Cloud Compliance Explained

Today, the cloud is the foundation for most development teams’ projects. In fact, Snyk's State of Cloud Native Application Security report found that over 78% of production workloads are deployed as either containers — the dominant mechanism for cloud native application deployment — or serverless applications. In addition, over 50% of the report respondents’ workloads get deployed with some form of infrastructure as code (IaC).

With this prevalence of cloud-based computing comes more compliance requirements. While cloud-provisioned development practices lead to better deployment velocity, easier management, and reduced costs, they also introduce unique cloud security challenges. Cloud services create a more complex and quickly-changing threat landscape than their on-prem predecessors. Add this concern to a growing list of regulations for compliance in the cloud, and it makes achieving an excellent cloud security posture more important than ever.

A few industry-respected sources like CIS Benchmarks, the 18 CIS Critical Security Controls, and the CSA Cloud Controls Matrix (CCM) provide insight into what excellent cloud compliance looks like. A few cloud security best practices include:

• Achieving environment visibility by creating an inventory of your software assets

• Embracing the principle of “shared responsibility” (as opposed to solely relying on your cloud provider to provide security)

• Establishing clear service-level agreements (SLAs) with your cloud providers and understanding how each provider handles your data

• Creating strong data protection via encryption and data processing standards

• Implementing role-based access control (RBAC), multi-factor authentication (MFA), and other account security measures 

Why is cloud compliance important?

For many, the main driver for compliance in the cloud is simple: avoiding fines and penalties. There are many more reasons to prioritize cloud compliance, however. Staying compliant with these laws and regulations contributes to a better security posture, which means a lower risk of cyber attacks. Plus, when closing deals with enterprise customers, many of them require proof that your whole business – including your cloud-based operations – is compliant.

Common laws and regulations

There are a number of laws and regulations to be aware of when it comes to cloud compliance. Here’s a quick list of some of the more important ones:

• Protecting customers’ personal identifiable information (PII). This could include following the Health Insurance Portability and Accountability Act (HIPAA) or General Data Protection Regulation (GDPR), depending on your business’s industry and global reach.

• Maintaining the secure configurations recommended by CIS Benchmarks, CIS Controls, and the CSA Cloud Controls Matrix (CCM).

• Adhering to security-related terms when working on contracts with third parties. An example of this could be following the regulations of Payment Card Industry Data Security Standard (PCI DSS) when working with credit card companies.

• Upkeeping information security standards such as ISO 27001.

• Correcting any findings that were uncovered during an external or internal audit, especially any failures to comply with a SOC 2 audit report.

What are the cloud compliance standards?

As mentioned, there are different standards that companies can choose to follow when it comes to managing cloud data. A few of the major standards include:

SOC 2

The System and Organization Controls (SOC) 2 reporting framework proves that a company has taken steps to protect its consumer data. When it comes to compliance, SOC 2 is one of the most important formal certifications that an organization can obtain. It focuses on evaluating five areas:

1. Security: Information and systems are safeguarded from anything that could compromise their availability, processing integrity, confidentiality, or privacy.

2. Availability: Systems are appropriately available for use, as directed by a contract such as a service level agreement (SLA).

3. Processing integrity: System processing runs well and achieves the right purpose — completely, smoothly, and in an authorized manner.

4. Confidentiality: Information designated as confidential is protected.

5. Privacy: Personal information is collected, used, retained, disclosed, and disposed of in a way that aligns with the business’s privacy policy and other external standards.

Learn more about SOC 2 compliance in the cloud here.

PCI DSS

PCI DSS focuses on securing both credit and debit card transactions against threats like data theft, breaches, or fraud. PCI DSS is considered a voluntary compliance framework, however, any company that processes credit or debit cards should consider aligning with these standards to protect sensitive payment data and build customer trust.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that protected health information (PHI) doesn’t get disclosed without the patient’s consent or knowledge. These standards apply to companies that interact with individuals’ medical or health-related information for any reason and are mandated by the U.S. Department of Health and Human Services.

Check out our article on cloud compliance standards and frameworks to learn more about the different compliance standards.

Cloud compliance on different platforms

While most public cloud providers (AWS, Microsoft Azure, etc.) take measures to institute solid security practices, they also rely on the idea of “shared responsibility”. The shared responsibility model of cloud governance states that both the cloud provider and the customer will conduct their own due diligence to make cloud-based operations as secure as possible. Here is how a few of the biggest cloud providers handle compliance.

AWS cloud compliance

AWS’s side of the “shared responsibility” model includes “protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.”

