20 Cloud Compliance terms you should know in 2022


August 5, 2023 Operator Officer

As more and more organisations globally adopt and move into the cloud, security and compliance have become the critical bottlenecks to consider and solve. As they transition mission-critical IT workloads and applications to the cloud, their security posture often ends up as a trade-off against the cost and performance of the cloud service.

Nowadays a single CSP is often not enough, so multi-cloud infrastructure is not uncommon for large organisations. Organisations gain effective, fast, affordable cloud storage, but it also enlarges their exposed attack surface. This is why cloud compliance and security are more important than ever as the threat landscape becomes more sophisticated.

Hence, with ever-increasing cloud adoption, cloud compliance regulations are also constantly changing and being updated to meet the growing demands of information security and user privacy.

Compliance for cloud-based solutions is one of the leading challenges facing organisations that aim to migrate existing workloads to the cloud.

So what is Cloud Compliance?

Cloud security compliance is the process and act of complying with the regulatory standards for using the cloud, according to industry guidelines and associated laws. Non-compliance can lead to financial and reputational damage, business interruption and legal challenges.

Another definition says “Cloud compliance refers to the need for organizations and cloud computing providers to comply with applicable regulatory standards of cloud usage established through industry guidelines and local, national, and international laws.”

Now let us look at some of the popular Cloud Compliance terms used globally.

20 Cloud Compliance terms you should know in 2022

1. HIPAA (Health Insurance Portability and Accountability Act): The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. It mandates the security of electronic healthcare information, confidentiality and privacy of health-related information, and information access for insurance.

2. HITRUST: As per Wikipedia, “The Health Information Trust Alliance, or HITRUST, is a privately held company located in the United States that, in collaboration with health care, technology and information security leaders, has established a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards.”

3. SOX (Sarbanes–Oxley Act): The Sarbanes-Oxley Act of 2002 (SOX) is a US federal law administered by the Securities and Exchange Commission (SEC). It is record-retention legislation specifying which records are to be kept and for how long (at least five years). It doesn’t prescribe how to retain those records, only that they must be retained.

4. NIST (National Institute of Standards and Technology): This foundational policy and procedure standard for private-sector organizations appraises their ability to manage and mitigate cyber-attacks. A best-practice guide for security professionals, this framework assists in understanding and managing risk and should be mandatory reading for those on the first line of defense. The NIST Cybersecurity Framework is built around five core functions: identifying, protecting, detecting, responding, and recovering.

5. GLBA (Gramm-Leach-Bliley Act): The Gramm-Leach-Bliley Act (GLBA) is a United States federal regulation to protect consumer financial privacy. The regulation restricts the sharing of consumer financial information with third parties, a practice that many financial institutions and organizations engage in. The Gramm-Leach-Bliley Act applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services to consumers.

6. PCI DSS (Payment Card Industry Data Security Standard): The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

7. PIPEDA (Personal Information Protection and Electronic Documents Act): PIPEDA is the Canadian federal privacy law that regulates how private-sector organizations handle personal information when engaging in “commercial activity,” which PIPEDA defines as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” PIPEDA applies to any business that operates in Canada and handles personal information that crosses provincial or national borders.

8. EU GDPR (General Data Protection Regulation): GDPR is a regulatory framework enacted by the European Union in 2016 that governs data protection and privacy for European Union/European Economic Area residents. In practice, GDPR has far-reaching implications beyond Europe, as it applies not only to EU/EEA organizations but to any organization, regardless of location, that processes data on individuals within the EU/EEA. Under the GDPR, personal data may not be stored longer than needed for the predefined purpose. Therefore, retention periods must be implemented and it must be possible to delete data effectively once a retention period has expired, both for data stored locally and for data in the cloud.

9. FedRAMP (Federal Risk and Authorization Management Program): The Federal Risk and Authorization Management Program (FedRAMP) is a cyber security risk management program for the purchase and use of cloud products and services by U.S. federal agencies. Only cloud service providers (CSPs) with FedRAMP approval may work with government agencies. FedRAMP provides four types of security baseline, defined as Low, Moderate, High, and Tailored (LI-SaaS).

