The cloud provides increased flexibility for businesses in today’s digital world, but the transition to cloud services has changed the nature of security. Old rules based on trusted on-premises perimeters are no longer relevant, and security teams must apply new standards to ensure compliance with data regulations and security best practices. This is where cloud security frameworks come in. Simply put, a cloud security framework provides guidelines for security in the cloud. These frameworks offer a roadmap for organizations shifting from a traditional on-premises approach, to a cloud-focused approach, by providing policies, tools, configurations, and rules needed for secure cloud use.
A cloud compliance framework differs from a cloud security framework in that it focuses on compliance with data regulations, as opposed to providing an overall security strategy. A compliance framework will address components such as governance, change control, continuous monitoring, vulnerability management, and reporting, while a security framework will also take into account other elements such as physical controls, authentication mechanisms, and business processes. You can use a combination of these pre-defined frameworks to inform your organization’s cloud security strategy.
First published by the National Institute of Standards and Technology in 2014, this template provides guidelines for mitigating overall cybersecurity risk. It is based on five pillars: identify, protect, detect, respond, recover.
ISO 27001/ 27017
This template is by the International Organization for Standards and is generally seen as the gold standard of cloud cybersecurity. ISO 27001 was originally published in 2005 and therefore did not fully address cloud security. ISO 27017 serves as an addendum to the original standard to address cloud-specific concerns such as shared responsibility with cloud service providers and separation of customers’ virtual environments from one another. This framework helps to define the responsibilities of both cloud service providers and customers. You can earn an ISO 27001 certification to demonstrate compliance with the standard, however, there is no certification specifically for ISO 27017.
CSA Cloud Controls Matrix (CCM)
The CSA Cloud Controls Matrix is a framework that provides controls that address all aspects of cloud computing. The matrix is based on guidelines for cloud security written by the Cloud Security Alliance (CSA). CSA is an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
This framework is meant to be used by cloud service providers to ensure their own security, as well as cloud consumers to ensure that they’re selecting a secure vendor.
Payment Card Industry Data Security Standard (PCI DSS)
This framework specifically applies to organizations processing payment information, so this is one that retailers will want to pay attention to. The PCI DSS Framework is broken down into 12 requirements, each of which have their own even more detailed subsections.
- Protect your system with firewalls
- Configure passwords and settings
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Regularly update and patch systems
- Restrict access to cardholder data to business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to workplace and cardholder data
- Implement logging and log management
- Conduct vulnerability scans and penetration tests
- Documentation and risk assessments
General Data Protection Regulation (GDPR)
GDPR is of concern for you if you are storing data on any customers from the European Union. Certain states in the U.S., such as California, are implementing their own privacy laws similar to GDPR, so even if you are not currently doing business in the EU, it may be beneficial to pay attention and make sure you’re compliant with the multitude of new state laws popping up. These laws require data holders to be able to easily access and delete data upon request from the consumer, which means it is essential for you to understand where specific data resides. This may be difficult without a comprehensive cloud data governance policy.
The Sarbanes-Oxley Act (SOX) is a 2002 U.S. law meant to protect investors from fraudulent financial disclosure by publicly traded corporations. This is primarily a financial requirement, but it does impact IT because security is responsible for storing the data that is referenced in the law. In particular, security departments should pay attention to section 404, which stipulates the need for management assessment of internal controls. Essentially, if your financial data is in an insecure system, the Public Company Accounting Oversight Board (PCAOB), which is responsible for SOX enforcement, will not view your financial data as reliable because of the potential for tampering. For example, data encryption is recommended as one of the best practices that ensure confidence in financial reporting.
You’ll also see something called well-architected frameworks. These are frameworks for cloud architects based on specific cloud service providers. These are available for AWS, Microsoft Azure, and Google Cloud.
Which Framework to Follow?
The industry you’re in, where your customers are located, and the type of data you have access to will all determine which standards you must comply with, but all retailers will need to be aware of universal consumer standards such as PCI DSS. There is also significant overlap between frameworks, so ensuring compliance with one will help you on your way to achieving others. If you’re concerned about compliance, utilizing a Cloud Security Posture Management tool (CSPM) can help you by automatically checking for alignment with the popular frameworks.
Adhering to these frameworks is essential for avoiding fines as well as protecting your data from a costly breach and loss of consumer confidence. RH-ISAC members have access to a community of over 200 fellow retailers with experience implementing cloud security frameworks. Membership can extend your team’s capabilities and provide valuable advice to simplify cloud compliance.