In addition, AWS provides a few helpful tools that can jumpstart your cloud security program. For example, the AWS Well-Architected tool enables architects to build infrastructure that closely aligns with SOC 2 principles like operational excellence, reliability, and sustainability. Learn more about the shared responsibility model here.

GCP cloud compliance

Google Cloud Platform (GCP) also upkeeps numerous compliance standards. They routinely undergo independent verification of their controls to earn formal certifications for their products. Plus, they provide various resources and documentation for their customers to leverage as they work on their own reporting and compliance efforts.

The Cloud Data Loss Prevention tool is an example of a GCP compliance resource. It’s a data discovery service that helps companies discover, classify, and protect their sensitive data.

Microsoft Azure cloud compliance

According to Microsoft, “Azure maintains the largest compliance portfolio in the industry both in terms of breadth (total number of offerings) as well as depth (number of customer-facing services in assessment scope).”

Their website includes a comprehensive list of the compliance requirements covered on their end, along with options for services that can be added onto a customer’s Azure machines. One of these services is Update Management Center, which allows teams to centrally manage updates and compliance at scale.

Kubernetes compliance

Kubernetes strongly encourages its users to follow best practices that lead to compliance but leaves a lot of the security at the cloud level up to the customer and the cloud provider. To help with infrastructure security, they provide advice on implementing access control for the control plane, nodes, Cloud Provider API, and etcd (datastore of Kubernetes).

Best practices for cloud compliance

Regardless of which cloud platform(s) you use, there are a few next steps that your team can take to work towards strong compliance in the cloud and a better security posture in general.

1. Get familiar with your cloud setup

2. Break down compliance into a process

3. Repeat your compliance process

4. Leverage policies and policy as code for compliance, security, and data

5. Check your cloud provider’s compliance
   

1. Get familiar with your cloud setup

First, define which cloud environments and resources your engineering teams are using. Are you using multiple cloud providers across both private and public environments? Also, it’s important to gain an understanding of which data is stored in the cloud and who has access to that data across your organization. 

2. Break down compliance into a process

Rather than attempting to run compliance as a short-term project, see how it can be integrated into your everyday operations. More specifically, learn how controls and compliance standards should be applied in the context of your organization’s unique cloud systems. Here’s a simplified example of a cloud security process that your business can follow:

1. Determine your current state

2. Identify gaps

3. Remediate those gaps

4. Prove it out and monitor

3. Repeat your compliance process

Compliance is not a “one and done” exercise. There will constantly be new forms of data flowing into your systems, along with new environments being stood up across your organization. Because of this, compliance needs to be a habit, based on regular cadences and routine practices.

4. Leverage policies and policy as code for compliance, security, and data

One of the best ways to ensure that compliance becomes a routine activity is to institute policy as code (PaC) or cloud security posture management (CSPM). These types of automation can reduce the time and effort it takes to stay in compliance. PaC helps by codifying compliance standards to prevent users from performing actions that would not be compliant. CSPM helps companies automatically detect and mitigate security and compliance risks across cloud infrastructure, including hybrid, multi-cloud, or container environments. Find out more about cloud compliance tools in the next article of this series.

5. Check your cloud provider’s compliance

Most big providers (AWS, GCP, Azure) are compliant with leading standards, but you should check SLAs to understand where their coverage ends and yours should begin. Bottom line: Don’t make assumptions — make sure your bases are covered either internally or through your provider.

How Snyk can help with cloud compliance

Snyk IaC uses a unified policy as code engine to help teams develop, deploy, and operate safely in the cloud. We provide guardrails for security across major cloud providers and across the cloud SDLC, including infrastructure as code pre-deployment with the same policies that ensure running cloud environments are secure and in compliance.

In addition, Snyk helps businesses meet compliance goals by providing the following:

• Comprehensive vulnerability scanning that integrates seamlessly with your IDEs, repos, and developer workflows.

• OS Licence Compliance Management that allows developers to test OS licenses earlier in the SDLC, automates license scanning for PRs, tracks dependency paths, and more.

• Real-time reporting to help teams provide evidence of vulnerability scanning & fixes to auditors and prospective customers.

• Free and accessible security training to help development teams take control of their security education journey.

Finally, Snyk continuously evaluates compliance with regulatory and internal security policies with real-time and historical reporting, packaged for security engineers and GRC teams. We also offer a developer security platform, bridging the gap between application security and cloud security practices within your organization.

Take advantage of comprehensive, best-in-class cloud security compliance right out of the box — reach out to us today for a demo.

Cloud Compliance FAQ