In the recent CISO Mag Cloud Security Survey – June 2020, one of the questions posed to respondents was “What are some of the biggest security concerns raised when you choose a cloud service provider (CSP)?” A notable finding was that more than two-thirds of respondents stated that regulatory compliance is a key security concern when choosing a cloud service provider. The major cloud service providers — Amazon, Google, and Microsoft — address regulatory compliance head-on and painstakingly educate their customers on the shared responsibility model. This article will aim to help security leaders solve the dynamic and evolving problem with regulatory compliance on the cloud.
By Aj Yawn, Cloud Security Expert
An understanding of the shared responsibility model and its relationship to regulatory compliance will assist security leaders in preparing for regulatory compliance assessments when hosted on the cloud. Cloud security is a shared responsibility, this shared responsibility extends to regulatory compliance. The cloud shared responsibility model outlines that CSPs are responsible for the security of the cloud and customers are responsible for security in the cloud (securing the data they put in the cloud). Customer or CSP responsibility shifts depending on the cloud computing deployment type – IaaS, PaaS, or SaaS.
Regulatory compliance should be viewed through this same security shared responsibility model. The CSPs are responsible for maintaining and proving the regulatory compliance of the cloud, while customers are required to maintain and prove regulatory compliance of the data and applications they host in the cloud. The CSPs do a great job of demonstrating compliance and making this information available to its customers.
AWS, Microsoft, Google, and the other CSPs make information regarding their achieved compliance certifications readily available to all their customers. A quick glance at the three major CSPs security and compliance web pages, and you can see that they all maintain several recognized industry certifications such as SOC 2, ISO 27001, and HIPAA.
My CSP is compliant, how does this impact my organization?
These compliance certifications enable an organization to leverage the cloud service providers but they do not replace the cloud consumers’ requirement to perform their own third-party assessments. In certain instances, compliance frameworks allow organizations to leverage the controls in place at their CSPs for their compliance assessments. For example, in a SOC 2 assessment, you will see CSPs referred to as “subservice organizations.” This means that the CSP is implementing certain controls on behalf of their customers; these controls include physical and environmental security controls for the facilities where the data resides.
These physical and environmental security controls are only a subset of a complete cybersecurity audit. This is where customer responsibility begins with regulatory compliance in the cloud. The customer, your organization, is responsible to prove how they are addressing other common domains such as access control, risk management, onboarding procedures, termination, network security, change management, and vendor management. This is generally accomplished through evidence collection procedures, interview discussions, and observations with third-party auditors.
Ok, I understand shared responsibility, but what about data sovereignty? Is that shared too?
A regulatory compliance concern that is fairly common amongst security professionals as they are migrating to the cloud is regarding data sovereignty laws. In fact, 59% of survey respondents noted data ownership as a key security concern when choosing a cloud service provider and 47% of respondents cited data location as a security concern.
Data sovereignty is the idea that your data is subject to the laws and governance structures within the nation where it is collected. The concept of data sovereignty is closely linked with data security, cloud computing, and technological sovereignty. Understanding the shared responsibility model addresses data sovereignty concerns because you understand your responsibility and control with respect to the data hosted in the cloud. As a reminder, you, the customer, are responsible for security in the cloud. Specifically, you are completely responsible for your data. Pursuant to this responsibility, organizations have complete control over where their data is stored and how it is managed (backup, retention, encryption, etc.).
With a few clicks within the CSP management console, your organization can begin reaping the control and flexibility benefits that are inherent in the shared responsibility model.
Shared responsibility of the cloud is foundational to understanding cloud security. Armed with an understanding of this model, organizations can make smart and quick decisions when architecting solutions on the cloud. This clarity should also reduce the security concern of regulatory compliance on the cloud. As you understand where the line is drawn between the customer and the CSP, regulatory compliance becomes straightforward and easier.
About the Author
AJ Yawn is a cloud security subject matter expert that possesses over nine years of senior information security experience and has extensive experience managing a wide range of compliance assessments (SOC, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers. He has earned several industry-recognized certifications, including the CISSP, AWS Certified Security Specialty, AWS Certified Solutions Architect-Associate, and PMP. AJ is involved with the AWS training and certification department, volunteering with the AWS Certification Examination subject matter expert program.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.