Locking down your cloud, part 3: Taking compliance beyond the basics
September 23, 2013
In Parts I and II of this series, we talked about performance and security as vital components of a successful cloud infrastructure – as well as best practices to build the most secure, high-performing environment possible. This probably wasn’t a surprise to anyone, since the need for each is obvious. Without a secure cloud, businesses can’t guarantee the safety of their data; without performance, neither businesses nor their customers will get the speed, scalability, access and end-user experience they want.
Yet when it comes to compliance, many businesses treat it as nothing more than a checkbox they need to complete. This can be especially true of healthcare, finance and ecommerce businesses: as long as they meet the minimum Payment Card Industry Data Security Standard (PCI DSS) or HIPAA requirements, they reason they’re safe.
While this thinking is understandable, most of these IT decision makers fail to realize that compliance standards don’t reflect the unique circumstances and requirements that vary from company to company and industry to industry. Blindly following the recommended standards often means enacting the bare minimum of security needed to achieve compliance – and that nets out to minimum protection.
What we need to keep in mind is that compliance is the demonstration that your security program meets the requirements set forth in the regulations you are subject to. Compliance is important and should certainly be an input to the design of your security program, but it should not be its primary driver. If you instead base your security program on a thorough risk assessment of your environment and implement industry-standard controls from frameworks such as NIST SP 800-53 and ISO 27001 to mitigate the risks you find, you will very likely exceed most regulatory compliance requirements as a by-product.
Demonstrating compliance can be a difficult and especially time-consuming process even with a solid security program in place. It is harder still when you rely on vendors and third parties for key services, so take special care in assessing your cloud provider’s compliance standards and processes. Working with a vendor that provides clear, usable information about its compliance posture relieves you of much of the validation burden for those services, and helps you avoid a compliance disaster and its ramifications: customer loss, brand reputation damage and high fines from the bodies that enforce standards such as PCI DSS and HIPAA.
For instance, a survey last year found that many healthcare providers skip some critical best practices when evaluating third parties’ security. Among the 250 organizations polled by HIMSS:
- * Only 56 percent require vendors that hold sensitive medical data to conduct periodic risk assessments
- * Just 56 percent require proof of employee background checks from third parties, and
- * Only 50 percent require third parties to verify that their employees have received proper security training.
To keep information safe, these and other security measures should be part of the criteria to evaluate potential vendors.
Also, when contracting with third parties, it’s critical to closely analyze vendor contracts to ensure those organizations will be held accountable for protecting patients’ medical information and other sensitive data.
Stay on Top of Your Systems
Does all of this sound like another expenditure and responsibility you’d rather not have? Think of it this way: thorough compliance will ultimately save you money when compared to the costs, headaches and brand damage of a significant breach. To make sure you’re truly compliant, be diligent about the following systemic checks:
- * Logs should be reviewed daily. They provide a quick and simple way to spot possible issues and abnormalities and resolve them before they get serious. You should also implement log correlation across sources (for example, matching authentication failures on one system against successes on another), which surfaces anomalies that a review of any single log would miss.
- * Vulnerability scanning should be done at least monthly, and after any significant change to the environment, to confirm that your vulnerability management program is working as intended. This step alone can diminish the likelihood of detrimental, costly attacks.
- * Patching is mandatory when it comes to the cloud. Why? Because it closes the most common avenues of compromise. Run a monthly cycle, be thorough about it and remember to patch ALL of your applications, plug-ins, etc., not just the operating system. Treat monthly as the outer bound: critical fixes for exposed systems should not wait for the next cycle.
- * Once a quarter, review the access lists for your critical assets. This task is easy to overlook, but it ensures that authorized users have access appropriate to their function and that accounts belonging to departed staff or contractors have been removed.
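The log review and access review items above both come down to comparing data from different places. The following script is an added example, not code from the article or from FireHost: it correlates a constructed sshd log with a constructed application audit log, and flags (a) a burst of failed logins for an account followed by a successful login for that account on any system, and (b) successful logins by accounts that are not on the approved-access list produced by the quarterly review. The log formats, host names, account names and the `APPROVED_ACCOUNTS` set are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the article). Two sources: sshd on a
# bastion host and a hypothetical application audit log named "portal".
SSHD_LOG = """\
2013-09-20T02:14:05 bastion sshd[4021]: Failed password for dbadmin from 203.0.113.7 port 51022 ssh2
2013-09-20T02:14:09 bastion sshd[4021]: Failed password for dbadmin from 203.0.113.7 port 51023 ssh2
2013-09-20T02:14:13 bastion sshd[4021]: Failed password for dbadmin from 203.0.113.7 port 51024 ssh2
2013-09-20T02:14:20 bastion sshd[4021]: Failed password for dbadmin from 203.0.113.7 port 51025 ssh2
2013-09-20T02:14:27 bastion sshd[4021]: Failed password for dbadmin from 203.0.113.7 port 51026 ssh2
2013-09-20T09:01:44 bastion sshd[5120]: Accepted publickey for ops from 198.51.100.5 port 40100 ssh2
"""

APP_LOG = """\
2013-09-20T02:16:02 app01 portal: LOGIN_OK user=dbadmin src=198.51.100.23
2013-09-20T09:05:10 app01 portal: LOGIN_OK user=ops src=198.51.100.5
2013-09-20T11:30:00 app01 portal: LOGIN_OK user=jsmith src=198.51.100.77
"""

# Assumed output of the quarterly access review: accounts still approved for
# this system. "jsmith" is deliberately absent to show the stale-account case.
APPROVED_ACCOUNTS = {"dbadmin", "ops"}

SSHD_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed password|Accepted \w+) for (?:invalid user )?(\S+) from (\S+)"
)
APP_RE = re.compile(r"^(\S+) \S+ portal: (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)")


def parse_events(text, source):
    """Normalise one log source into (timestamp, source, user, ip, success) tuples."""
    regex = SSHD_RE if source == "sshd" else APP_RE
    events = []
    for line in text.splitlines():
        m = regex.match(line)
        if not m:
            continue  # unrelated log lines are ignored
        ts, outcome, user, ip = m.groups()
        success = outcome.startswith("Accepted") or outcome == "LOGIN_OK"
        events.append((datetime.fromisoformat(ts), source, user, ip, success))
    return events


def correlate(events, approved, window=timedelta(minutes=10), threshold=5):
    """Cross-source correlation over normalised events.

    Flags a successful login that follows at least `threshold` failures for the
    same account within `window`, regardless of which system recorded the
    failures, and any successful login by an account outside `approved`.
    Returns a list of (alert_type, user, source, ip, timestamp) tuples.
    """
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events):  # chronological order; tuples sort by timestamp first
        by_user[ev[2]].append(ev)
    for user, evs in by_user.items():
        for ts, source, _, ip, success in evs:
            if not success:
                continue
            if user not in approved:
                alerts.append(("unapproved_login", user, source, ip, ts))
            recent_failures = [e for e in evs if not e[4] and ts - window <= e[0] < ts]
            if len(recent_failures) >= threshold:
                alerts.append(("bruteforce_then_success", user, source, ip, ts))
    return alerts


def run_report():
    """Parse both constructed logs and return the correlated alerts."""
    events = parse_events(SSHD_LOG, "sshd") + parse_events(APP_LOG, "portal")
    return correlate(events, APPROVED_ACCOUNTS)


if __name__ == "__main__":
    for alert_type, user, source, ip, ts in run_report():
        print(f"{ts.isoformat()} {alert_type}: user={user} via {source} from {ip}")
```

Reviewed on its own, the portal log shows three ordinary successful logins; only by joining it with the sshd failures does the `dbadmin` login two minutes after a password-guessing burst stand out, and only by joining it with the access review does the `jsmith` login show up as an account that should no longer exist.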
Open a Dialogue with Your Providers
If you partner with a cloud provider, it’s tempting to leave the work to them. But if you don’t take an active role, how will you know whether their capabilities fully meet your needs? Start a conversation with your service provider about their controls and security program. Answers to the following questions should enlighten you and help you sleep better at night, or let you know what needs to be tended to:
- * Can your cloud service provider show you internal documentation that validates their review process?
- * Can they provide regular documentation showing that they are meeting your compliance requirements, and that they monitor those requirements on an ongoing basis?
- * Can they offer detailed third-party attestations of their controls and security program (for example, an ISO 27001 certificate, a PCI DSS Attestation of Compliance or a SOC report), and does the scope of those attestations actually cover the services you are purchasing from them?
- * What is their response plan in the event of a security breach?
- * How often do they conduct internal and external audits?
Don’t be afraid to ask your provider any of these questions. A good cloud provider will be completely transparent and give you clear answers to any and all questions posed.
Plan for Change
Compliance standards are dynamic, complex, and variable by industry and company characteristics. Whether you handle regulated healthcare data, payment card information or something else, you must be proactive and methodical in tracking the documentation of HIPAA, PCI DSS, and so on. These documents are revised periodically: PCI DSS publishes new versions and supplementary guidance on a multi-year cycle, and HIPAA’s rules were amended by the 2013 Omnibus Rule. Remember that cloud technologies themselves evolve in the blink of an eye; whether it’s a new development in mobile or networking, standards bodies adjust their requirements to reflect emerging best practices, usually after the fact, so your program should not wait for the standard to catch up.
At the end of the day, there’s no way around it: attaining and maintaining compliance certifications involves significant work. This isn’t an area where you can take shortcuts or procrastinate; it’s not uncommon for companies to dedicate staff to running the right checks and monitoring their vendors and infrastructure. In the end, you’ll be glad you did. By going beyond the compliance basics, you’ll enjoy smoother audits, protect your sensitive data and know your business will thrive with fewer compliance disasters.
Kurt Hagerman, Director of Information Security
As the director of information security at FireHost, Kurt Hagerman oversees all compliance-related and security initiatives. Hagerman is responsible for helping FireHost attain ISO, PCI, HIPAA and other certifications, which allows FireHost customers to more easily achieve the necessary compliance for their own businesses. His position further includes merging information security and compliance into one organization, and enacting a strong security program in which levels of compliance are by-products.