I will not start this article with the narrative of we need to be ‘cloud-in’ or we need to be ‘digital first’. That account has been recapped many times over. Most organisations are already cloud-in and have been for quite a while now.
So, I am making the assumption that you are already cloud-in, and ‘all-in’ at that. This piece is more about the importance of being secure and being compliant while being all-in to the cloud.
It is a piece of NEWS we frequently encounter nowadays. A cloud security breach or incident takes place and sends the organisation into turmoil. Denial of service, stolen organisational data, hijacked customer data, legal fees, customer fury, bad press etc. You get where I am going with this. It is a downward spiral. One that most organisations want to avoid and often don’t take all the necessary measures to avoid.
Over recent years, plenty of media stories have surfaced highlighting the devastation caused by cloud security breaches.
Security and compliance are matters now so critical that it is leaving IT leaders in the quagmire of whether to be, or remain, all-in to the cloud, or not.
Storing business data and especially client data, or personally identifiable information (PII), in the cloud can be fraught with risks if you are new to cloud computing and especially if your migration has not been well thought through and robustly executed.
Although all cloud computing vendors provide the technology, tools and resources to secure their cloud infrastructure, ensuring security in the cloud is a shared responsibility between the organisation and the cloud vendor. Furthermore, it is quite different than securing your on-prem infrastructure. Add to this multiple cloud providers and various cloud philosophies (hybrid, private, public, distributed, multi, edge etc) and the security situation becomes that more complex and resultantly fraught with higher risk.
Achieving security and compliance in the cloud is not an easy feat. It comes associated with its challenges. To be certain that your organisation’s security and compliance standards are on point in the cloud, you must overcome the challenges.
The Challenges Associated with Cloud Security and Compliance
To address the compliance requirements, organisations must first address the matter of security since the controls necessary to achieve compliance are often implemented under the realm of security.
Various security challenges affect the success of compliance, be it in the cloud or on-premises
Inconsistent operations: When it comes to operations, inconsistency is causal to inefficiency. Irrespective of the industry, regardless of size of operations and immaterial of whether you provide products or services as your core business the more standardised your operations, the better off you are. As organisations move to the cloud, they must migrate the operational security and compliance functions from their on-prem play to their respective cloud services. From a compliance perspective, the more that organisations drive consistency of operations with automation, the easier it is to respond to audit requests and enforce security, and consequently be compliant.
External threats: Today’s organisation is confronted with threats of varying magnitude and severity. Cyber threats, data attacks, denial of service etc represent a relentless source of sophisticated exploits aimed at targeting your organisation’s information. Threat causal factors can take a mix of methods to compromise systems and infrastructure for gain. With the workforce becoming increasingly mobile and now remote work becoming rampant, it has become easier to attack organisations when their edge systems are attached to insecure networks outside their sphere of control.
Information opaqueness: Historically, it was rather easy to see where organisational data lived. It was in the company’s data centre, living in database management systems orchestrated by the firm and leveraged by company built or managed enterprise applications. The scene has changed somewhat. With the proliferation of mobile devices—now defined as edge computing—and the increasing use of cloud-based applications and services, critical corporate information is more dispersed than ever. With additional regulatory requirements involving global data residency, getting a single view of your data is more challenging than ever.
Compliance in the Cloud is a Shared Responsibility
Many organisations assume that once data resides in the cloud, the responsibility for its security shifts entirely to the cloud provider. This is not accurate. The responsibility of keeping the data secure and for maintaining compliance in the cloud is a shared responsibility between the cloud provider and the organisation. Pertinent to note that the higher up into the cloud stack an organisation subscribes to, the more security compliance functionality is built-in. For instance, a SaaS application provider offers various additional security and compliance features atop of the security of the infrastructure and platform. However, in this shared-responsibility framework, it is still up to the customer to implement and use those security and compliance features to ensure that its existing on-premises security policies extend to the cloud.
The issue of Cloud Compliance
Compliance is one of the key reasons many organisations hesitate to execute a cloud-first strategy. However, a robust understanding of how compliance can be achieved in the cloud enables companies to capitalize on the business agility and growth that the public cloud provides. With a complete understanding of how compliance can be attained in the public cloud, even the most heterogeneous organisation can operate in an ever-changing regulatory environment.
Think Cloud Security First
I see many organisations migrate their on-prem workloads to the cloud and then start the security conversation. Eventually, they get around to the ‘are we compliant’ conversation too. I strongly suggest to the clients we work with that they take a security-first approach. One that drives a state of continuous cloud compliance. These must not be siloed conversations. They must be cohesive conversations. Security that achieves continuous compliance must be woven into the cloud journey.
