by Tom Conklin, CISO, Druva
Rapid scalability, industry-leading security, robust data protection and management – the advantages of cloud-first services are well known. Yet, as companies migrate their data to the cloud, working with a Software-as-a-Service (SaaS) vendor and fourth parties like Amazon Web Services or Microsoft Azure, the core regulatory and compliance responsibilities remain separate.
Cloud-first services must go hand in hand with a cloud-first approach to compliance.
Compliance is critical. It’s critical to customers, who require compliance certifications, assessments, and audits to make their purchasing decisions. It’s critical to regulators, who build the framework for doing business and ultimately perform the audits. And, of course, compliance matters to you, to verify that you’re protected against costly regulatory fines and dangerous breaches that will result in a damaged reputation for your organisation.
While the types of security and compliance risks are similar in the cloud, the very nature of the platform presents unique challenges. Security has always been difficult to assess and manage across platforms, but the security controls for cloud applications are spread across people, processes, technology, and even multiple companies.
Compared to the challenges of managing across platforms internally, it can be exponentially more difficult to gain a centralised picture of your security needs and controls in the cloud.
Regulatory compliance requires standardisation and tight controls, the ability to correctly manage customer data – wherever it lives or face the consequences. True legal compliance requires the ability to respond to government inquiries such as a witness summons or discovery requests in lawsuits — no matter where the data originated — or face court penalties or lost lawsuits.
And in the cloud, threats, including data theft, malware, corruption, and ransomware, continue to evolve. Even as cloud providers offer industry-leading security, edge systems on networks outside of your control are vulnerable. Ransomware could take down your entire business for hours or days. Without a proper data protection solution, your best hope is to pay the ransom and cross your fingers the data is restored.
A cloud-first approach to compliance must, at its core, be data-centric, as opposed to application centric. This requires real time, continuous monitoring of data, wherever it resides. Done right, monitoring should anticipate risks before they become problems, whether they originate on an endpoint or in the cloud.
Effective collection, preservation, retention, and index protocols across all data environments is critical to real time monitoring and robust compliance. Data must also be governed within clear role-based controls; real-time audit logging that leaves a clear trail whenever someone accesses or changes data.
And the data itself needs to be fully protected, both in-flight and at-rest. An industry best practice is for SaaS providers to offer unique encryption keys for your organisation – keys only you can access – so your security remains your own, and not subject to vulnerabilities that may exist in their system.
As the efficiency, security and scalability of the cloud continues to drive migration at a large scale – companies must remember that core regulatory and compliance responsibilities still rest in their hands. While the cloud brings new nuances and complexities to these responsibilities, a robust data-first approach can underpin successful compliance programs moving forward and make life a lot easier when those audits – and discovery requests – do come.