Data security compliance in the Cloud.

Oscar Okwero
4 min read · Dec 5, 2023
Courtesy @ Security magazine

Data security Compliance in Cloud environments

With enterprises moving to the cloud for advantages such as cost efficiency, flexibility and ease of management, they still need to meet the same data security compliance requirements in the cloud that they faced on-premises. Regulations like GDPR, HIPAA and PCI DSS, and standards like ISO 27001 and NIST 800-53, set minimum security and privacy requirements for data that remain applicable in the cloud.

However, unlike on-premises setups, where an enterprise has well-defined physical and logical boundaries, in the cloud an enterprise has no physical access to the network, storage and compute devices. Furthermore, cloud resources are shared with other, external enterprises, which makes a well-defined, controlled and compliant environment very important. To ensure data security compliance in the cloud, the following considerations are recommended.

Shared responsibility model

The cloud shared responsibility model assigns compliance and data security roles to either the cloud service provider or the customer, depending on the consumption model in use. For Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), the service provider is in charge of network and compute resource management, while the customer is responsible for the configuration of their instances, including logical network configuration, resource management and data security. This is however not the case for Software as a Service (SaaS), where the service provider is in charge of all infrastructure and data security compliance requirements. Irrespective of the model chosen, the customer should clearly define their requirements in terms of privacy, confidentiality, integrity and availability, and these should form the basis of the SLA with the service provider.

a) Customer responsibilities

For IaaS and PaaS, the customer needs to carefully select the licensing features that allow them to architect their workloads with all the relevant data security and privacy requirements. Through cloud solutions like Microsoft Purview, users can classify data according to different sensitivity levels and determine the sharing policies for their sensitive data. With Amazon Macie, users can discover sensitive data in their workloads and assign the relevant access policies to it, ensuring, for instance, that no unauthorised user has access to health information. GCP offers Cloud DLP, which helps customers identify, classify and protect sensitive data in the cloud.
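The discovery-and-classification step that Purview, Macie and Cloud DLP perform is illustrated below by an added example (not the post's own code nor any vendor's implementation): a small scanner over constructed sample documents that flags health terms, Luhn-valid payment card numbers and email addresses, then maps the highest-sensitivity finding to a hypothetical sensitivity tier and sharing policy.

```python
import re

# Hypothetical sensitivity tiers and the sharing policy each one implies
# (an added illustration, not Purview's or Macie's own labels).
SHARING_POLICY = {"Public": "may be shared externally",
                  "Internal": "internal staff only",
                  "Confidential": "named recipients only, encrypted in transit",
                  "Restricted": "no sharing outside the owning team"}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")          # 13-16 digit runs
HEALTH_RE = re.compile(r"\b(diagnosis|prescription|patient id)\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Findings in one document and the sensitivity tier they imply."""
    findings = []
    if HEALTH_RE.search(text):
        findings.append("health information")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        findings.append("payment card number")
    if EMAIL_RE.search(text):
        findings.append("email address")
    # The highest-sensitivity finding decides the tier (health > card > other PII).
    tier = ("Restricted" if "health information" in findings else
            "Confidential" if "payment card number" in findings else
            "Internal" if findings else "Public")
    return {"tier": tier, "findings": findings, "policy": SHARING_POLICY[tier]}

# Constructed sample documents standing in for files discovered in cloud storage.
SAMPLE_DOCS = {
    "clinic-note.txt": "Patient ID 4471: diagnosis pending, contact alice@example.com",
    "refund.csv": "bob@example.com,4111 1111 1111 1111,42.00",
    "order.txt": "Order 1234 5678 9012 3456 shipped to the warehouse",
    "minutes.md": "Contact carol@example.com for the slides",
}

def scan(docs: dict) -> dict:
    """Map each document name to its sensitivity tier."""
    return {name: classify(text)["tier"] for name, text in docs.items()}

if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        print(name, classify(text))
```

The order number in `order.txt` is a 16-digit run that fails the Luhn check, so it is not reported as a card number; this is the kind of false-positive filtering a classifier needs before it drives sharing policy.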

Cloud customers also need to build security controls such as logging and monitoring into their workloads, following standard cloud security architectures like the CSA secure configuration framework. Depending on the CSP in use, this can be implemented with tools like AWS Trusted Advisor, which helps identify potential security vulnerabilities in a cloud workload, or Azure Sentinel and Defender for Cloud, which detect potential attacks on the cloud environment.

The resulting logs act as source documents for incident response and satisfy compliance requirements for log retention. Cloud customers should also configure their workloads to enable compliance automation and orchestration, such as automatic detection of sensitive data leaking from attached endpoints or file storage resources. They should also carry out frequent vulnerability assessments of their workloads to detect misconfigurations, excessive privileges and irregular access to resources.

b) Cloud Service provider responsibilities

All three major CSPs provide multiple points of presence and availability zones that help with disaster recovery and with geographical data security and compliance requirements. For instance, where the transfer of personal data out of the EU is restricted, as required by the GDPR, the CSPs have established several availability regions within the EU, so that there is sufficient disaster recovery capability while the data remains within the EU. Customer compliance is thereby built into the design from the point of engagement. Further, all service providers should have their infrastructure independently assessed, both internally and externally, for compliance with the relevant cyber security, data security and privacy requirements, and provide the resulting report to cloud customers as a System and Organization Controls (SOC 2) report, giving assurance that their sensitive data is securely processed in the cloud.

Defence in depth / Compliance by design

The concept of defence in depth is even more relevant in the cloud, because clients have no physical control over either their data or their compute instances and therefore have to enforce all controls logically.

1. Proper resource provisioning

This begins with correctly provisioning instances with the right capacities, secured through logical access control lists in the firewall configuration. It includes logical security controls such as firewalls (e.g. Azure Sentinel, Defender for Cloud) and VPN access for external users.

2. Identity & Access management

Identity and access management (IAM) is the next most important requirement of defence in depth, ensuring that only permitted users have access to the cloud instance. Through access packages, in the case of Azure, administrators can set very fine-grained access to cloud resources, so that only those with the required permissions can reach them. Other IAM controls include MFA and authenticator applications for added security of access management, as well as just-in-time access through privileged access control.
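The vulnerability assessment for excessive privileges described under customer responsibilities, and the fine-grained, MFA-backed access this section calls for, can both be checked mechanically. The following added example (not from the post or any CSP's tooling) reviews a constructed AWS-style IAM policy document and reports wildcard actions, wildcard resources, and privileged actions that are not gated on the `aws:MultiFactorAuthPresent` condition; the list of prefixes treated as privileged is an assumption of this example.

```python
import json

# Constructed AWS-style identity policy: one over-broad statement, two scoped ones,
# and one privileged action correctly gated on MFA.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
        {"Sid": "DeleteWithoutMfa", "Effect": "Allow",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::reports-bucket/*"},
        {"Sid": "DeleteWithMfa", "Effect": "Allow",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::reports-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Assumed set of action prefixes treated as privileged: a caller should have
# proven MFA before using them (adjust to the organisation's own risk ranking).
PRIVILEGED_PREFIXES = ("iam:", "s3:Delete", "kms:", "ec2:Terminate")

def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def _mfa_required(stmt: dict) -> bool:
    cond = stmt.get("Condition", {})
    flag = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")
    return str(flag).lower() == "true"

def review_policy(policy_json: str) -> list:
    """Return (Sid, issue) pairs for every Allow statement that needs attention."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard action"))
        if "*" in resources:
            findings.append((sid, "wildcard resource"))
        privileged = any(a == "*" or a.startswith(PRIVILEGED_PREFIXES) for a in actions)
        if privileged and not _mfa_required(stmt):
            findings.append((sid, "privileged action without MFA condition"))
    return findings

if __name__ == "__main__":
    for sid, issue in review_policy(SAMPLE_POLICY):
        print(f"{sid}: {issue}")
```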

3. User training

Lastly, the users of any system remain the weakest link in any cyber security program. They need constant, task-oriented training to ensure they continually understand the data security risks they are exposed to and how to protect themselves from threat actors.