10. UK Government G-Cloud: The G-Cloud Framework enables public bodies to procure commodity-based, pay-as-you-go cloud services on government-approved, short-term contracts through an online catalogue called the Digital Marketplace. The G-Cloud framework requires a supplier declaration that contains standard data elements that enable organizations to evaluate suppliers against the same criteria. Data elements include information on the support of open standards, onboarding and offboarding, provisioning, data storage, asset protection and resilience, vulnerability management, and incident management, among others.

11. French Government Initiative SecNumCloud: SecNumCloud is an initiative by the French National Cybersecurity Agency (ANSSI), aiming to improve protection for public authorities and Operators of Vital Importance (OVIs). The certification was launched following the adoption of the Military Planning Act (Loi de Programmation Militaire or LPM) in 2013.

12. Multi-Tier Cloud Security (MTCS) Singapore: The Multi-Tier Cloud Security (MTCS) standard is an operational Singapore security management standard (SPRING SS 584), based on the ISO 27001/02 Information Security Management System (ISMS) standards. MTCS is the world’s first cloud security standard that covers multiple tiers of cloud security. This standard promotes clarity around the security service levels of cloud providers while also increasing the accountability and transparency of cloud service providers.

13. COBIT: Control Objectives for Information and Related Technologies, more popularly known as COBIT, is a framework that aims to help organizations develop, implement, monitor, and improve IT governance and information management. COBIT was established by ISACA, the Information Systems Audit and Control Association. Both ISACA and the IT Governance Institute (ITGI) publish it. The COBIT framework comprises several key components, such as frameworks, process descriptions, control objectives, maturity models, and management guidelines. At its core, the COBIT framework serves as a multifunctional support tool that helps IT managers align business risks, technical issues, and control prerequisites within the organization.

14. FIPS (Federal Information Processing Standard): FIPS Publication 140-2 is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. FIPS standards are developed when there are compelling federal government requirements, such as for security and interoperability, but no acceptable industry standards or solutions exist. Government agencies and financial institutions use these standards to ensure that products conform to specified security requirements.

15. CSA-STAR: The Cloud Security Alliance (CSA) Security Trust And Risk Assurance (STAR) is a comprehensive program for cloud security assurance. Having controls mapped to PCI DSS, ISO 27001, NIST, and ISACA COBIT, CSA STAR stores documentation of the security and privacy controls from major CSPs. By adhering to the STAR framework relevant to your CSP, your organization validates its security posture and can demonstrate proof of secure cloud controls.

16. ISO 27001: ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best-practice guidance. It is the best-known compliance standard within the ISO/IEC 27000 family of standards, which covers the overall security of information assets. By maintaining compliance with ISO 27001 controls, an organization of any size in any business sector can help protect digital information such as intellectual property, financial information, employee details, and more.

17. HECVAT (Higher Education Cloud Vendor Assessment Toolkit): HECVAT is a self-assessment that attempts to standardize higher education information security and data protection requirements in the United States around cloud service providers. The assessment helps higher education institutions ensure that cloud services are appropriately assessed for security and privacy needs, and provides a consistent, easily adopted methodology for those who want to use cloud services.

18. CJIS (Criminal Justice Information Services): A joint program of the FBI, State Identification Bureaus, and CJIS Systems Agencies, the Criminal Justice Information Services (CJIS) Security Policy outlines the security precautions that must be taken to protect sensitive information, such as fingerprints and criminal backgrounds, gathered by local, state, and federal criminal justice and law enforcement agencies. CJIS policies cover best practices in wireless networking, remote access, data encryption, and multi-factor authentication. The CJIS Security Policy applies to every individual, contractor or private entity with access to criminal justice services and information.

19. IRAP (Information Security Registered Assessors Program): The Information Security Registered Assessors Program (IRAP) enables Australian Government customers to validate that appropriate controls are in place and to determine the appropriate responsibility model for addressing the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC).

20. ISMAP (Information System Security Management and Assessment Program): ISMAP is a Japanese government security assessment system that aims to ensure an appropriate security level in government cloud service procurement by proactively evaluating and registering cloud services that meet government security requirements. This is expected to help contribute to the smooth introduction of cloud services in Japan’s public sector.