Achieving Cloud Data and Compliance: How You Can Make It Work
Published 07/19/2023
Originally published by Dig Security.
Written by Benny Rofman.
When it comes to sensitive data, the ‘wild west’ approach that characterized the early 2000s is long gone. Dozens of data protection frameworks have emerged amidst increased regulation and concerns over privacy, security, and identity theft. These frameworks create obligations for businesses, and violations can result in legal liability, fines, and higher insurance premiums. Hence, compliance has become a critical priority and an area of focus for engineering, security, and legal departments.
When it comes to the cloud, things get complicated. Compliance frameworks demand tight control and visibility over sensitive data, which can often be at odds with cloud adoption and data democratization. This article outlines several strategies to help bring cloud data under the compliance umbrella through culture, technology, and security practices.
Staying compliant is no easy task
Businesses that handle sensitive data need to comply with multiple complex frameworks that govern the way they handle, process, and secure this data. We have collected some examples in the table below (note that this is not meant to be a comprehensive summary):
Framework | Applies to | Data protection requirements
GDPR | Organizations processing personal data of EU residents | Data protection by design and default; obtain user consent for data collection and processing; provide users with the right to access, correct, and delete their data
HIPAA | Healthcare providers, health plans, and clearinghouses; organizations that handle or process protected health information (PHI) | Ensure the confidentiality, integrity, and availability of all electronic PHI created, received, or maintained; implement physical, technical, and administrative safeguards for PHI; limit access to PHI
SOC 2 | Service organizations (including SaaS companies) that store, process, or transmit customer data | Implement security, availability, processing integrity, confidentiality, and privacy controls; obtain an independent audit of controls and procedures
PCI DSS | Businesses that store, process, or transmit cardholder data | Securely store and transmit cardholder data using encryption and tokenization; implement strong access control measures, including authentication and authorization
A midsize or larger organization will unavoidably need to comply with several frameworks – either due to legislation (GDPR) or industry standards (SOC 2). For companies that operate in highly-regulated industries, the compliance overhead can easily be multiplied.
While compliance requirements have become more stringent, the cloud has made data protection more difficult. Digital data collection, decoupled storage and compute, and the trend of democratizing access to data all combine to encourage ‘data hoarding’ behaviors. Companies want to collect and indefinitely retain any data they can get their hands on, and it’s easier than ever to spin up new data services and move data between environments. This creates an ongoing operational challenge: understanding which sensitive data the company stores, where (and how) it is stored, and who has access to it at any given moment.
In the next sections, we’ll outline the key challenges in cloud data compliance, and suggest ways to overcome them.
Enforcing accountability in sprawling cloud environments
Responsibility over compliance is shared by multiple stakeholders. In most enterprises, there is a clear delineation:
- Compliance departments set and oversee the policies, alongside legal and risk.
- Cloud engineering and security teams are responsible for implementing the tools and technologies needed to comply with said policies.
- Data owners (business or engineering units) need to ensure their requirements for collecting and retaining data are realistic business needs.
- Data security and engineering teams need to modify or build data pipelines in order to avoid violations.
- HR is responsible for educating new employees on data protection policies.
The problem is that even though responsibilities are typically well-defined and clear, in practice they are difficult to enforce. Cloud data does not typically live in a single monolithic data warehouse, but rather is spread across a variety of purpose-oriented data stores – object storage, virtual machines, and managed services. Much of this infrastructure is managed by third parties, and cannot be monitored by agent-based solutions. Access to data has also been democratized, which means it is rarely managed exclusively by a centralized IT team. All these factors create ample opportunities for non-compliance, and make effective enforcement and monitoring nearly impossible.
Companies should build robust, technology-enabled processes to increase visibility over cloud data. Security and compliance teams need to have a single place where they can monitor all sensitive data assets, identify risk exposure, and map required controls (such as encryption or anonymization) to the relevant framework. Data flows between environments and storage locations should be clearly understood in order to identify all compliance-related assets and the relevant data owners, and to swiftly remediate violations.
Addressing the human factor – education and automation
Compliance efforts often get sidelined by cultural issues and misaligned incentives. The people working with data – business analysts, executives, or engineers – want to use data to increase productivity or unlock new revenue opportunities. Compliance is not part of their job description.
There are few rewards for reporting a policy violation – in fact, it might entail further headaches in the form of audits, investigations, debriefs, and finger-pointing. Employees (who aren’t security professionals) might turn a blind eye to non-compliant practices, justified by the need to get the job done and not be held back by red tape.
Businesses need to continuously engage and educate stakeholders to encourage a culture of transparency. This can be achieved through regular training sessions, workshops, and open communication channels, including anonymous ones. Employees need to understand that there is no penalty for reporting a violation, even if this results in deadlines being pushed.
At the same time, CISOs should explore automation that removes dependency on the human factor. Security teams should be able to detect and classify sensitive data in any cloud data store that’s managed by the business – including shadow data assets, which tend to go under the radar. While this will not remove the need for education and oversight, it can simplify the ability to identify violations and delegate tasks to data owners, while minimizing reliance on the good will of employees.
Confronting the complexity of cloud environments
The proliferation of cloud services, infrastructures, and platforms makes it difficult to maintain visibility and control over sensitive data. It’s common for modern enterprises to rely on multiple public cloud providers for different analytical use cases. Even a relatively small company might run its marketing analytics in Google BigQuery, its customer-facing dashboards in Snowflake, and use Amazon’s S3 and Athena to analyze system logs. Data regularly flows between services, including sensitive data that needs to comply with residency, access control, or other compliance requirements.
And this is still a simple scenario: things get considerably messier when you add microservices, containers, and ephemeral databases spun up on virtual machines. It’s very easy for non-compliant data or misconfigurations to ‘hide’ in this intricate web of storage, analytics, and data processing tools.
In order to achieve continuous data compliance, organizations need cybersecurity solutions that are focused on data. Data loss prevention solutions need to adapt to the realities of the cloud to provide agentless, context-aware, and timely protection of sensitive data assets – while cutting through the inherent complexity and data sprawl that comes with the use of cloud services.
Preventing compliance violations and protecting sensitive data with DSPM and DDR
Data security posture management, along with data detection and response solutions, play a key role in protecting sensitive data, ensuring compliance requirements are met on an ongoing basis, and preventing data breach incidents. In this section, we’ll explain how you can use these tools as part of your compliance strategy.
Classify your data
Use DSPM to automate data discovery and classification in order to gain a comprehensive, up-to-date understanding of your sensitive data landscape.
- Identify any cloud database or blob storage location that contains sensitive data
- Track data as it moves between storage, processing, and analytics services
- Inventory all sensitive data assets, including structured and unstructured data
- Map data assets to relevant compliance standards or controls, and determine which data assets fall under specific regulations (e.g., GDPR, HIPAA, or PCI DSS)
- Identify the controls that apply to each data asset, such as encryption, access control, or data retention policies. For example, GDPR requires you to identify and protect personally identifiable information (PII); PCI DSS sets specific requirements for payment cards.
Prevent misconfigurations that can affect compliance
Misconfigurations are a common cause of security vulnerabilities and compliance breaches in cloud environments. However, security teams are already overwhelmed, and chasing every misconfiguration across hundreds of cloud data stores is unrealistic. DSPM allows you to narrow your focus to sensitive data that can pose a compliance risk.
- See who has access to compliance-related data and remove unneeded permissions. You want to implement strong access control policies and ensure that access to sensitive data is granted on a need-to-know basis, following the principle of least privilege.
- Find unencrypted data: various frameworks, including the CCPA, require businesses to encrypt sensitive data in transit and at rest. DSPM tools can highlight unencrypted data stores.
- Monitor for configuration changes: use real-time data detection and response (DDR) to get alerts when sensitive data is exposed through a change in permission, encryption, or replication settings.
Respond to compliance incidents on time
Compliance isn't just about passing an audit. You want to maintain a proactive approach and address issues when they arise: longer periods of non-compliance (e.g. between audits) increase risks and potential liabilities. Remediating violations and incidents in real time minimizes the length of non-compliant periods, reduces the potential for data breaches, preserves customer trust, and helps avoid hefty fines. Data detection and response capabilities allow you to tackle the most important policy violations promptly and effectively.
- Monitor sensitive data in real time: DDR allows businesses to detect unauthorized access, changes to access controls, or data exposure. For example, data might be moved from a production environment within the EU to a dev environment outside of the EU – violating GDPR data residency requirements. Real-time monitoring enables security teams to respond quickly and mitigate the risk before it turns into a major incident.
- Streamline incident response: DDR solutions allow organizations to prioritize incidents based on their risk level and automatically generate alerts for high-priority events. This ensures that security teams can focus on the most critical incidents and mitigate them in a timely manner.
- Automate remediation flows by integrating your DDR alerts into SIEM and SOAR platforms.
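As an added illustration (not code from the original article or from Dig Security), the Python below sketches the three steps above over a constructed inventory: classify a store by the sensitive data types found in sampled records, map each type to a framework, and flag the configuration gaps the sections list (missing encryption, public read access, GDPR data held outside EU regions). The detectors, the "eu-" region rule and the store fields are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed inventory entry for a cloud data store (sample values, not real assets).
@dataclass
class DataStore:
    name: str
    region: str            # cloud region, e.g. "eu-west-1"
    encrypted: bool        # encryption at rest enabled?
    readers: frozenset     # principals granted read access
    samples: tuple         # records sampled during discovery

# Detectors for sensitive data types, each mapped to the framework it falls under.
# Patterns are deliberately simplified for illustration, not production classifiers.
DETECTORS = {
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "GDPR"),
    "card_number": (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "PCI DSS"),
    "medical_record": (re.compile(r"\bMRN-\d{6}\b"), "HIPAA"),
}
EU_REGION_PREFIX = "eu-"   # assumption: GDPR-scoped data must stay in EU regions

def classify(store):
    """Discovery and classification: which frameworks apply to this store."""
    frameworks = set()
    for pattern, framework in DETECTORS.values():
        if any(pattern.search(record) for record in store.samples):
            frameworks.add(framework)
    return frameworks

def evaluate(store):
    """Posture checks for the controls discussed: encryption, access, residency."""
    frameworks = classify(store)
    findings = []
    if not frameworks:
        return findings            # no sensitive data found: nothing to enforce here
    if not store.encrypted:
        findings.append("unencrypted-at-rest")
    if "*" in store.readers:       # wildcard/public read grant breaks least privilege
        findings.append("public-read")
    if "GDPR" in frameworks and not store.region.startswith(EU_REGION_PREFIX):
        findings.append("gdpr-residency")
    return findings

if __name__ == "__main__":
    # Constructed example: a dev copy of EU customer data landed in a US region.
    dev_copy = DataStore("customers-dev-copy", "us-east-1", False,
                         frozenset({"role/dev", "*"}), ("alice@example.com",))
    print(dev_copy.name, classify(dev_copy), evaluate(dev_copy))
```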