Page 83 - Cyber Defense eMagazine August 2023
choose to mitigate risks either using technical controls such as using built-in cloud native features or
contractual protections such as ISO or SOC 2/3 certifications that the cloud provider commits to undergo
periodically. The results of the risk assessment should be documented thoroughly and should form the
basis of your security readiness in the cloud.
3. Assess Your Compliance Obligations
Your compliance requirements in the cloud depend on a variety of critical factors, such as:
• The laws and regulations tied to your organization's and your customers' physical locations (Example: GDPR in the European Union)
• The regulatory requirements of the industry you operate in (Example: HIPAA for healthcare and life sciences)
• The type of data you store and process in the cloud (Example: PII data)
• The cloud services you use (Example: are the managed cloud offerings that you intend to use for your workloads covered under HIPAA?)
The answers to the above questions dictate which security controls you need to implement for your workloads in the public cloud. A typical compliance journey goes through three stages: assessment, gap remediation, and regular monitoring to check adherence to compliance standards. A comprehensive compliance assessment involves a detailed review of all your mandatory regulatory obligations and how your organization currently puts them into practice. Once you have a clear understanding of your current state, you can begin to identify any gaps between your requirements and your current practices. The next step, remediating those gaps, involves implementing the required security controls and updating your existing policies that are outdated. The final stage of the compliance journey is continual monitoring. This step is important to ensure your organization stays up to date with changing regulations. To remain compliant even as regulations change, you should consider automating your cloud infrastructure security policies by incorporating them into your infrastructure as code (IaC) deployments. You could also use a cloud compliance management platform to help you track your compliance posture and identify any gaps and, last but not least, stay up to date on the latest regulatory changes.
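To make the "policies in your IaC deployments" idea concrete, here is an added example (not from the article): a small Python gate that evaluates a constructed IaC plan against a constructed control catalogue keyed to HIPAA and GDPR, returning the gaps for the assessment stage and the newly introduced gaps for the monitoring stage. The plan format, the HIPAA_ELIGIBLE set and the control list are assumptions; your real control set comes from your own regulatory review.

```python
import json

# Constructed sample: a normalized view of an IaC plan (one dict per resource).
PLAN_JSON = """
[
 {"name": "patient-records", "type": "object_store", "data_class": "PHI",
  "encrypted": false, "public": true, "logging": true, "region": "us-east-1"},
 {"name": "eu-customer-db", "type": "database", "data_class": "PII",
  "encrypted": true, "public": false, "logging": false, "region": "us-east-1"},
 {"name": "session-cache", "type": "cache", "data_class": "PHI",
  "encrypted": true, "public": false, "logging": true, "region": "us-east-1"},
 {"name": "static-assets", "type": "object_store", "data_class": "public",
  "encrypted": false, "public": true, "logging": false, "region": "us-east-1"}
]
"""

# Constructed: managed services your assessor has confirmed as covered for
# PHI (the "are the offerings covered under HIPAA?" question from the text).
HIPAA_ELIGIBLE = {"object_store", "database"}

# Constructed control catalogue: (control id, framework, data classes that
# trigger it, predicate that must hold). The real set comes from your
# regulatory review, not from this example.
CONTROLS = [
    ("encrypt-at-rest", "HIPAA", {"PHI", "PII"}, lambda r: r["encrypted"]),
    ("no-public-access", "HIPAA", {"PHI", "PII"}, lambda r: not r["public"]),
    ("access-logging", "HIPAA", {"PHI"}, lambda r: r["logging"]),
    ("hipaa-eligible-service", "HIPAA", {"PHI"}, lambda r: r["type"] in HIPAA_ELIGIBLE),
    ("eu-data-residency", "GDPR", {"PII"}, lambda r: r["region"].startswith("eu-")),
]

def assess(plan_json):
    """Assessment stage: every (resource, control, framework) that fails."""
    gaps = []
    for res in json.loads(plan_json):
        for ctl, framework, classes, holds in CONTROLS:
            if res["data_class"] in classes and not holds(res):
                gaps.append((res["name"], ctl, framework))
    return gaps

def new_gaps(previous, current):
    """Monitoring stage: gaps introduced since the last run (drift)."""
    return sorted(set(current) - set(previous))

if __name__ == "__main__":
    found = assess(PLAN_JSON)
    for name, ctl, fw in found:
        print(f"GAP {fw:<5} {ctl:<22} {name}")
    raise SystemExit(1 if found else 0)  # non-zero exit blocks the deployment
```

Run as a pipeline step, the non-zero exit on any gap is what turns the written policy into an enforced one; storing each run's gap list lets `new_gaps` alert only on drift.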
4. Understand Your Privacy Requirements and Build a Robust Plan to Adhere To Those
Your organization's privacy requirements are dictated by how you acquire, process and store data - both that of your internal users and that of your external clients. As the organization grows, building a robust set of security controls to ensure privacy becomes increasingly complex, and it might seem like a daunting task to keep up with the changes. However, a methodical and well-thought-out framework will help you adhere to your organization's privacy requirements. Below are several approaches to think about when considering privacy requirements:
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.