Cloud Security Standards: ISO, PCI, GDPR and Your Cloud

What Are Cloud Security Standards?

With the shift towards cloud infrastructure, compliance standards had to evolve. Cloud services and platforms are now required to maintain compliance with different federal, international, local, and state security laws, regulations and standards. 

Compliance standards such as ISO, PCI DSS, HIPAA, and GDPR have specific requirements for cloud environments. Where mandatory government regulations are concerned, violations may result in legal penalties such as fines.

In addition to general compliance standards, specialized standards have evolved, which can help organizations achieve a secure cloud environment. These include the Center for Internet Security (CIS) Cloud Security Benchmarks, the Cloud Security Alliance (CSA) Controls Matrix, and the Cloud Architecture Framework.


The Need for Cloud Security Standards

As organizations continue to migrate workloads to the cloud, they must ensure that cloud computing is the correct delivery environment for their applications. The main concern is security and mitigating risk. Businesses are evaluating whether sensitive data is safe in the cloud and how to adopt cloud services while remaining compliant with standards and regulations.

The cloud is, by nature, an attractive target for cyberattacks, because it is exposed to public networks by default and is a well-documented environment that attackers are learning to exploit. Cloud configurations are complex, and the large number of moving parts — such as VMs, serverless functions, containers and storage buckets — each represent a threat surface.

Both cloud providers and cloud users are finding it difficult to define what they need to do to ensure a secure environment. There are many research bodies, security best practices, and regulatory requirements, but no clear standard or consensus on what constitutes a truly secure cloud environment. 

This makes it more important than ever for businesses to adopt a framework that will help them address all aspects of cloud security — including identity and access management (IAM), network security, virtualization security, Zero Trust Network Access (ZTNA), endpoint security, data privacy and content security.



Cloud Compliance: How Do Major Compliance Standards Impact the Cloud?

Here are some of the important security regulations around the world, and how they may affect cloud security.

ISO Standards

The International Organization for Standardization (ISO) created ISO 27001, a standard that helps organizations safeguard their information using best practices.

The ISO has created standards for many kinds of systems and technologies, such as:

  • ISO/IEC 17789 (2014) — this standard outlines cloud computing activities, functional components, and roles, including the way they interact.
  • ISO/IEC 19944-1 (2020) — this standard specifies how data flows between cloud service centers and cloud service users.
  • ISO/IEC Technical Specification 23167 (2020) — this standard specifies techniques and technologies employed in cloud computing, such as VMs, containers, and hypervisors.
  • ISO/IEC 27018 (2019) — this document describes guidelines founded on ISO/IEC 27002, emphasizing the safeguarding of personally identifiable information (PII) within the public cloud.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for merchants who accept debit or credit cards. PCI DSS applies to organizations that store or process cardholder data.

If your organization retains and handles sensitive payment card details in the cloud, it is your responsibility to provide your IT team with advanced cloud expertise to build and maintain your cloud environment safely. If you don’t adhere to the PCI DSS Cloud Computing Guidelines, you may lose your ability to process payment card transactions.

HIPAA

To safeguard the health-related data of individuals, the Health Insurance Portability and Accountability Act (HIPAA) features sections that directly relate to the security of information. 

HIPAA is a law that applies to organizations that deal with personally identifiable medical information. In terms of information security, the HIPAA Security Rule (HSR) is the most applicable. The HSR provides guidelines for keeping an individual’s electronic health details safe. This includes information that a covered entity uses, creates, maintains, or receives.

If your organization employs cloud-based services (IaaS, PaaS, SaaS) to oversee and move health information, it is your task to make sure the service provider is HIPAA-compliant. You also have to implement best practices for overseeing cloud configurations.

GDPR

One of the strictest and most widely applicable information privacy laws in the world is the General Data Protection Regulation (GDPR). Its central aim is to safeguard the personal information of businesses and individuals in the European Union (EU).

One of the 11 chapters of the GDPR regulations, “Chapter 4: Controller and Processor,” features articles that affect security and IT teams dealing with public cloud environments that process and manage user data. For instance: 

  • Article 25: Data protection by design and by default — notes that measures should be implemented so that, by default, personal information is not made available to an undefined number of natural persons without the person’s intervention. Microsoft Azure Active Directory permissions and policies and AWS IAM help make sure that the extent of information access is limited.
  • Article 30: Records of processing activities — notes that data processors must keep records of information processing. Enabling API logging through Azure Monitor or AWS CloudTrail, with logs delivered to S3 buckets or Azure Blob storage, lets organizations meet this requirement.
  • Article 32: Security of processing — notes that personal information must be encrypted. Security and IT teams may implement strategies to encrypt data in transit and at rest.
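The three articles above each map to a configuration that can be checked mechanically. The script below is an added example, not code from the original article or from Exabeam: it runs a small set of policy-as-code checks (Article 25: no wildcard IAM grants and public access blocked on buckets; Article 30: an active, multi-region, validated CloudTrail trail; Article 32: default encryption on buckets and KMS encryption of the trail's log files) over an account snapshot that is constructed by hand. The field names are modelled on the AWS CloudTrail, S3 and IAM response shapes, but no cloud API is called and every value, bucket name and key ARN is illustrative.

```python
# Offline GDPR Art. 25/30/32 checks over a hand-built account snapshot.
# No AWS calls are made; field names are modelled on the AWS API responses.
from dataclasses import dataclass

# Constructed sample snapshot: one trail, two buckets, two IAM policies.
SNAPSHOT = {
    "trails": [{
        "Name": "org-trail", "IsLogging": True, "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True, "S3BucketName": "example-audit-logs",
        "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",
    }],
    "buckets": {
        "example-audit-logs": {
            "sse_algorithm": "aws:kms",
            "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        },
        "example-customer-exports": {
            "sse_algorithm": None,  # no default encryption: an Article 32 gap
            "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        },
    },
    "iam_policies": {
        "analyst-readonly": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                            "Resource": "arn:aws:s3:::example-customer-exports/*"}]},
        "legacy-admin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    },
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class Finding:
    article: str   # GDPR article the check supports
    check: str     # check identifier, unique per resource
    passed: bool
    detail: str


def _as_list(value):
    """IAM statements may give Action/Resource as a string or a list."""
    return value if isinstance(value, list) else [value]


def check_article_25(snapshot):
    """Art. 25: access limited by default, so no Allow-*-on-* policies and no public buckets."""
    findings = []
    for name, doc in snapshot["iam_policies"].items():
        wildcard = any(s["Effect"] == "Allow"
                       and "*" in _as_list(s["Action"]) and "*" in _as_list(s["Resource"])
                       for s in doc["Statement"])
        findings.append(Finding("Art. 25", f"iam:{name}", not wildcard,
                                "grants Action * on Resource *" if wildcard else "scoped grant"))
    for bucket, cfg in snapshot["buckets"].items():
        all_on = all(cfg["public_access_block"].get(k, False) for k in PAB_KEYS)
        findings.append(Finding("Art. 25", f"s3-public-access-block:{bucket}", all_on,
                                "all four settings on" if all_on else "public access not fully blocked"))
    return findings


def check_article_30(snapshot):
    """Art. 30: a tamper-evident record of API activity covers every region."""
    good = [t for t in snapshot["trails"]
            if t["IsLogging"] and t["IsMultiRegionTrail"] and t["LogFileValidationEnabled"]]
    return [Finding("Art. 30", "cloudtrail:active-multiregion-validated", bool(good),
                    f"{len(good)} qualifying trail(s)")]


def check_article_32(snapshot):
    """Art. 32: data at rest is encrypted, including the audit log itself."""
    findings = []
    for bucket, cfg in snapshot["buckets"].items():
        enc = cfg["sse_algorithm"] in ("AES256", "aws:kms")
        findings.append(Finding("Art. 32", f"s3-default-encryption:{bucket}", enc,
                                cfg["sse_algorithm"] or "no default encryption"))
    for t in snapshot["trails"]:
        kms = bool(t.get("KmsKeyId"))
        findings.append(Finding("Art. 32", f"cloudtrail-kms:{t['Name']}", kms,
                                "log files KMS-encrypted" if kms else "SSE-KMS not set"))
    return findings


def run_checks(snapshot=SNAPSHOT):
    return check_article_25(snapshot) + check_article_30(snapshot) + check_article_32(snapshot)


def failed_checks(snapshot=SNAPSHOT):
    """Sorted identifiers of failing checks; a non-empty list can gate a deployment."""
    return sorted(f.check for f in run_checks(snapshot) if not f.passed)


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{'PASS' if f.passed else 'FAIL'}] {f.article}  {f.check}: {f.detail}")
```

Against the constructed snapshot, the script flags the wildcard `legacy-admin` policy, the unencrypted `example-customer-exports` bucket and that bucket's incomplete public access block, while the audit trail passes all checks. In practice the snapshot would be populated from the describe calls of the provider's SDK; keeping the checks pure functions over a plain dictionary is what makes them testable without an account.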

System and Organization Controls (SOC) Reporting

The SOC reporting standard is voluntary. Organizations pursue SOC certification to demonstrate a commitment to data security and to make sure they have the correct security strategies in place.

Each of the five SOC 2 trust categories is made up of nine sub-categories. In the Security Criteria, these include the trust principles that are pertinent to compliance and security teams who manage public cloud infrastructure:

  • CC2.0: Communication and information — deals with how organizations manage external and internal communications and data flows.
  • CC5.0: Control activities — addresses how an organization’s control pursuits account for technology and risk management.
  • CC6.0: Logical and physical access control — addresses how organizational controls govern logical access to IT credentials and systems. Covers control of physical entry to facilities, and security standards to prevent and detect unauthorized access.
  • CC7.0: System operations — deals with how an organization controls and monitors systems for possible events, anomalies, and configuration changes that could introduce security risks. It also specifies incident response measures to remediate, contain, and announce security incidents.
  • CC8.0: Change management — addresses how organizations measure and determine which modifications are required in their data, infrastructure, procedures and software. This allows them to safely make necessary changes while preventing unauthorized changes.

Cloud-Specific Security Frameworks and Benchmarks

Here are some frameworks to help organizations maintain a high level of cloud security.

CIS Cloud Security Benchmarks

The CIS Foundations Benchmarks are a component of the cybersecurity standards overseen by the Center for Internet Security (CIS). CIS Benchmarks are vendor-agnostic, consensus-based secure configuration guidelines for the most prevalent technologies and systems.

There are over 100 freely available CIS Benchmarks dealing with dozens of vendor product groups, including servers, operating systems, mobile devices, cloud providers, network devices, and desktop software. The CIS Foundations Benchmarks offer help for public cloud environments at the account level.

The CIS Foundations Benchmarks deal with:

  • Oracle Cloud Infrastructure
  • IBM Cloud
  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud Platform
  • Alibaba Cloud

CIS Benchmarks provide security configuration outlines based on best practices and are approved by business, government, academia, and industry bodies. The CIS Foundations Benchmarks are meant for application and system administrators, security experts, and auditors, as well as for platform deployment, help desk, and individual DevOps personnel who wish to create, deploy, secure, or evaluate solutions within the cloud. They are available free of charge and can be downloaded as PDF documents.

CSA Controls Matrix

This set of security controls, published by the Cloud Security Alliance (CSA), offers a baseline for security vendors, increasing the robustness of security control environments and streamlining audits. This framework also helps prospective customers assess the risk posture of potential cloud vendors.

The Cloud Security Alliance has created a certification initiative known as STAR. The CSA STAR certification demonstrates a strong cloud security posture, which is respected by customers. This set of standards can be a key resource for customers assessing a vendor’s dedication to security, and is a must for every organization seeking to ensure customer trust.

The STAR registry outlines the privacy and security controls offered by common cloud computing services, so cloud customers can evaluate their providers and make informed purchasing decisions.


Cloud Architecture Frameworks

These frameworks may be viewed as best practice guidelines for cloud architects, typically covering operational security, efficiency, and cost-value analysis. Here are three frameworks that cloud architects should be aware of:

  • AWS Well-Architected framework — helps Amazon Web Services architects create applications and workloads in the Amazon cloud. This framework outlines questions for evaluating cloud environments and offers customers a reliable resource for architecture analysis. Five core principles guide Amazon architects — security, operational excellence, performance efficiency, reliability, and cost optimization.
  • Google Cloud Architecture Framework — offers a foundation for building and enhancing Google Cloud workloads. This framework helps architects by dealing with four central principles — security and compliance, operational excellence, performance and cost optimization, and reliability.
  • Azure architecture framework — helps architects develop cloud-based workloads in Microsoft Azure. This guide helps optimize architecture workloads and is founded on principles similar to those of the Google Cloud and AWS frameworks, such as data security, cost optimization, reliability, performance efficiency and operational excellence, which can help organizations retain system functionality and recover from incidents.

Cloud Security with Exabeam

Even if an all-cloud initiative is not in motion, it’s likely your organization will be moving operations into the cloud in the near future. Before taking this step, it’s critical to assess how you will go about securing cloud operations by understanding related security and compliance issues. Fortunately, a modern security information and event management (SIEM), or extended detection and response (XDR) solution will let your analysts address enterprise cloud security with advanced monitoring, behavioral analytics and automation.

A modern approach automatically collects alert data from across multiple clouds, detects deviations from normal user and entity activity using behavioral analytics, and helps analysts quickly respond to attacks on cloud applications and infrastructure. A modern SIEM or XDR can help you combat increasingly targeted and complex attacks and insider threats by augmenting other cloud security solutions such as Identity and Access Management (IAM), Cloud Access Security Broker (CASB), and Secure Access Service Edge (SASE) to better detect, investigate and respond to cloud-based attacks, all while minimizing false positives.

As cloud-delivered offerings, Exabeam Fusion SIEM and XDR address cloud security in multiple ways to ensure the protection of sensitive data, applications and infrastructure. As the leader in Next-Gen SIEM and XDR, Exabeam dramatically improves SOC productivity, allowing teams to detect, investigate and respond to cyberattacks in 51 percent less time. Here are a few of the ways Exabeam supports cloud security:

  • Collects alert data by direct ingestion from dozens of cloud security tools and popular cloud-based services across multiple enterprise clouds, in addition to hundreds of other products
  • Detects new and emerging threats with behavioral analytics
  • Provides machine-built timelines to improve analyst productivity and reduce response times by automating incident investigation
  • Includes response playbooks using pre-built connectors and hundreds of actions to contain and mitigate threats
  • Offers pre-built compliance packages (Exabeam Fusion SIEM)
  • Supports detection and investigation with mappings to MITRE ATT&CK and the availability of the Exabeam Threat Intelligence Service, a daily updated stream of indicators of compromise (IoCs) such as malicious IP addresses and domains
  • Augments other cloud security solutions like IAM and CASB to better detect, investigate and respond to cloud-based attacks while minimizing false positives
