What is Cloud Compliance?
Cloud compliance means complying with various laws and regulations that affect how you use and store data in cloud infrastructure. This covers any data protection laws that the organization is subject to. Major regulations include:
- The Personal Data Protection Act (PDPA), for organizations in Singapore
- General Data Protection Regulation (GDPR), for organizations that process data from EU citizens
It also covers different regulatory requirements depending on the industry the customer belongs to. For instance, healthcare institutions must comply with the Health Insurance Portability and Accountability Act (HIPAA), while businesses handling credit or debit card payments need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS)
Finally, cloud compliance also covers cybersecurity frameworks that state best practices your organization can implement. Some examples of these best practice frameworks include:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework, which provides guidelines for US-based organizations in securing data and infrastructure.
- The Monetary Authority of Singapore-Technology Risk Management (MAS-TRM), similar to NIST and applicable to Singapore-based organizations
- Center of Internet Security (CIS) Benchmarks, an open source, consensus-based guidelines that provide a baseline for assessing your security posture
The Cost of Non-Compliance
By migrating to the cloud, you’re handing off at least some control of your data to your chosen Cloud Service Provider (CSP). While the CSP provides some basic security measures to protect your data, the responsibility for making sure your organization remains compliant solely falls on you.
Non-compliance contains a hefty price tag. This especially applies to highly regulated industries like finance and healthcare.
A report released jointly by Ponemon Institute and GlobalScape states that fines and other payments arising from non-compliance is as much as 2.71 times costlier than the average cost of compliance.
What are the costs of non-compliance?
- Business disruption: Regulatory bodies can force institutions to comply with regulations first before resuming operations.
- Revenue and Productivity Loss: Every day a business ceases to operate leads to money being lost.
- Breach of Trust: Customers don’t want to deal with non-compliant businesses.
- High Fines: Non-compliance can subject businesses to hefty fines. For example, non-compliance with HIPAA can result in fines of up to US$250,000 and 10 years imprisonment.
Creating Your Cloud Compliance Policy
With so many regulations and laws to comply with, it can get complicated for organizations to know how to start. But when it comes to cloud compliance, having something in place is better than nothing.
Here are some things to keep in mind when forming your compliance policy:
- Start with policies you already have in place. This gives you a concrete base on where to start.
- Be consistent. You policy must be aligned with what your organization really practices. Policies that nobody follows is worse than having no policy at all.
- Craft your policy with scaling in mind. Expound on the thought process behind the policy and set a reasonable cadence for evaluation.
- Share responsibilities across multiple business functions whenever possible. This shows that compliance is everyone’s responsibility.
- Consider any laws your organization is subject to. Make sure to craft your compliance policy with these in mind first.
- Next, continue with regulations that your industry needs to comply with. This especially applies if you’re in a highly regulated industry.
Choosing the Right Cybersecurity Framework
An established standard like the CIS Benchmarks is a great starting point for forming your policy. The Center for Internet Security (CIS) is an independent nonprofit providing best practices that help ensure security of cloud infrastructure and the data residing within it.
Why do we consider CIS Benchmarks as a good starting point?
- Open-Source: Anyone can access the CIS Benchmarks and use them as basis to create security policies.
- Consensus-based: All benchmarks form after a consensus among hundreds of security professionals worldwide.
- Widely accepted: CIS benchmarks are widely accepted in various industries in government, academics, and business.
- Tailored: CIS benchmarks cover most major platforms, including Amazon Web Services (AWS). They explain the implications of non-compliance and contain remediation steps to ensure that you stay compliant.
When it comes to keeping on top of cloud compliance, there’s no need to reinvent the wheel. The right cloud security solutions can assess your compliance standing and tell how much work is cut out for you.
When the time comes to actually start getting serious on crafting your policies, don’t hesitate to ask help from cybersecurity experts to get you going. Remember that non-compliance costs so much more than the cost you need to invest on cloud compliance.