What You Need to Know About Cloud Compliance & Compliance Reporting
Date: 24 February 2022
Global spending on cloud services is expected to rise to $482 billion in 2022, up from $313 billion in 2020. And by 2028, the market will be worth well over $1,250 billion.
As more organisations move to the cloud to improve business agility and resilience, speed up time-to-market, and reduce costs, they naturally want to know about cloud compliance and compliance reporting. This brief article addresses some of these questions and concerns.
Does Compliance Matter in the Cloud?
In the recent past, many industry regulations and local/national laws have emerged around protecting consumer privacy and data security. Simply put, organisations are required to protect their customers’ data and privacy – or face the wrath of the law.
Depending on your industry, you may be required to comply with laws and regulations such as HIPAA, PCI DSS, SOX, or GDPR. Compliance means that your systems, processes, and workflows align with the requirements mandated by these regulatory regimes. But you need to remember that this need for compliance also extends to the cloud, so you must ensure that any data you store in your cloud infrastructure complies with all relevant data protection and privacy laws.
The costs of non-compliance can be very serious. Not only will you have to contend with hefty fines and possible lawsuits, but you may even end up losing your reputation and your customers – which will impact your revenues and profitability.
So in a nutshell, yes, compliance does matter in the cloud.
How Can I Achieve Cloud Compliance?
To comply with the laws that apply to your business, you need to implement the right security controls. These laws set out specific rules and constraints on how companies may collect, store and process data in the cloud. To satisfy these constraints and ensure compliance, you should work with your cloud provider to implement strong controls.
In fact, many providers can support your compliance goals with their compliance offerings, resources, audit reports, dashboards, and even security controls.
If you already use standard security frameworks to guide your cybersecurity/information security program, you can leverage these standards to implement controls to secure your cloud and achieve regulatory compliance. After implementing these controls, make sure to train your employees to use them properly in order to protect data and maintain your compliance posture.
Many third-party companies also provide compliance reporting and auditing services to help organisations achieve compliance with various standards, assess their security postures, and prioritize remediations.
How to Assess Cloud Compliance?
After implementing the necessary controls to achieve compliance, you should also assess your compliance posture regularly. This is crucial to ensure that you continue to maintain compliance.
One way to assess compliance is to conduct an internal or external audit. An internal audit or self-assessment can yield useful results that can help you strengthen your compliance posture. But such audits are prone to bias since they are conducted by internal auditors. To generate a truly unbiased assessment, it’s best to get an independent third-party auditor to conduct an external audit on your cloud compliance posture.
Asking Providers for Cloud Audit Reports
Earlier we saw that as a cloud user, you are required to comply with relevant data privacy laws. Your cloud provider must also comply with these laws. To inform your own compliance goals and processes, ask your provider for their compliance audit report.
For example, ask for the SOC 2 audit report which is standardized by the American Institute of Certified Public Accountants (AICPA) and meant for service organizations like cloud providers. This report shows whether the provider has implemented the security controls required to comply with the AICPA’s five “trust services criteria”: security, availability, confidentiality, processing integrity, and privacy. In simple terms, the report shows whether the provider has the right controls in place to ensure data security and user privacy.
A SOC 2 Type 1 report shows the status and suitability of the provider’s controls at a particular moment. A Type 2 report shows the operational effectiveness of these controls over a certain period of time. If the provider can’t or won’t share these reports with you – say, because they contain sensitive information – ask for the SOC 3 report, which is intended as a general-use report but can still help you assess the provider’s compliance posture.
Some cloud providers like Oracle also provide “attestations” to show which of their cloud services have achieved compliance with different frameworks such as ISO 9001, SOC 1/SOC 2/SOC 3, PCI DSS, etc.
Cloud adoption undoubtedly brings many benefits for organisations. However, it also brings compliance challenges that can seem overwhelming. You can reduce this burden by arming yourself with information – about which laws you need to comply with, why, and how.
Author: Raul Pascu - Raul Pascu is a cybersecurity consultant