Cloud Compliance Standards: Frameworks & Controls
How to maintain compliance standards in the cloud
Cloud compliance might be the least exciting topic in the realm of cloud security. There are many standards and regulations to keep up with across industries and geographies — and the requirements for each can be detailed and, quite frankly, a bit mind-numbing.
But fear not! We’ve done some of the brain-blasting for you. In this article, we’ll review the major cloud compliance standards, certifications, and compliance controls so you can select and follow the ones most appropriate for your business. We might not be able to make compliance exciting — but with the right tools and approaches, we can make it less painful.
What are cloud compliance standards?
Cloud compliance standards include laws, regulations, and industry frameworks such as SOC 2 and PCI DSS that companies operating in the cloud must follow to protect sensitive data. These standards come in many forms and can vary according to the industry and location where the company operates, so it's important to know exactly which standards apply to your organization, and how to configure your cloud resources and processes in order to stay compliant.
Which cloud compliance standards should I follow?
Your cloud provider is a good place to look for guidance when determining which cloud compliance standards apply to your company. AWS, for example, publishes attestations for PCI DSS, HIPAA (for its HIPAA-eligible services), and GDPR, among others, so you'll want to make sure your organization follows suit if those regulations fall within your industry. Keep the shared responsibility model in mind, though: the provider's attestation covers the infrastructure it operates, not the way you configure and use it. A PCI DSS-compliant provider does not make your workload compliant until your own accounts, networks, and data handling meet the standard as well.
Take the time to look into the most common compliance standards and certifications and identify the ones that are applicable to your industry and region. Be aware that the region where your data is stored is part of the equation, so ensure you have that information from your cloud provider. Following the correct compliance standards for your company will go a long way in addressing cloud security challenges.
Wishing you had a cheat sheet for this information? Keep reading.
List of cloud compliance standards and certifications
Here’s a quick-and-dirty overview of the most common and frequently required standards for cloud compliance.
SOC 2
Industry: Service organizations
Geography: International
SOC 2 is a compliance standard developed by the American Institute of Certified Public Accountants (AICPA). It was created specifically for service organizations to help them navigate the safe, appropriate management of customer data. SOC 2 is built on five "trust services criteria" (formerly called trust service principles) that organizations should adhere to:
Security
Availability
Processing integrity
Confidentiality
Privacy
A SOC 2 report can only be issued by an independent, licensed certified public accountant (CPA) firm. Reports come in two types: a Type I report assesses whether controls are suitably designed at a point in time, while a Type II report assesses whether they operated effectively over a review period, typically six to twelve months. Customers and auditors usually ask for the Type II.
ISO 27001
Industry: All industries
Geography: International
ISO 27001 specifies the requirements for an information security management system (ISMS), enabling organizations to securely manage their information assets. While it is not a required standard from a legal perspective, many companies choose to meet ISO 27001 compliance to demonstrate to partners, customers, and stakeholders that they consider data security a high priority. Certification can be achieved by requesting an external audit from an accredited certification body.
HIPAA
Industry: Healthcare
Geography: U.S.
HIPAA stands for the Health Insurance Portability and Accountability Act. It was instituted in 1996 to:
Protect sensitive medical records of patients obtaining care in healthcare facilities
Restrict the usage and disclosure of patient information
Preserve a patient's right to control the usage of their own information
In short, HIPAA allows appropriate parties (doctors, care providers) to use patient information for the benefit of the patient, while protecting that data from being exposed to outside parties. If you store or process protected health information (PHI) in the cloud, the cloud provider is a business associate under HIPAA, so you must have a business associate agreement (BAA) in place with the provider and use only the services it covers under that agreement.
NIST 800-53
Industry: U.S. federal government and its contractors
Geography: U.S. (widely used as a reference elsewhere)
NIST Special Publication 800-53 is published by the National Institute of Standards and Technology and applies to the information systems of the U.S. federal government, its agencies, and government contractors. It is a catalog of security and privacy controls (not to be confused with the separate NIST Cybersecurity Framework) that aims to improve organizations' security posture by applying safeguards that maintain the confidentiality, integrity, and availability of systems. Controls are grouped into low, moderate, and high baselines so that the catalog can support the priorities of any government organization. FedRAMP, the authorization program for cloud services used by U.S. federal agencies, is built on these 800-53 baselines.
GDPR
Industry: All
Geography: Protects the personal data of individuals in the EU/EEA (regardless of citizenship), but applies to organizations worldwide
The General Data Protection Regulation is a European regulation that applies to any organization, wherever it is located, that processes personal data of individuals in the EU/EEA. It is among the most stringent sets of data protection rules in the world. The seven principles of the regulation state that personal data should be:
Processed lawfully, fairly and transparently
Collected for specified, explicit and legitimate purposes (purpose limitation)
Adequate, relevant and limited to what is necessary for that purpose (data minimisation)
Accurate and kept up to date
Kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation)
Processed with integrity and confidentiality, using appropriate security measures
Handled so that the controller can demonstrate compliance (accountability)
For cloud deployments, data residency is the practical sticking point: transferring personal data outside the EU/EEA requires a recognized safeguard such as an adequacy decision or standard contractual clauses, so region selection and provider data-transfer terms are part of GDPR compliance.
PCI DSS
Industry: Any organization that stores, processes, or transmits cardholder data (most commonly retail and e-commerce)
Geography: International
The Payment Card Industry Data Security Standard, or PCI DSS, applies to organizations that store, process, or transmit credit and debit card data. These policies and procedures were developed by the PCI Security Standards Council to ensure that cardholder data is processed, stored, and transmitted securely. There are 12 requirements to maintain PCI DSS compliance, which include network security controls such as firewalls, protection of stored cardholder data, encryption of cardholder data in transit over public networks, restricting access on a need-to-know basis, and more.
How compliance is validated depends on your transaction volume: smaller merchants typically complete a Self-Assessment Questionnaire (SAQ), while the largest must undergo an on-site assessment by a Qualified Security Assessor (QSA). Reducing the scope of the cardholder data environment, for example by tokenizing card numbers or using a compliant payment processor, is the single most effective way to make the process manageable. To learn more, see these guidelines for securing the cloud for PCI review.
CIS benchmarks
Industry: All
Geography: International
The Center for Internet Security (CIS) is a global community of cybersecurity experts who establish benchmarks to help organizations better manage cybersecurity. Their recommendations are globally recognized, and they currently have more than 100 configuration guidelines across 25+ vendor product families, including cloud providers, server software, network devices, and more.
The primary goal of companies implementing these benchmarks is to limit configuration-based security vulnerabilities. Each benchmark is a list of concrete, checkable settings (for example, that no security group allows SSH from the entire internet, or that storage buckets block public access), split into a Level 1 profile of essential settings and a more restrictive Level 2 profile. Because the recommendations are specific enough to automate, they are the usual source of rules for cloud posture and infrastructure-as-code scanners. The full list of benchmarks can be accessed and downloaded from their website.
CSA cloud controls matrix
Industry: All
Geography: International
The CSA cloud controls matrix (CCM) is a framework built by the Cloud Security Alliance to provide guidelines for systematically assessing a cloud implementation. It covers 17 domains of cloud technology with 197 control objectives and is aligned to the CSA Security Guidance for Cloud Computing. Its mappings to other standards (including ISO 27001, NIST 800-53, and PCI DSS) make it useful for showing how one set of implemented controls satisfies several frameworks at once. The CCM is one of the most widely used frameworks for cloud security and compliance and includes:
CCM v4 controls
Mappings
CAIQ v4
Implementation guidelines
Auditing guidelines
CCM metrics
Cloud compliance controls
Cloud security controls are the safeguards that reduce the risk to the data and systems in your infrastructure and protect them from malicious actors. Responsibility for them is shared: the cloud provider secures the underlying infrastructure (physical facilities, hypervisors, managed service internals), while you are responsible for everything you configure and deploy on top of it, such as identity and access, network rules, encryption settings, and your own applications and data.
Here’s a quick overview of the primary cloud controls:
Deterrent controls: These controls are meant to "deter" bad actors from carrying out their plans. They can be internal or external communications or actions that warn of the consequences of committing a breach, such as acceptable-use policies, login banners, and visible audit logging.
Preventive controls: Preventive controls include strong user authentication, least-privilege access, closing open ports, and other measures that decrease the number of opportunities for attackers to compromise your system. A policy check that blocks a misconfigured deployment before it reaches production is a preventive control.
Detective controls: Logging, monitoring, and alerting tools are examples of detective controls. They seek out indications that a misconfiguration exists or an attack is underway and surface them so that a response can begin.
Corrective controls: Corrective controls attempt to minimize the damage in the event of a breach. They might include revoking credentials or removing access from specific users, isolating a compromised host, or restoring systems from a known-good backup.
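As an added example (not code from this article or from Snyk), here is a small policy-as-code check in Python that turns the CIS benchmark idea above and the preventive/detective control taxonomy into something runnable. The rules are modelled on well-known CIS AWS Foundations Benchmark recommendations (no ingress from the whole internet to remote administration ports, S3 buckets with public access blocked and encryption at rest, an enabled multi-region CloudTrail trail), but the rule IDs, the inventory format, and the sample inventory are all constructed for this example and are not CIS identifiers or a real tool's schema. Each finding is tagged with the control type it represents, and a non-zero exit code turns the script into a deployment gate.

```python
"""Policy-as-code checks over a cloud resource inventory (constructed example).

The rules are modelled on CIS AWS Foundations Benchmark recommendations, but the
rule IDs, the inventory format and the sample data below are hypothetical.
"""
import sys
from dataclasses import dataclass
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}          # SSH and RDP: the remote administration ports
PAB_FLAGS = ("block_public_acls", "ignore_public_acls",
             "block_public_policy", "restrict_public_buckets")


@dataclass(frozen=True)
class Finding:
    rule_id: str        # hypothetical rule identifier, not a CIS recommendation number
    resource: str
    control_type: str   # "preventive" (blocks a deploy) or "detective" (visibility gap)
    message: str


def cidr_is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any prefix that matches every address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(sg: dict) -> list[Finding]:
    """Preventive: flag ingress rules exposing an admin port to the whole internet."""
    findings = []
    for rule in sg.get("ingress", []):
        lo, hi = rule["from_port"], rule["to_port"]   # inclusive numeric port range
        exposed = any(cidr_is_anywhere(c) for c in rule.get("cidrs", []))
        if exposed and any(lo <= port <= hi for port in ADMIN_PORTS):
            findings.append(Finding(
                "SG-ADMIN-PORT-WORLD", sg["name"], "preventive",
                f"ingress ports {lo}-{hi} allowed from the internet, covers an admin port"))
    return findings


def check_bucket(bucket: dict) -> list[Finding]:
    """Preventive: every public-access-block flag set, and encryption at rest configured."""
    findings = []
    pab = bucket.get("public_access_block", {})
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append(Finding("S3-PUBLIC-ACCESS-BLOCK", bucket["name"], "preventive",
                                "public access block incomplete: " + ", ".join(missing)))
    if not bucket.get("sse_algorithm"):
        findings.append(Finding("S3-ENCRYPTION-AT-REST", bucket["name"], "preventive",
                                "no server-side encryption configured"))
    return findings


def check_trails(trails: list[dict]) -> list[Finding]:
    """Detective: at least one enabled multi-region CloudTrail trail must exist."""
    if any(t.get("enabled") and t.get("multi_region") for t in trails):
        return []
    return [Finding("CLOUDTRAIL-MULTI-REGION", "account", "detective",
                    "no enabled multi-region CloudTrail trail")]


def evaluate(inventory: dict) -> list[Finding]:
    """Run every rule over the inventory and collect the findings."""
    findings = []
    for sg in inventory.get("security_groups", []):
        findings += check_security_group(sg)
    for bucket in inventory.get("buckets", []):
        findings += check_bucket(bucket)
    findings += check_trails(inventory.get("trails", []))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per control type, the shape a GRC report usually wants."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.control_type] = counts.get(f.control_type, 0) + 1
    return counts


# Constructed sample inventory: compliant resources alongside deliberate violations.
SAMPLE_INVENTORY = {
    "security_groups": [
        {"name": "web", "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
        {"name": "bastion", "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}]},
        {"name": "db", "ingress": [{"from_port": 5432, "to_port": 5432, "cidrs": ["10.0.0.0/8"]}]},
    ],
    "buckets": [
        {"name": "audit-logs", "sse_algorithm": "aws:kms",
         "public_access_block": dict.fromkeys(PAB_FLAGS, True)},
        {"name": "uploads",
         "public_access_block": {"block_public_acls": True, "ignore_public_acls": True}},
    ],
    "trails": [{"name": "us-east-1-only", "enabled": True, "multi_region": False}],
}

if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.control_type}] {f.rule_id} {f.resource}: {f.message}")
    print("summary:", summarize(results))
    sys.exit(1 if results else 0)   # non-zero exit makes the check a CI/CD gate
```

Run against the sample inventory, the script reports four findings (the bastion group open to the internet on port 22, the uploads bucket missing two public-access-block flags and encryption, and the absence of a multi-region trail) and exits non-zero. The same functions can be fed an inventory exported from a cloud API or parsed from infrastructure-as-code, which is the difference between running the check as a detective control against the live account and as a preventive control in the deployment pipeline.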
How Snyk can help with cloud compliance
Snyk IaC uses a unified policy as code engine to help teams develop, deploy, and operate safely in the cloud. Snyk IaC provides:
Guardrails for security and compliance across major cloud providers, to help teams adhere to policy at all times.
Continuous evaluation of your cloud environment, and infrastructure as code, for compliance with regulatory and internal security policies using real-time and historical reporting, packaged for security engineers and GRC teams.
Comprehensive, best-in-class cloud compliance right out of the box.
Coverage across major compliance standards: SOC 2, HIPAA, GDPR, PCI DSS, NIST 800-53, ISO 27001, CIS Benchmarks (for AWS, Azure, Google Cloud, Kubernetes, and Docker), and CSA Cloud Controls Matrix.
Want to dive a little deeper into compliance solutions? Read about The Importance of Policy as Code in Your Compliance Strategy.
Automate cloud compliance in your developers' workflows
Snyk automates cloud compliance checks and generates reports for executives and auditors.
Next in the series
SOC 2 Cloud Compliance Guide
What is SOC 2 and why is it important for your organization? Follow our steps to bring your cloud environments into SOC 2 compliance.