Cloud Compliance

Learn how to maintain the speed of cloud operations in the face of regulatory complexities.

Rapid7 Cloud Risk Complete

What is cloud compliance?

Cloud compliance – or cloud security compliance – is the process of ensuring that cloud environments, and the operations that take place within them, adhere to the specific regulatory standards affecting the industry in which a business operates. There are typically a number of cloud compliance standards to which a business must align, and it is incumbent upon security compliance personnel to configure and use cloud services in a way that complies with the applicable directives contained within the Cloud Security Alliance Cloud Controls Matrix (CSA CCM).

According to the Cloud Security Alliance, “the CCM can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.” Therefore, depending on the industry a company is engaged in, there are powerful pre-existing frameworks teams can follow to ensure they stay compliant as the majority of their operations move into the cloud.

Automating cloud compliance wherever possible is necessary in today’s environments, especially in heavily regulated sectors like healthcare, financial services, and energy. Worthwhile cloud compliance tools should be able to detect compliance drift from the specified organizational standards and quickly reset environments to an overall “state of good.” This not only saves time and money, but can lower the chances of running afoul of regulatory bodies.

Common Cloud Regulations and Standards

From state/territory-specific to nationally recognized compliance standards affecting multiple industries, there are many legally required – and some heavily suggested – regulatory frameworks out there. Let’s take a look at some of the more commonly known standards to which a wide swath of global commerce must adhere:

Center for Internet Security (CIS) Benchmarks

These benchmarks are created by the Center for Internet Security (CIS), a not-for-profit organization that helps organizations improve their security and compliance programs. The CIS aims to create community-developed security configuration baselines, or CIS Benchmarks, for IT and security products. The benchmarks span applications, cloud-computing platforms, operating systems, and much more.

General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) requires the protection of the personal data of EU citizens, regardless of the geographic location of the organization or the data. This includes technical and organizational measures that are regularly updated to ensure the level of security is appropriate to the current level of risk.

Federal Risk and Authorization Management Program (FedRAMP)

The Federal Risk and Authorization Management Program (FedRAMP) is a US federal government initiative that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP’s aim is for companies to leverage modern cloud solutions and technologies safely and securely – particularly where federal information is involved.

Service and Organization Controls (SOC) 2 Reporting

This standard comes from the American Institute of Certified Public Accountants (AICPA), and defines reporting guidelines for how businesses should manage customer data. These reports can help organizations manage vendor supply chains, implement risk management processes, and more. They are aimed at a wide swath of stakeholders and should contain digestible, standardized language.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) requires businesses that handle patient medical records and other protected health information (PHI) to effectively safeguard that information against security breaches. The HIPAA Security Rule details the administrative, technical, and physical controls for electronic PHI (ePHI). Due to the sensitive nature of the data the standard covers, the US government required compliance with the Security Rule in 2005. Of particular note, HIPAA Part 2 was issued in 2022 and essentially protects “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”

ISO / IEC 27001

ISO / IEC 27001 is a cloud security compliance management standard jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO / IEC 27001 specifies security management best practices and comprehensive security controls for information security management systems. It is an optional standard that some organizations choose to implement, both to benefit from the best practices it contains and to reassure customers that a comprehensive risk management solution is in place.

Taking that last point a step further, it’s often a good idea for an organization to take a compliance program beyond what’s required, instituting additional measures specific to its business needs and unique environment. Building these types of custom guidelines to overlay onto existing compliance programs is a proactive measure that will yield benefits beyond simply remaining compliant with the required regulations.

Challenges of Cloud Compliance

Things have changed from the days when cloud operations were novel and no one understood the complexity of tuning those operations to their specific organization or remaining in compliance with the regulatory standards of the day. However, there are complexities to be aware of that come with the many benefits of a move to cloud operations.

Poor Data Visibility

As an organization undergoes a “great transformation” into cloud operations, a key challenge is a lack of unified visibility across its environments. This issue can and does also extend to human users, as far as keeping track of who has access to data, where they can access it, and how often they do so.

Greater Odds of a Breach

Cloud breaches are most commonly caused by misconfigurations. Gartner has even noted that 95% of cybersecurity breaches are caused by cloud configuration errors. Some are caused by humans, others happen because there is an assumption that defaults in the platform will catch issues, and still others come from the desire to make resources easier to access. Organizations must implement controls to prevent, or detect and remediate, these errors to avoid a data breach.

Certification and Attestation

Typically, third-party auditors must attest to the controls an organization has put in place that help it align with certain regulatory standards. When required, organizations must provide letters of attestation from those third parties that validate secure cloud operations practices, as well as certifications that they meet certain sector-specific regulatory standards. Certifications are typically good for several years, while attestations speak more to the continuous and ongoing nature of compliance.

Cloud Complexity

Accelerating into the cloud without caution often brings complexities that can cause more harm than good. Cloud environments are extremely ephemeral, while legacy/on-prem systems are much less so. When an organization accelerates into the cloud, it often doesn’t know exactly what to do with those legacy systems, but they still need to be managed. This is where things can get tricky for a DevOps team. Making things even more complex are exemptions – a resource or workload that is exempt from a given standard. The lack of a mechanism to exempt a resource can lead to many false positives that could cause unwanted and costly disruptions.
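The two mechanisms described above, detecting drift from an organizational standard and resetting resources to a known-good state, and recording exemptions so that known-acceptable deviations do not surface as false positives, are shown together in the following added example. It is not code from the page or from Rapid7; the inventory, the rule identifiers (STOR-01 and so on), the field names and the exemption records are all constructed for illustration and do not correspond to any cloud provider's API.

```python
"""Compliance-drift check with time-limited resource exemptions.

Constructed example: INVENTORY is what a scanner might export about each
resource, RULES are the organizational standard, EXEMPTIONS are approved
deviations. Field names and rule ids are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple

Resource = Dict[str, object]
AS_OF = date(2024, 6, 1)  # constructed "today" so results are reproducible


@dataclass(frozen=True)
class Rule:
    rule_id: str
    applies_to: str                        # resource "type", or "*" for all
    description: str
    passes: Callable[[Resource], bool]     # True when the resource complies
    fix: Callable[[Resource], Resource]    # settings to reset to the baseline


def _drop_open_ingress(r: Resource) -> Resource:
    return {"ingress": [c for c in r["ingress"] if c != "0.0.0.0/0"]}


RULES: List[Rule] = [
    Rule("STOR-01", "storage", "Storage must not be publicly readable",
         lambda r: not r["public"], lambda r: {"public": False}),
    Rule("ENC-01", "*", "Data at rest must be encrypted",
         lambda r: r["encryption"] != "none",
         lambda r: {"encryption": "provider-managed"}),
    Rule("LOG-01", "*", "Access logging must be enabled",
         lambda r: bool(r["logging"]), lambda r: {"logging": True}),
    Rule("NET-01", "database", "No database ingress from 0.0.0.0/0",
         lambda r: "0.0.0.0/0" not in r["ingress"], _drop_open_ingress),
]

# Constructed inventory snapshot.
INVENTORY: List[Resource] = [
    {"id": "bucket-prod-logs", "type": "storage", "public": False,
     "encryption": "provider-managed", "logging": True},
    {"id": "bucket-marketing-site", "type": "storage", "public": True,
     "encryption": "provider-managed", "logging": True},
    {"id": "bucket-ml-scratch", "type": "storage", "public": False,
     "encryption": "none", "logging": False},
    {"id": "db-customer", "type": "database", "ingress": ["10.0.0.0/8"],
     "encryption": "customer-managed", "logging": True},
    {"id": "db-legacy-erp", "type": "database", "ingress": ["0.0.0.0/0"],
     "encryption": "provider-managed", "logging": True},
]

# Constructed exemptions: every one names an owner, a reason and an expiry.
EXEMPTIONS = [
    {"resource": "bucket-marketing-site", "rule": "STOR-01",
     "reason": "public website assets", "owner": "web-team",
     "expires": date(2099, 1, 1)},
    {"resource": "db-legacy-erp", "rule": "NET-01",
     "reason": "migration window", "owner": "erp-team",
     "expires": date(2023, 1, 1)},   # expired: must no longer suppress
]


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule_id: str
    status: str   # "open" or "exempt"


def is_exempt(resource_id: str, rule_id: str, exemptions, today: date) -> bool:
    """An exemption only counts while it is unexpired."""
    return any(e["resource"] == resource_id and e["rule"] == rule_id
               and e["expires"] >= today for e in exemptions)


def evaluate(inventory, rules=RULES, exemptions=EXEMPTIONS,
             today: date = AS_OF) -> Tuple[List[Finding], Dict[str, Resource]]:
    """Return all findings plus a per-resource plan of settings to reset."""
    findings: List[Finding] = []
    plan: Dict[str, Resource] = {}
    for r in inventory:
        for rule in rules:
            if rule.applies_to not in ("*", r["type"]) or rule.passes(r):
                continue
            if is_exempt(r["id"], rule.rule_id, exemptions, today):
                findings.append(Finding(r["id"], rule.rule_id, "exempt"))
                continue
            findings.append(Finding(r["id"], rule.rule_id, "open"))
            plan.setdefault(r["id"], {}).update(rule.fix(r))
    return findings, plan


def remediate(inventory, plan) -> List[Resource]:
    """Apply the plan, returning a new inventory in the 'state of good'."""
    return [{**r, **plan.get(r["id"], {})} for r in inventory]


def open_findings(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.status == "open"]


if __name__ == "__main__":
    found, todo = evaluate(INVENTORY)
    for f in found:
        print(f"{f.status:6} {f.resource_id:22} {f.rule_id}")
    print("remediation plan:", todo)
    print("open after remediation:", open_findings(evaluate(remediate(INVENTORY, todo))[0]))
```

The expired exemption on the legacy database is the point of the example: an exemption record that carries no expiry, or one that is never re-checked, quietly turns a temporary migration allowance into a permanent open-ingress database. Keeping the exemption list under the same change control as the rules themselves is what makes the "exempt" status auditable rather than a blind spot.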

Cloud Compliance Best Practices

Let’s now take a look at some best practices and overall good hygiene that can counteract some of the bigger challenges in aligning to regulatory standards and maintaining compliance in the cloud.

Encryption

Data encryption transforms the original format of the data into something that is unreadable. Services such as Google Cloud Platform (GCP) always automatically encrypt customer data after it is received, but before it is written to disk and actually stored. Another example is that of credential encryption by cloud security providers; there are often several layers of decryption that must occur before those credentials can be used.

Principle of Least Privilege

Speaking of credentials, the principle of least privilege access (LPA) ensures that access is granted only to the humans or programs that absolutely need it to work on a specific task in the cloud. Solutions leveraging LPA will typically employ automation to tighten or loosen permissions based on the user’s role.
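The automation the paragraph describes, tightening permissions to what a role actually needs, can be made concrete with an added example of the kind below. It is not code from the page or from any vendor: it lints a constructed, over-broad policy written in AWS IAM policy-document syntax for wildcard grants, and derives a least-privilege replacement from a constructed list of the actions a principal was observed using. The principal names, the bucket and table ARNs and the account number are all constructed sample values.

```python
"""Wildcard linting and usage-based tightening of an IAM-style policy.

Constructed example. BROAD_POLICY and ACTIVITY are sample data in the shape
of an AWS IAM policy document and a simplified per-call activity record;
the principals, ARNs and account id are made up.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed over-broad policy: wildcards in both Action and Resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:*"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},  # deny: fine
    ],
}

# Constructed 90-day observation of which actions each principal used.
ACTIVITY = [
    {"principal": "role/order-service", "action": "s3:GetObject",
     "resource": "arn:aws:s3:::orders-bucket/*"},
    {"principal": "role/order-service", "action": "s3:PutObject",
     "resource": "arn:aws:s3:::orders-bucket/*"},
    {"principal": "role/order-service", "action": "dynamodb:GetItem",
     "resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    {"principal": "role/order-service", "action": "dynamodb:GetItem",
     "resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    {"principal": "role/reporting", "action": "s3:ListBucket",
     "resource": "arn:aws:s3:::orders-bucket"},
]


def _as_list(value) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcards(policy: dict) -> List[Tuple[int, str, str]]:
    """Flag Allow statements granting '*' or 'service:*' actions or '*' resources."""
    flagged = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue  # a wildcard Deny narrows access; it is not a finding
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                flagged.append((i, "Action", action))
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                flagged.append((i, "Resource", resource))
    return flagged


def least_privilege_policy(activity: List[dict], principal: str) -> dict:
    """Build a policy that grants exactly the (action, resource) pairs observed."""
    by_resource: Dict[str, set] = defaultdict(set)
    for rec in activity:
        if rec["principal"] == principal:
            by_resource[rec["resource"]].add(rec["action"])
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": res}
                  for res, actions in sorted(by_resource.items())]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    for idx, field, value in find_wildcards(BROAD_POLICY):
        print(f"statement {idx}: wildcard in {field}: {value}")
    print(json.dumps(least_privilege_policy(ACTIVITY, "role/order-service"), indent=2))
```

Usage-derived policies carry a caveat of their own: an action that is legitimate but was not exercised during the observation window (a quarterly job, a disaster-recovery path) will be dropped, so the generated policy is a proposal for review and staged rollout, not something to apply blindly.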

Zero Trust

Implementing zero trust is a handy way to help keep a cloud environment ultra secure. Every person, endpoint, mobile device, server, network component, network connection, application workload, business process, and data flow is inherently untrusted. Each must be continuously authenticated and authorized as every transaction is performed, and all actions must be auditable in real time and after the fact.
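The per-transaction decision the paragraph calls for (authenticate the caller, check the device, authorize the specific action, and record the outcome so it can be audited afterwards) is shown in the following added example, which is not code from the page or from any product. The HMAC-signed token stands in for a token issued by an identity provider, the device table for an endpoint-management posture feed, and the policy set for a policy engine; the key, subjects, device names and resources are constructed.

```python
"""Per-transaction zero-trust authorization with a tamper-evident audit log.

Constructed example: TOKEN_KEY, DEVICES and POLICY are stand-ins for an
identity provider, a device-posture feed and a policy engine.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

TOKEN_KEY = b"constructed-demo-key"   # in practice held by the IdP / a KMS
GENESIS = "0" * 64                     # previous-hash value for the first entry

# Constructed device posture feed and (subject, action, resource) grants.
DEVICES = {"laptop-42": {"managed": True, "disk_encrypted": True},
           "byod-7": {"managed": False, "disk_encrypted": False}}
POLICY = {("alice", "read", "db-customer"),
          ("alice", "write", "bucket-prod-logs")}


def issue_token(subject: str, device: str, expires: int) -> str:
    """Mint a short-lived token binding a subject to a device (IdP stand-in)."""
    payload = json.dumps({"sub": subject, "dev": device, "exp": expires},
                         sort_keys=True)
    mac = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the MAC matches and the token is unexpired."""
    payload, _, mac = token.rpartition(".")
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] > now else None


class AuditLog:
    """Append-only log where each entry commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: List[dict] = []
        self.last_hash = GENESIS

    @staticmethod
    def _digest(entry: dict) -> str:
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def append(self, record: dict) -> None:
        entry = {**record, "prev": self.last_hash}
        self.last_hash = self._digest(entry)
        self.entries.append(entry)

    def verify_chain(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            prev = self._digest(entry)
        return prev == self.last_hash


def authorize(token: str, action: str, resource: str, now: int,
              log: AuditLog) -> Tuple[bool, str]:
    """Decide one transaction; every decision, allowed or not, is logged."""
    claims = verify_token(token, now)
    if claims is None:
        allowed, reason = False, "token invalid or expired"
    else:
        posture = DEVICES.get(claims["dev"], {})
        if not (posture.get("managed") and posture.get("disk_encrypted")):
            allowed, reason = False, "device posture non-compliant"
        elif (claims["sub"], action, resource) not in POLICY:
            allowed, reason = False, "no policy grants this action"
        else:
            allowed, reason = True, "policy match"
    log.append({"time": now, "sub": claims["sub"] if claims else None,
                "action": action, "resource": resource,
                "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    audit = AuditLog()
    tok = issue_token("alice", "laptop-42", expires=2000)
    print(authorize(tok, "read", "db-customer", now=1000, log=audit))
    print(authorize(tok, "read", "db-customer", now=3000, log=audit))
    print("audit chain intact:", audit.verify_chain())
```

Two design points carry the zero-trust idea: the token binds the subject to a device, so a valid credential on an unmanaged device is still refused, and denials are logged with the same rigor as approvals, because the "after the fact" audit is what lets an investigator reconstruct who tried what, not only who succeeded.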

Well-Architected Framework

The principle of a well-architected framework in cloud operations essentially contends that there should be an agreed-upon approach for stakeholders to implement and evaluate a cloud architecture that best suits their business needs and priorities. The AWS Well-Architected Framework is perhaps the most well-known example of this principle, and enables customers to identify high-risk issues.

Read More About Cloud Security &amp; Compliance

2022 Cloud Misconfigurations Report: Latest Cloud Security Breaches and Attack Trends
