One of the most important considerations for any organization migrating workloads and applications to the cloud is ensuring that the cloud infrastructure they build on is secure. For many organizations, meeting certain compliance standards is not just a matter of conforming to industry best practice; in specific instances it is required by law or by contract. Organizations that handle sensitive personal, financial and health data must verify that the proper controls are in place to protect that data at rest, whether it resides in their own on-premises data centers or in the cloud, and while it is in transit.
While it is technically possible to build secure applications on top of non-compliant infrastructure, it is impractical for most customers: every control the infrastructure provider does not implement or cannot evidence is one the customer must compensate for and prove on their own. As a result, standards compliance is as much an issue for cloud infrastructure providers as it is for their customers. In fact, for most organizations, security standards compliance is a necessary precondition in the cloud vendor selection process.
Meeting the standards
There are numerous compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS), ISO/IEC 27001:2013, HITRUST and SOC 2. PCI DSS is defined by the payment card industry to keep cardholder data secure. It requires measures such as encrypting transmission of cardholder data across open, public networks and installing and maintaining a firewall configuration to protect it. Any business that transmits, stores, handles or accepts credit card data, regardless of size or processing volume, must comply with PCI DSS (although the validation requirements vary with transaction volume). ISO/IEC 27001 is a more general international standard that specifies the requirements for an information security management system (ISMS). HITRUST provides a certifiable framework intended to ensure that organizations can safely handle healthcare information in accordance with HIPAA regulations. Perhaps the most common attestation for cloud service providers is SOC 2. The SOC 2 Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy) outline a framework of control requirements that can be applied to any organization storing customer data in the cloud, including SaaS and IaaS companies as well as those using the cloud to store their own customers' information.
Customers should expect their cloud infrastructure providers to make their annual SOC 2 Type 2 audit report available for review, typically under a non-disclosure agreement. The report must be prepared by an independent, licensed CPA firm. A SOC 2 Type 2 audit assesses the operating effectiveness of the in-scope controls over a period of time (commonly six to twelve months), whereas a Type 1 report only describes the design of the controls at a single point in time. Because providers choose which of the five Trust Services Criteria to include (only security is mandatory), customers reviewing a report should check its scope (which systems, services and criteria are covered), the audit period, and any exceptions the auditor noted, rather than relying on the existence of the report alone. Read this way, SOC 2 reports provide customers with valuable input to their risk assessments of cloud service providers and give assurance that the cloud infrastructure vendor offers a standards-compliant and secure foundation for business-critical applications.
Beyond providing a common language and understanding for cloud infrastructure providers and their customers regarding the implementation of security controls, standards compliance is also seen as an indicator of the internal security culture within an organization. In fact, some customers who may not need compliance with a specific standard such as PCI may still ask for it (or a roadmap to achieving it) because it says something about the infrastructure provider’s operational effectiveness.
Another critical aspect of the cloud security equation is understanding the shared responsibility model. Cloud infrastructure providers typically spell out which aspects of the overall security framework they are responsible for and which the customer must manage on their own. Generally speaking, infrastructure providers are responsible for protecting the infrastructure itself, including the people, hardware, software, networking and physical facilities that make up the hosting platform. Customers are typically responsible for securing their own environments, including the guest OS, applications, data, and the configuration of the services they consume. For example, the infrastructure provider would usually be responsible for implementing identity management for the systems and applications that host the cloud platform, while the customer would be responsible for implementing identity management for the systems and applications within their own cloud environment. Where the line falls also depends on the service model: with IaaS the customer owns everything from the guest OS up, while with a managed or SaaS offering more of the stack shifts to the provider. It is essential for customers to know where their responsibility starts and the infrastructure provider's ends, and to document it, in order to prevent gaps that could turn into vulnerabilities, since a control each party assumes the other has implemented is effectively missing.
A compliant infrastructure makes it easier for customers to build secure applications that meet the same standards, because they can inherit the provider's audited controls for the layers the provider operates and concentrate their own effort on the layers they own. Infrastructure providers can make the compliance process easier for their customers by becoming compliant themselves - not only does this make the digital world a little bit safer, it can also offer a competitive advantage.
Organizations often expend a lot of time, effort and money achieving standards compliance within their own applications, networks and on-premises infrastructure. For organizations operating in specific industries, such as financial services, the burden of maintaining compliance with standards such as PCI DSS can even be a roadblock to cloud migration (and the related benefits of performance, scale and business agility). By offering standards compliance, cloud infrastructure providers can reduce the risk and simplify the process for customers migrating to the cloud.