Almost half of all data breaches take place in the cloud. And it’s little wonder why with the massive migration of enterprise operations to cloud environments. This shift has also brought to light the pressing need for new audit and compliance measures to ensure the security of cloud data. Eric Kedrosky, CISO of Sonrai Security, explores the compliance frameworks and standards you need to know.
The migration of enterprise operations to the cloud has revolutionized the business landscape over the past decade and a half. However, this shift has also brought about a pressing need for new audit and compliance measures to accommodate the cloud landscape. With the explosion of identities, including both human and non-person identities (NPIs) and the distributed ownership of cloud resources across teams, managing identities, access and permissions has become an increasingly daunting challenge.
Being cloud-compliant means adhering to internal and external requirements, regulatory standards and industry guidelines within a cloud environment. Audits play a crucial role in achieving cloud compliance, whether for internal purposes or to satisfy external regulatory bodies. However, there are unique challenges present in identity-related audits and compliance standards that prove to be difficult.
Just look at the recent news surrounding the Toyota Motor Corp leak, in which Toyota acknowledged that the vehicle data of approximately 2.15 million users was publicly accessible in Japan for nearly a decade. What should have been private cloud data became public. If your cloud audit misses something this significant for months, let alone years, you could find yourself in a very bad situation.
The challenges of cloud audit and compliance
Several factors contribute to the complexity of cloud audit and compliance. First, the exponential growth of identities, both human and machine, makes maintaining control and oversight difficult. Lax permission governance models can leave room for the self-escalation of identity permissions and the creation of new NPIs by intruders in your environment, which can be manipulated and used for their intended action.
Additionally, the insecure provisioning of entitlements in cloud environments exacerbates the risk of unintended inheritance or impersonation. Poor management of secrets further compounds the challenge, as they are often stored in vulnerable locations, susceptible to compromise.
The ever-evolving nature of cloud infrastructure, coupled with the distributed ownership of resources across teams, adds another layer of complexity. Your cloud is constantly changing, making it insufficient to prep one-off for audits, and ownership over identity and access security is a gray area between identity access management teams, cloud teams, security teams and developers. As a result, managing audit questions and keeping up with compliance requirements becomes increasingly arduous.
Recent research shows internal audit functions are rarely involved in setting strategy for ESG or even in reviewing how goals are tracked and monitored. EY’s Kapish Vanvaria argues that ESG leaders should make friends with their internal audit colleagues — for everyone’s sake.Read more
Key compliance frameworks and standards to know
To establish a robust cloud security posture, organizations must align their compliance efforts with industry-standard benchmarks and regulations. Some key cloud compliance standards include:
- CIS (Center for Internet Security Foundations Frameworks): Benchmarks for the secure configuration of systems
- PCI DSS (Payment Card Industry Data Security Standard): An information security standard for the processing, storage and transfer of credit card data
- HIPAA (Health Insurance Portability and Accountability Act): Security and privacy protection for personal healthcare information
- ISO 270002 (International Organization for Standardization): Information security management
- NIST 800-53 (National Institute of Standards and Technology): Security framework for federal agencies and programs
- HITRUST (Health Information Trust): Control measures and safeguards for private healthcare information (PHI)
- CSA (Cloud Controls Matrix): A cybersecurity framework for cloud computing
Building a strong foundation
To build a strong foundation for cloud audit and compliance, several key components should be considered. For starters, this should include tracking and collecting every event in the cloud environment by enabling audit logging. This step is critical to ensuring the availability of quality data for evidence gathering. It is crucial to safeguard the collected evidence from unauthorized access, deletion or tampering to protect the audit data.
Clear visibility is also essential. This involves maintaining a unified inventory of identities, data and infrastructure within and across cloud environments.
Finally, configuring cloud services to align with compliance requirements and maintaining the chain of custody is necessary to establish a robust foundation for cloud audit and compliance. Once you have the right foundational practices in place, audits can be completed without spending unnecessary time and resources.
The power of CSPM and CIEM
While there is no silver bullet solution for cloud audit and compliance, the combination of cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM) tools offers significant advantages. CSPM tools, for example, help monitor for misconfigurations and/or changes that cause drift away from compliance. In conjunction, CIEM solutions enable organizations to inventory human and non-human identities in the cloud, determine their entitlements and monitor them for deviations, as well as enforce secure entitlement management when deviations are detected.
By leveraging CSPM and CIEM together, organizations gain comprehensive visibility into cloud posture and identities, reporting capabilities and the ability to address complex audit requirements effectively.
Cloud tools checklist
Successfully navigating cloud audits requires organizations to through the implementation of appropriate tools and processes. This involves setting baseline policies and mapping them to industry-standard frameworks to simplify compliance enforcement. It also entails providing valuable analytics to gain accurate visibility into access permissions and effectively address audit inquiries.
Organizations should be able to support complex questions by leveraging their ability to query cloud data and provide detailed responses to audit questions. Additionally, generating reports that demonstrate compliance alignment and adherence to specific policies is essential.
Continuous monitoring for changes is also crucial when it comes to identifying any access and configuration changes that might impact compliance. By fulfilling these requirements, organizations can navigate cloud audits with confidence and demonstrate their commitment to effective risk management and compliance.
Lastly, when it comes to effectively overcoming cloud compliance challenges, organizations should consider the following strategies:
- Take control of your controls: Establish a precise understanding of control implementation in your environment, recognize the characteristics of effective control and have a clear grasp of the signs of control failure.
- Show visibility: Demonstrate the ability to monitor and manage security controls effectively.
- Always be monitoring: Continuously monitor your cloud environment and ensure alignment with industry-standard frameworks.
- Build trust over time: Develop a consistent track record of understanding and proficiently managing controls, to earn auditors’ trust. This involves being adequately prepared ahead of time and providing clear, understandable evidence of your control management practices.