the beginning, ensure you work with a cloud service provider that has your compliance and audit needs in mind. You want a provider who puts you first and wants you to benefit from the cloud. Find a provider that will keep your organization in compliance and protect your and your customers’ sensitive data. Make sure they have the experience, skills, staff, and processes to deliver on your specific compliance needs.