For traditional data center operations, security and compliance requirements have always been operational overhead. Traditional data centers are under unique stresses in today’s world. There are pressures to make data centers more flexible and adaptable to business needs—such as rapid deployments of new technology or solutions—or to meet changes in regulation or compliance with security rules.
The data center typically faces increasing demands that stress both the operations and budgets of most businesses. Due to these challenges, companies are looking to transition operations to the cloud. The ability to deploy solutions rapidly in an on-demand cloud infrastructure may sound irresistible—until the operational, compliance, and security challenges are added to the requirements.
Data center operations should examine the changes in compliance maintenance that take place when traditional data centers are moved to cloud operations. Cloud service providers offer a range of services that include compliance and security features, but you should approach these with some professional skepticism.
Your business is responsible for compliance and security, even if you outsource part of it. You should prepare to do the hard work of verifying a cloud offering’s security and compliance components rather than taking them at face value.
When compliance programs are designed and applied carefully, they can be enhanced by cloud offerings. With appropriate planning and a mature cloud offering, businesses can use expansion into the cloud as an opportunity to grow.
Compliance in Traditional Data Center Operations
To understand compliance and security issues for a cloud migration, it’s important to first examine the processes and procedures in place for your on-premises data center. For traditional data center operations, a compliance program typically includes the platform (the operating system or network) and the application.
On-premises management of controls has been considered an advantage, with a possible cost benefit over outsourcing IT functions and compliance in the cloud. However, cloud services can be part of a larger strategy to outsource some of the operational costs and overhead investments for security and compliance in the data center.
As most data center managers will concede, security is an ongoing challenge as data centers update technology and address resource constraints and the increasing number of compliance requirements.
For instance, in an integrated cloud solution with high-security requirements, it might be possible to lessen costs and management of controls such as access management, encryption, and monitoring within your cloud portion of the solution. It is important to consider challenges as well. Operationally isolating systems can increase other costs—such as compliance monitoring, specialized personnel training, and duplication of other controls for the “data center within the data center.”
Compliance in Cloud Operations: Some Practical Advice
As you plan, it’s useful to keep these recommendations in mind:
- Clarify the services and functions that would move to the cloud. The cloud is a broad concept of outsourcing operations with a variety of models. These range from:
  - Hosting internet sites, typically called Software as a Service (SaaS).
  - Providing network and server operations with Infrastructure as a Service (IaaS).
  - Providing development tools and engineering applications with Platform as a Service (PaaS).
  - Almost any combination of outsourced support, from 0-100% of the traditional data center (often called hybrid).
However, cloud architecture may be very different from your legacy configurations. Overlooked operational gaps can introduce costly new controls. Consider the operational and compliance impact of the cloud offering. For instance, a hosted solution typically means the cloud provider will host and manage your solution on their systems. This means the cloud provider will maintain the hardware and base operating systems software, but it may not include application administration, database hosting, or configuring connections back to services in your data center. Another example is that using the cloud for internal data center backup operations (a hybrid approach) may provide multiple sites and redundant communications channels to ensure backups are performed in a timely, recoverable manner. Testing and verification of backups, a compliance requirement, may not be part of the service provided.
- Engage your security engineering team early. The challenge for many organizations is that moving to the cloud may create knowledge gaps. Changes may require training or awareness to ensure you address security and compliance. For example, certain compliance programs may have technical requirements for multiple providers, where duties and responsibilities must be kept separate—such as FedRAMP-certified environments, which require continuous monitoring and separation of function. Staff should be provided with training or time to learn about the control requirements and should become part of engineering a solution that works with your business needs. For many organizations that already have a data center and security monitoring, the question may be which security control functions a cloud provider should perform. For instance, monitoring and alerting, and patching and provisioning secure systems, may be better undertaken by the cloud provider.
- Work with compliance/legal as part of the cloud initiative. You will find cloud vendors well aware that customers often need to run in a compliant environment. Many cloud providers, such as AWS, Azure, and Google, are already certified for ISO 27001, SOC2, and other traditional compliance certifications. However, this can be confusing, as these certifications are for their systems, not yours. While you can effectively “inherit” their compliant status, it is because you are outsourcing/contracting for that, and you should validate their certifications as part of your supplier management program. For instance, running on a vendor’s SOC2-certified offering does not automatically make your application SOC2-compliant. If your application requires SOC2 certification, the portions of operations that you do not outsource will still be required to meet SOC2 controls, and the outsourced controls will be examined as part of your certification. When a vendor offers system controls that can be used in your certification environment, such as the enterprise accelerator-ready controls offered by AWS, a security operations team must still verify and monitor them.
- Finally, you need to carefully control access to and management of cloud services. A common problem with early cloud service adopters was their failure to control access to cloud resources. This led to inadvertent data loss and cost overruns. Remember that cloud vendors do not stop customers from using their services in an insecure or non-compliant manner. Most cloud providers do offer assistance to organizations to help them understand their compliance posture and actions they can take to reduce their compliance risk.
Compliance Programs Are Addressing Cloud Environments
A number of changes in compliance programs are beginning to address possible new risks to organizations approaching cloud offerings. Here are some updates:
FedRAMP is one of the most prominent federal initiatives designed to make the cloud more attractive to federal agencies and organizations, and to serve as a replacement for expensive federal data centers. A business that sells a solution (e.g., a hosted application) to the US federal government may find itself pushed to certify that it is in compliance with FedRAMP requirements. The advantage is that, once your offering is certified, any federal organization can procure your application as a secure cloud offering more rapidly than with the traditional procurement process.
AICPA/SOC2 is a very common certification/compliance program used to ensure the security functions of a company that stores or processes customer data. SOC2 updated its program in 2019 to address protection of data in the cloud.
ISO 27001/27002 is an international standard and certification program for businesses running secure IT programs. It defines secure principles for technology operations, including risk and governance. ISO 27017 is an addendum to ISO 27001 for cloud services, and it provides guidance to address security within the cloud.
The PCI Security Standards Council is an authority governing the use of payment cards for banks, vendors, and industry processors. PCI produces the PCI DSS standard and has authored additional guidance on cloud security.
Many people point out that the cloud is really not new technology, but rather, a new way to manage technology. Using the public cloud makes it necessary to outsource functions, so it does affect security and compliance.
Some immediate advice is as follows:
- Clarify your own architecture and security and compliance controls.
- Discuss with cloud service providers what their offerings actually cover, comparing their “compliance” support with your actual needs.
- Ensure you examine compliance program guidance that addresses the compliance-related challenges of migration to the cloud.
- Ensure you have your compliance/legal teams address the impact of the compliance program and other security-risk management changes that using the cloud will introduce.
These initial steps will uncover some of the gaps for traditional data center operations that consider cloud offerings. It is important to work with the cloud vendor to address your security and compliance posture and to ensure your security controls are integrated with the vendor-provided controls.
Additionally, successful cloud integrations are often enhanced by the use of third-party products and services to help with security gaps or compliance requirements. For instance, runtime Cloud Workload Protection Platforms like Intezer Protect support organizations in securing their cloud environment, while also achieving compliance.
Implementing Intezer Protect for cloud workloads can help you maintain compliance while transitioning to the cloud.