Cloud Data Stores and Compliance: What’s to Know
There’s an expectation that a CISO, or at least frontline security managers, know where the important data resides, the things you really need to protect. In reality, such information is very often anecdotal and compiled from meeting after meeting. While there might be a location list, it’s a best effort endeavour with an unknown margin of completeness. Having sat in meetings with lawyers asking about privacy compliance, and having had surprises because IT-based business platforms weren't telling IT Ops about databases they stood up in the cloud last year, I know first-hand that gaps in your information asset inventory can have real and immediate impact when it comes to security and compliance.
As a security or compliance professional, when people ask what keeps you up at night, is it what you know, or what you don’t know? With the amount of your organisation’s data stored in public cloud infrastructure growing exponentially, two potentially looming unknowns are the security and the compliance impacts of what’s sitting there. Did someone in biz platforms just spin up an RDS PostgreSQL database with customer contact data siphoned from Salesforce and is dumping reports into an S3 bucket?
The word “compliance” is used interchangeably with complying against a policy or baseline, e.g., AWS security best practices which the CIS benchmarks are built upon; and it’s used to describe the reason you measure against CIS benchmarks, which is passing larger organisational level objectives like audits or certifications, e.g., SOC 2, ISO 27000.
Secure practices enable compliance, and you achieve and demonstrate compliance by passing audits or assessments, i.e., the CIS AWS benchmarks can help you pass a SOC 2 audit or become ISO 27000 certified. The CIS benchmarks are intended to be placed in a tool that assess for those items and measure you against them, but CIS benchmarks are not something that you certify compliance with themselves.
Let me sidebar for a moment - and apologies if I come across as pedantic - but the SSAE 18 SOC 2 from ISACA is the standard on how to perform an audit, and not something you certify against, i.e., there is no such thing as SOC 2 certification. What you hopefully actually have and are looking for from service providers is an unqualified attestation report. It’s a common mislabelling that pops up in contract language, websites, and other places where people are asking for or trying to convey trust. The actual thing auditors measure you against are the “points of focus” from the COSO framework listed in the Trust Service Criteria (formerly Trust Principles), but you never hear “Trust Services Criteria” or “COSO certified”. Thank you AICPA! The takeaway is that the language someone uses, can tell you whether they actually understand the subject and purpose.
With that said, organizations also do audits for internal reasons. It could be that they have a mature security or information assurance program and want to measure how well they’re doing, or that their audit committee has heard the ‘cloud’ is dangerous and they need to focus on it this year. It could also be that they’re running regulated workloads in a public cloud environment.
Open Raven’s cloud data security solution can help an organization measure itself not only against the CIS AWS benchmarks, but also cover what an audit or assessment may ask about securing its cloud data.
A key compliance pain point that Open Raven addresses is the need to maintain an accurate and current inventory of your data assets, which if done manually is nearly impossible in cloud environments. You find this in every set of IT general controls (ITGC) in all security standards, including those used for compliance, e.g., PCI DSS and audits, and Trust Services Criteria for SOC 2. As well, privacy compliance obligations, especially in GDPR, require you to know what you have, and very importantly, where physically.
Another intrinsic benefit that Open Raven brings is a reduction of audit fatigue. Organizations can sometimes come to a screeching halt collecting the mountains of evidence and reports necessary to pass certifications or audits. Usually 12 months of records are required for audits, and scrambling to provide those is often the last thing the InfoSec, CloudOps, IT, etc. want to spend their time doing.
Open Raven can quickly provide reports on important data assets and the state of them in the environment, answering things like whether they’re encrypted and whether they’re backed up. Both common key controls you will find as required in security standards.
Reduce the Effort to Achieve Cloud Compliance
Open Raven reduces the amount of effort it takes to do ongoing monitoring of compliance with industry accepted good security practices and standards including CIS benchmarks for AWS, which in turn directly impacts your compliance with PCI, HIPAA/HITRUST, GDPR, CCPA and other regulatory requirements.
Open Raven helps to maintain security controls necessary to pass certifications and audits, whether for internal parties, e.g., IA, InfoSec, Legal, Compliance or for third-party auditors and assessors in support of things like SOC 2, SOX, and ISO 27001.
By being able to rapidly evaluate a cloud environment and report security issues, and by focusing on where data is and how it’s secured, Open Raven provides information critical to understanding the risk posture of your cloud environment.
Auditors are becoming more familiar with public cloud environments and common threats to data associated with them, so they’re incorporating them into their audit work programmes. These are the spreadsheets handed out to associates to go fill out, whether they understand the intent of the requirement or not. This means that they are increasingly asking questions about cloud environments when performing their audits or assessments. By measuring and reporting those Open Raven can provide out-of-the-box ways for customers to address those common cloud concerns, i.e., open S3 buckets, encryption state, backups.
Open Raven provides an accurate and continuous inventory of where data is stored which is critical for scoping security resources, and helps comply with security standards.
Open Raven also reduces audit fatigue and resource cost by providing reports that can show compliance to assessors, auditors, and internal stakeholders.
The future of data storage is in the public cloud. Ensuring your cloud compliant is often mandatory hygiene. But you ultimately want to be secure. And that means, discovering your data in the public cloud and continuously validating the controls that prevent data leaks and breaches. Let Open Raven help you as we have with others to secure their cloud data and achieve compliance.