Page 83 - Cyber Defense eMagazine August 2023

choose to mitigate risks either using technical controls such as built-in cloud-native features or contractual protections such as ISO or SOC 2/3 certifications that the cloud provider commits to undergo periodically. The results of the risk assessment should be documented thoroughly and should form the basis of your security readiness in the cloud.




3. Assess Your Compliance Obligations

Your compliance requirements in the cloud depend on a variety of critical factors, such as:

• The laws and regulations tied to your organization's and your customers' physical locations (Example: GDPR in the European Union)
• The regulatory requirements of the industry you operate in (Example: HIPAA for healthcare and life sciences)
• The type of data you store and process in the cloud (Example: PII)
• The cloud services you use (Example: are the managed cloud offerings you intend to use for your workloads covered under HIPAA?)



The answers to these questions dictate which security controls you need to implement for your workloads in the public cloud. A typical compliance journey goes through three stages: assessment, gap remediation, and regular monitoring to check adherence to compliance standards. A comprehensive compliance assessment involves a detailed review of all your mandatory regulatory obligations and how your organization currently puts them into practice. Once you have a clear understanding of your current state, you can begin to identify any gaps between your requirements and your current practices. The next step, remediating those gaps, involves implementing the latest security controls and updating existing policies that are outdated. The final stage of the compliance journey is continual monitoring. This step is important to ensure your organization stays up to date with changing regulations. To remain compliant even as regulations change, you should consider automating your cloud infrastructure security policies by incorporating them into your infrastructure as code (IaC) deployments. You could also use a cloud compliance management platform to help you track your compliance posture and identify any gaps, and, last but not least, stay up to date on the latest regulatory changes.
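As an added illustration of encoding compliance policy into an IaC pipeline (example code written for this page, not from the article), the check below evaluates a constructed, simplified deployment plan against rules derived from the factors listed above: PII must be encrypted at rest, GDPR-scoped data must stay in EU regions, and HIPAA-scoped data may only land on services you have confirmed are HIPAA-eligible. The plan format, region list and service allowlist are hypothetical; a real pipeline would take them from your provider's compliance documentation.

```python
"""Policy-as-code gate for a simplified IaC plan (hypothetical format)."""
import json

# Constructed sample plan for demonstration; not a real deployment.
SAMPLE_PLAN = json.dumps({"resources": [
    {"name": "patient-records", "type": "object_store", "region": "eu-west-1",
     "encrypted": True, "tags": {"data_class": "PII", "regime": "GDPR,HIPAA"}},
    {"name": "analytics-db", "type": "managed_db", "region": "us-east-1",
     "encrypted": False, "tags": {"data_class": "PII", "regime": "GDPR"}},
    {"name": "static-site", "type": "object_store", "region": "us-east-1",
     "encrypted": False, "tags": {"data_class": "public"}},
    {"name": "notes-ml", "type": "experimental_ml", "region": "eu-west-1",
     "encrypted": True, "tags": {"data_class": "PII", "regime": "HIPAA"}},
]})

# Hypothetical allowlists; populate from the provider's compliance scope in practice.
EU_REGIONS = {"eu-west-1", "eu-central-1"}
HIPAA_ELIGIBLE_TYPES = {"object_store", "managed_db"}


def check_resource(res):
    """Return a list of policy findings for one resource (empty list = compliant)."""
    findings = []
    tags = res.get("tags", {})
    regimes = set(filter(None, tags.get("regime", "").split(",")))
    is_pii = tags.get("data_class") == "PII"
    # Missing 'encrypted' key is treated as unencrypted (fail closed).
    if is_pii and not res.get("encrypted"):
        findings.append(f"{res['name']}: PII stored without encryption at rest")
    if "GDPR" in regimes and res.get("region") not in EU_REGIONS:
        findings.append(f"{res['name']}: GDPR-scoped data outside EU region ({res.get('region')})")
    if "HIPAA" in regimes and res.get("type") not in HIPAA_ELIGIBLE_TYPES:
        findings.append(f"{res['name']}: service type {res.get('type')} not HIPAA-eligible")
    return findings


def evaluate_plan(plan_json):
    """Run every resource in the plan through the policy and collect findings."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan.get("resources", []):
        findings.extend(check_resource(res))
    return findings


if __name__ == "__main__":
    # In a CI gate, a non-empty finding list blocks the deployment.
    for finding in evaluate_plan(SAMPLE_PLAN):
        print("FAIL", finding)
```

Run it on each plan before apply so that a new region, an unencrypted store or an unvetted service type is caught at deployment time rather than at the next audit.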



4. Understand Your Privacy Requirements and Build a Robust Plan to Adhere to Them

The privacy requirements of your organization are dictated by how you acquire, process and store data, both that of your internal users and that of your external clients. As the organization grows, building a robust set of security controls to ensure privacy becomes increasingly complex, and keeping up with the changes can seem like a daunting task. However, a methodical, well-thought-out framework will help you adhere to your organization's privacy requirements. Below are several approaches to think about when considering privacy requirements:






            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.