Cloud Compliance is Dependent on People and Technology
Regulatory standards abound in the cloud. Healthcare has HIPAA, the federal government has FedRAMP, and financial companies must comply with SOC and PCI DSS. While staying in compliance is a must for virtually every single company that uses cloud environments, many organizations fail to build compliance into their development and posture framework.
Often this failure is a human one, not a technical one. People fail to assign leadership, communicate, and automate. This three-prong process creates a mechanism for vigilance within an organization – alerting companies to potentially devastating data breaches before it is too late. In the industry, this three-prong approach is often described as continuous compliance testing – and it goes beyond software.
Continuous compliance testing is often shortened to just a software system that is regularly scanning the system, and ensuring that the system remains in compliance at a given time (often multiple times throughout the day). Companies, such as OpsCompass, do this type of scan on a regular basis to provide real-time alerts when a firm is out of compliance, and to ensure that an audit trail exists to illustrate consistent compliance with government and industry standards.
The audit trail and corresponding reports provide companies with an awareness of their trouble spots, including individuals or departments that may need to be retrained on the importance of continuous compliance. Understanding why these groups fall out of compliance is extremely important.
But, continuous scanning is not enough. Education and leadership are also needed to implement true continuous compliance. According to a 2017 article by healthcare insurance company Beazly[1], more than 50% of HIPAA violations in the cloud occurred because of human efforts, either unintentional or intentional. These failures may have been prevented by a software system that was consistently monitoring the cloud environment. In fact, the HIPAA Journal recommends this exact step[2] as a mechanism for avoiding breaches, stating:
The easiest way to eliminate the possibility of human error is to automate as many compliance processes as possible. If the staff is only required to store data on encrypted devices, a security system should be implemented that makes it impossible for data to be transferred to an unsecured hard drive. Users can be automatically logged out of databases and computer systems after being idle for a set [period of time] and other automated procedures introduced to keep data secure. Moving data to a public cloud environment – such as AWS, Microsoft Azure, or Google Cloud – does provide this type of protection. Moreover, many smaller entities may benefit from the increased security controls of the public cloud over those of smaller vendors. But, even with this type of environment, human error can persist. Thus, training and automation remain key elements of an effective continuous compliance effort.
In its guide to PCI Security Standards[3], the PCI Security Standards Council recommends ways for companies to maintain continuous compliance. One key way for companies to ensure compliance is to assign ownership to a person (or small group) for coordinating security activities. Many organizations have done this by creating the role of Chief Information Security Officer (CISO). However, this step is often not enough, so the guide suggests that an annual audit may not embed enough accountability into the process. Thus, one crucial task that the CISO, or small team, should implement is continuous testing. As stated in the guide:
Maintaining a state of continuous compliance requires focused effort and coordination. Organizations accustomed to a point-in-time approach to PCI DSS compliance that focuses primarily on annual validation may find it difficult to foster security across their people, processes, and technology as needed to support sustained compliance…Organizations that focus solely on compliance can be compared to people who go on a crash diet. It may work temporarily and make people appear healthier, but it is not sustainable over the long term and does not reflect an overall commitment to a healthier lifestyle. To improve one’s overall long-term health, healthier activities—such as ongoing exercise and nutrition—need to be incorporated into one’s daily life. The same concepts hold true for compliance-focused organizations. A Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) may demonstrate that the organization is compliant at a given point in time, but does not necessarily reflect an overall commitment to security.[4]
To summarize, creating a strong compliance environment across a variety of industries is increasingly important. Many breaches occur due to employee action (or inaction), not just from outside invasions. So, organizations following best practices are creating a CISO role or a small team, implementing strong communication and training standards, and automating the process using software tools, such as OpsCompass.
If you’re looking for assistance with your compliance challenges, OpsCompass stands ready to help through consultation and with automated processes built into our SaaS tool.
[1] Beazly Breach Insights – Healthcare Special Edition
[2] How to Reduce Human Error and Prevent HIPAA Breaches
[3] Information Supplement: Best Practices for Maintaining PCI DSS Compliance
[4] Page 33 of PCI Security Standards