Cloud Compliance and Governance

Building a secure cloud environment is one thing. Enforcing cloud compliance and governance is another.

Achieving cloud compliance often requires going further than just implementing basic security safeguards. You must also demonstrate that your cloud complies with whichever internal or external governance rules apply to your business.

Keep reading for an overview of what cloud compliance means, how it works, and how to achieve compliance in the “Big Three” clouds: AWS, Azure, and GCP.

What Is Cloud Compliance?

Cloud compliance consists of the procedures and practices that ensure that a cloud environment complies with governance rules. In other words, when you build a compliant cloud environment, your environment conforms to one or more specific sets of security and privacy standards.

Those standards could be established by a government agency, as is the case with compliance frameworks like the European Union General Data Protection Regulation (GDPR) or the California Privacy Rights Act (CPRA). They could also be an industry standard, like the Payment Card Industry Data Security Standard (PCI DSS). Or, they could be internal governance policies that a company establishes for itself.

The frameworks that affect a given business are determined by factors such as the jurisdiction in which your business operates, the industry or sector of the business, and the number of users the business has. For example, the GDPR applies to most businesses that process data owned by or associated with residents of the E.U., regardless of which industry the company operates in or whether the company has a physical presence in the European Union. In contrast, the PCI DSS standard affects only companies that process payments.

Each compliance framework contains a unique set of rules. In general, however, the requirements include mandates such as ensuring “reasonable security” for workloads, encrypting sensitive data, and demonstrating that your organization performs regular audits to identify and address potential security issues.

Cloud Compliance and the Shared Responsibility Model

Compliance and governance are a bit more complicated in the cloud than they are on-prem because public cloud providers operate according to a shared responsibility model. Under this model, cloud providers are responsible for managing some aspects of security, such as securing the physical servers that host VM instances and storage buckets. They also usually perform regular audits of their systems, as required by a variety of government and industry compliance standards.

However, the burden of securing most facets of resources that end users deploy in the cloud lies with end users. Cloud providers expect you to make sure that the data you upload to a storage bucket is protected by access controls as mandated by your compliance frameworks, for instance, and that you secure the OS running on a cloud VM instance.

What this means for cloud compliance is that, while cloud providers address some of the requirements of whichever compliance frameworks affect your business, they don’t address all of them. Implementing continuous compliance is part of a CNAPP.

To learn more about exactly what your cloud host does and doesn’t do with regard to compliance, refer to the cloud’s documentation. AWS details its compliance policies here, for instance, and the Azure compliance details are here.

How Cloud Compliance Works

Although the specifics of cloud compliance will depend on the types of workloads you are hosting in the cloud and the compliance rules that your business needs to meet, most cloud compliance workflows can be broken down into a few basic steps.

Assess Compliance Needs

The first step is determining what the compliance requirements actually are with regard to your cloud workloads. Most compliance frameworks describe compliance rules in relatively generic terms. The GDPR requires “reasonable security” to protect sensitive data, for example, but it does not specify the exact tools or settings that businesses need to implement to achieve reasonable security.

That means it’s up to the business to assess compliance requirements and determine how to translate them into specific tools and processes.

Define Compliance Rules

After determining how your business will implement the tools and practices necessary to meet cloud compliance requirements, you should define specific rules that will help you track the enforcement of those requirements.

For example, a cloud compliance rule could state that user data must never be stored in your cloud environment in unencrypted form. Or, you could establish a rule stating that SSH access will be disabled by default for cloud VMs.

Perform Compliance Audits

After defining compliance rules, you should perform audits to check whether the rules are being followed.

You can do this manually, of course, by evaluating your cloud workload configurations and determining whether they align with the rules you have established.

But it’s much more efficient to automate compliance by using auditing tools that automatically scan cloud configuration files, logs, and other data sources to detect compliance violations based on the rules you have established.

Compliance and Governance, Cloud-By-Cloud

Although the process for meeting compliance and governance requirements is more or less the same in any type of cloud environment, it’s helpful to know which tools each of the major cloud providers offers to help achieve compliance requirements.

AWS Compliance

In AWS, the primary tool for helping to enforce compliance is Audit Manager. Audit Manager is an optional service that AWS customers can use to collect information from across their environments and automatically assess whether workload configurations align with specific compliance requirements.

Audit Manager offers preconfigured rules to check compliance with popular frameworks, like GDPR and PCI DSS, but you’ll need to create custom rules in order to enforce less common frameworks or an internal compliance program.

More generally, you can use AWS CloudTrail logs to monitor your environment. But because CloudTrail itself isn’t designed as a compliance solution, or even an advanced security monitoring tool, you’ll typically want to ingest CloudTrail logs into an external auditing tool to use the data to greatest effect.

Azure Compliance

Unlike AWS, Azure doesn’t have a centralized auditing tool, but it does offer a sophisticated logging architecture. By properly configuring and analyzing Azure logs, you can track compliance across your Azure environment.

Here again, you’ll most likely want to use an external auditing tool to get the most value out of Azure logs for compliance purposes. Azure’s native monitoring services, like Azure Monitor, are designed to help manage application performance and availability, not enforce compliance or automate auditing.

Google Cloud Compliance

Google Cloud has an audit logging service that businesses can use to generate audit trails. The audit logs record information about which actions were performed within cloud environments, when they took place, and who issued them.

The major limitation of audit logging in Google Cloud is that it doesn’t audit your workload configurations. It just allows you to track activity. Thus, you’ll need to use external tools if you want to ensure that IAM rules, network configurations, and other parts of your environment are set up in a way that aligns with your compliance requirements.

Cloud compliance and governance can vary widely from one business to another, and from one cloud to another, depending on the compliance frameworks at play and the types of workloads the business runs. However, all cloud compliance strategies should be oriented around automatically and continuously scanning both configuration files and logs to detect violations of whichever compliance policies a business is required to meet. By finding issues quickly, businesses can correct them before they lead to compliance fines and/or security breaches.