Demystifying Public Cloud Compliance

The word compliance strikes fear into many readers. Are we in compliance? Can we prove it? Are we trying to be compliant with the right regulations? What happens if we fall out of compliance? Can we afford to invest in compliance? Can we afford not to?

Public cloud compliance doesn’t have to be a scary thing. It’s really about safety in numbers. Compliance is just a set of best practices developed by the many organisations and experts over the years. They made the mistakes so you don’t have to.

Sure, many regulations pre-date cloud computing, but they still apply. Adopting the cloud doesn’t have to make compliance harder and, in many ways, it makes compliance easier. Your cloud provider, be it Amazon Web Services, Microsoft Azure, or Google Cloud, is responsible for the compliance of their part of the equation. That means they address physical security, data centre access, networking infrastructure, and at least for managed instances, operating systems and patches.

As a cloud user, you are responsible for less, but still a significant amount. This is called the Shared Responsibility Model, where the provider is responsible for security OF the cloud and the customer is responsible for security IN the cloud.  

The good news is that, when it comes to compliance, the cloud vendors are all rock solid.

The public cloud shared responsibility model.

There are dozens of security standards and regulations that address compliance, and some overlap but others are focused on unique requirements. For example, PCI-DSS (Payment Card Industry Data Security Standard) is focused on credit card and financial data.

So how do you choose the compliance standard that you should follow in the public cloud? Some are obvious. For example, you’re an e-commerce retailer, you need to follow PCI-DSS.

The point is, you don’t want to be surprised, especially if there is a security breach, that your public cloud environment is not in compliance with the right standard or standards. You also want to be able to prove that you were indeed compliant with a standard, on a specific date, should you ever get audited. This could mitigate against serious fines.

Fortunately, there is a cloud compliance tool, called CloudCheckr Total Compliance, that not only scores your cloud infrastructure according to the big compliance standards out there, but also several that are specific to countries, states, and industries.

You can pick your favourites and see a plot over time, showing your progress towards 100% compliance with the standards that matter to you. Any misconfigurations are highlighted, along with remediation steps. A good number of CloudCheckr’s 600+ Best Practice Checks support Self-Healing Automation for one-click or even zero-click correction.