This achieves real and measurable security from inception. Thinking cloud security first allows remaining compliant. It also lowers the investment to achieve a robust security posture, curtails risk and in the process reduces the complexity of cloud operations.
A security-first model leverages tools and automation that helps maintain continuous monitoring and management of cloud security risks and threats. A cloud security first philosophy monitors security threats through real-time discovery, it understands security threats through deep insights, it helps act on threats through automated policies, processes, and controls and measures security and compliance results with robust reporting capabilities.
Start with the Right Cloud Platform
For an approach to be deemed as ‘cloud security first’, an organisation needs a cloud platform that manages cloud security and monitors the security posture, with continuity, against a defined set of security policies and compliance standards.
The right cloud platform provides an organisation a deep, holistic and universal view of all the cloud accounts the organisation houses. Furthermore, the right cloud platform helps generate regular compliance reports.
Compliance risks are identified and remediated effectively and efficiently by the right cloud platform. The right cloud platform provides end-to-end lifecycle compliance, monitoring and audit reports that cater to round-the-clock security management and compliance.
Security and Compliance in the AWS Cloud
AWS regards security as an extremely important and high priority matter. AWS customers benefit from a state-of-the-art data centre, which comprises network architecture built to meet the requirements of the most security-sensitive organisations. Security of the cloud is like security on-premises. The key difference in cloud scenarios is the organisation is not burdened with the costs of maintaining facilities and hardware. Since the organisation is not responsible for managing the physical servers and storage devices in cloud setups, software-based security tools are leveraged to monitor and protect the flow of information in and out of your cloud resources.
The AWS Cloud allows organisations to scale maintaining a secure environment while paying only for the services the organisation leverages. This equates to lowered security spend in a cloud setup, while compared to an on-premises environment.
As an AWS customer you inherit all the best practices of AWS policies, architecture, and operational processes built to satisfy the requirements of our most security-sensitive customers and get the flexibility and agility you need in security controls.
AWS’ Cloud offering enables a shared responsibility model. AWS manages security of the cloud component, and you, the customer organisation, are responsible for security in the cloud. This means that you have the responsibility and in the process, you retain the control of the security you choose to implement to protect your platform, applications, systems, and networks. Note that this is not different to how you would do it in an on-prem setup.
AWS provides you with the expertise and guidance through their personnel, online resources, and partners (such as PolarSeven). AWS also provides you with advisories for current issues and you can work directly with AWS when you encounter security issues. You get access to hundreds of tools and features to help you to meet your security objectives. AWS provides security-specific tools and features across network security, configuration management, access control, and data encryption.
Finally, AWS environments are constantly audited, with certifications from accreditation bodies across geographies and verticals. In the AWS environment, you can take advantage of automated tools for asset inventory and privileged access reporting.
Benefits of AWS Security
Keep Your Data Safe: The AWS infrastructure puts strong safeguards in place to help protect organisational privacy. All data is stored in highly secure AWS data centers.
Meet Compliance Requirements: AWS manages several compliance programs in its infrastructure. This means that segments of your compliance have already been achieved.
Save Money: Cut costs by using AWS data centers. Maintain the highest standard of security without having to manage your own facility.
Scale Quickly: Security scales with your AWS Cloud usage. No matter the size of your business, the AWS infrastructure is designed to keep your data safe.
AWS Cloud Compliance enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of AWS Cloud infrastructure, compliance responsibilities will be shared. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance enablers build on traditional programs. This helps customers to establish and operate in an AWS security control environment.
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies:
SOC 1/ISAE 3402, SOC 2, SOC 3
FISMA, DIACAP, and FedRAMP
PCI DSS Level 1
ISO 9001, ISO 27001, ISO 27017, ISO 27018
AWS provides customers a wide range of information on its IT control environment in whitepapers, reports, certifications, accreditations, and other third-party attestations. More information is available in the Risk and Compliance whitepaper and the AWS Security Centre.
Security is like an onion with lots of layers to know and understand—it’s complicated! Implementing solutions on cloud platforms does some of the heavy lifting. We inherit physical and environmental controls, have shared responsibilities with patch and configuration management and responsibility on protecting customer information.
The security services and solutions provided are vast. PolarSeven can help you to navigate and ensure you are secure to your required compliance levels. We provide this via advisory services to discuss and understand your gaps, architect and delivery solutions to ensure best practices with follow on managed services to ensure continuous proactive monitoring and compliance.
Discover how PolarSeven can help.