As the popularity of cloud computing has increased over the last decade, so has the maturity of standards used to govern these resources.
According to 451 Research, 90 percent of companies are using some form of the cloud.
Yet, with evolving cybersecurity threats and a changing legal landscape surrounding the confidentiality, availability, and integrity of sensitive data, many businesses are left wondering whether the cloud is the best option.
In this article we will provide a definition of cloud computing and cloud computing audits, the objectives of cloud compliance, and audit steps to expect.
Why Companies are Choosing Cloud Computing
According to the National Institute of Standards and Technology (NIST), in Special Publication 800-145, “cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
One of the many benefits of cloud technology is the security the provider builds into the platform. In fact, Gartner predicts that through 2025, 99 percent of cloud security failures will be the customer’s fault, that is, misconfiguration and other human error rather than weaknesses in the provider’s infrastructure. Thankfully, well-chosen cloud security controls can help reduce the risk of that human error.
Public and Private Cloud Security
Currently the average business runs 38 percent of workloads in public and 41 percent in private cloud, reports RightScale’s 2019 State of the Cloud Report.
Cloud computing has enabled companies to more effectively deliver services, while reducing or eliminating costly hardware, software, and infrastructure, thus allowing businesses to concentrate on their core services.
The scalability and flexibility of cloud computing have led to multiple types of cloud deployment models. Public clouds are accessible over the Internet and may be structured as free or pay-for-use services. Public clouds, as the name suggests, are multi-tenant environments in which physical servers are virtualized, partitioned, and shared among a number of tenants.
Conversely, private clouds, which utilize dedicated IT resources, have increasingly become favored for their ability to address multiple security and compliance-related concerns.
Private clouds, which may be managed by a customer’s internal IT staff and housed within their own facility or built and deployed by a third-party provider, such as LightEdge, are designed for a single company’s needs and use. No matter which type of cloud computing you select, here are common security concerns organizations have voiced:
- How secure is communication over the network?
- Is any portion of the network untrusted, i.e. beyond your administrative control?
- Is the path to your cloud host via a public or a private connection?
- What other parties are sharing your IT environment?
- How scalable is the service provided by your cloud?
- Is your service fast, flexible, and capable of responding to sudden changes in data and applications?
- Are you renting space in the cloud from the owners of the infrastructure or from a tenant reselling portions of a cloud?
- What is the chance your information will be exposed by a cross-tenant attack (sometimes loosely called hyperjacking), where an attacker first breaches one virtual environment on a physical server and then uses that foothold to break the hypervisor’s isolation and attack another virtual environment on the same server?
Ensure that your cloud provider is able to answer each of the questions above.
While security and compliance tend to go hand in hand, they are separate categories that each provide different challenges for cloud users. Maintaining compliance with regulations like HIPAA, HITECH, and many others is both expensive and time consuming.
LightEdge, as a private cloud provider, builds security and redundancy into every detail of our data center facilities and service offerings. LightEdge is one of an elite few to be both ISO 20000-1 and ISO 27001 certified. Our facilities and services have been audited against SOC, HIPAA, HITRUST, and PCI DSS by Schellman.
These certifications and compliance standards only scratch the surface of LightEdge’s compliance and security know-how. If you’re seeking guidance around NIST, FedRAMP, CJIS, or NERC-CIP (to name a few others), we would be happy to provide best practice assistance. In fact, our Chief Security Officer, Michael Hannan, also offers LightEdge clients free security & compliance consulting services to assist with audit readiness and organizational safeguards.
When it comes to the public cloud, compliance is still a major responsibility for the customer. Under the shared responsibility model, the provider’s certifications cover the underlying infrastructure, while the customer remains accountable for how its own data, identities, and configurations are secured on top of it. It is important to understand who is responsible for what before signing an agreement with a cloud provider.
The best fit is a cloud service provider that holds both broad compliance certifications and the industry-specific attestations that apply to your own regulatory obligations.
Another often overlooked compliance-related risk is the audit process itself. Regulated organizations should find out how familiar the cloud provider is with the audit process, what evidence it can supply, and how accommodating it will be if your organization is audited.
According to (ISC)²’s 2019 Cloud Security Report, more than one in four organizations (28 percent) confirmed they experienced a cloud security incident in the past 12 months.
Most organizations are at least moderately confident in their cloud security posture (84 percent), which may reflect a level of overconfidence not supported by the incident rate and challenges reported in the same survey.
Cloud Computing Audits
In general, an audit is when a third-party, independent group is engaged to obtain evidence through inquiry, physical inspection, observation, confirmation, analytical procedures, and/or re-performance.
In a cloud computing audit, a variation of these steps is completed in order to form an opinion on the design and operating effectiveness of controls identified in the following areas:
- Physical security
- Security incidents
- Network security
- System development or change management
- Risk management
- Data management
- Vulnerability and remediation management
- Tone at the top, or leadership’s commitment to transparency and ethical behavior
Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information.
For security auditing, a cloud auditor assesses the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to the security requirements for the system.
Security auditing should also include verification of compliance with applicable regulations and the organization’s own security policy.
Create an Internal Auditing Process
Get in the practice of performing regular risk assessments to evaluate the likelihood of a breach and apply corrective measures when necessary. Test your policies and procedures. Require your business associates to follow a similar protocol.
Documentation and employee training are a great start, but it is important to put this knowledge to the test. Do a walk-through and look for things like private customer information visible on desks or computer screens. Make sure your password policy enforces adequate length and that employees actually follow it; if your policy requires rotation at least every 90 days, verify that too, keeping in mind that NIST SP 800-63B now advises against forced periodic changes unless compromise is suspected and favors length, screening against known-breached passwords, and multi-factor authentication instead. Electronic data is a common source of data breaches, but employees and physical paperwork can be too. Be sure to diligently audit both.
Document the results of your internal audits and changes that need to be made to your policies and procedures. Develop and execute a plan to review and update your policies and procedures based on your internal audit results.
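As an added example, not code from the article or from LightEdge, here is one way to turn the password-length and 90-day-rotation check above, together with the “verification of compliance with security policy” described under Cloud Computing Audits, into a repeatable internal test that records its findings as audit evidence. It checks the configured policy against the written standard (design) and then checks live account records against that policy (operating effectiveness). The policy values, account records, and dates are constructed for illustration; the 12-character minimum and the MFA requirement are assumptions, not figures from the article.

```python
"""Added example (not from the article): a small internal-audit check that
turns a written password policy into a repeatable test and records the
results as audit findings.  All policy values, accounts and dates below are
constructed for illustration."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta

# Thresholds the audit tests against.  The 90-day age limit is the figure the
# article uses; the 12-character minimum and MFA requirement are assumptions.
# Note: NIST SP 800-63B advises against forced periodic rotation unless
# compromise is suspected, so treat MAX_PASSWORD_AGE_DAYS as an organisational
# policy choice rather than a best practice.
REQUIRED_MIN_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 90
REQUIRE_MFA = True


@dataclass
class Account:
    username: str
    last_password_change: date
    mfa_enabled: bool


@dataclass(frozen=True)
class Finding:
    control: str   # control area the exception relates to
    subject: str   # account or setting that failed the test
    detail: str


def audit_password_policy(policy: dict) -> list[Finding]:
    """Design check: does the configured directory policy meet the written standard?"""
    findings: list[Finding] = []
    min_length = policy.get("min_length", 0)
    if min_length < REQUIRED_MIN_LENGTH:
        findings.append(Finding("password-policy", "min_length",
                                f"configured {min_length}, required {REQUIRED_MIN_LENGTH}"))
    max_age = policy.get("max_age_days")  # None means passwords never expire
    if max_age is None or max_age > MAX_PASSWORD_AGE_DAYS:
        findings.append(Finding("password-policy", "max_age_days",
                                f"configured {max_age}, limit {MAX_PASSWORD_AGE_DAYS}"))
    return findings


def audit_accounts(accounts: list[Account], as_of: date) -> list[Finding]:
    """Operating-effectiveness check: is the policy actually applied to accounts?"""
    findings: list[Finding] = []
    for acct in accounts:
        age_days = (as_of - acct.last_password_change).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding("password-age", acct.username,
                                    f"password is {age_days} days old, limit {MAX_PASSWORD_AGE_DAYS}"))
        if REQUIRE_MFA and not acct.mfa_enabled:
            findings.append(Finding("mfa", acct.username,
                                    "multi-factor authentication not enabled"))
    return findings


def audit_report(policy: dict, accounts: list[Account], as_of: date) -> dict:
    """Document the test: date, population, exceptions and an overall result,
    so the output can be filed as evidence and tracked to remediation."""
    findings = audit_password_policy(policy) + audit_accounts(accounts, as_of)
    return {
        "as_of": as_of.isoformat(),
        "population": len(accounts),
        "exceptions": len(findings),
        "result": "pass" if not findings else "exceptions noted",
        "findings": [asdict(f) for f in findings],
    }


# Constructed sample input: one weak policy setting, one stale password,
# one account without MFA.
AS_OF = date(2024, 6, 30)
SAMPLE_POLICY = {"min_length": 8, "max_age_days": 90, "history": 5}
SAMPLE_ACCOUNTS = [
    Account("alice", AS_OF - timedelta(days=30), mfa_enabled=True),
    Account("bob", AS_OF - timedelta(days=120), mfa_enabled=True),
    Account("carol", AS_OF - timedelta(days=45), mfa_enabled=False),
]

if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_POLICY, SAMPLE_ACCOUNTS, AS_OF), indent=2))
```

Run against real data, the account list would come from your directory or identity provider export and the policy dictionary from its configuration; the report structure stays the same, which is what makes the check repeatable from one internal audit to the next.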
LightEdge Can Guide You Through Cloud Audits and Compliance
Compliance not only protects businesses from excessive regulatory fines, it also protects a company’s reputation and minimizes the risk of harm to your customers. Cloud computing offers technical agility and gives organizations a competitive edge in a rapidly advancing world.
However, not all cloud computing service providers offer the same level of support, data security, and compliance expertise. Use our tips to understand how compliance certifications govern cloud service providers and business associates, and to find a proven compliance-friendly provider that meets your usability requirements and compliance needs.
LightEdge has secure and compliant data center locations at our Des Moines, Kansas City, Omaha, Austin, and Raleigh data center facilities. With LightEdge, you can achieve auditable compliance. With a proven background working with regulated industries, our data center and hosting solutions provide you with confidence you need to meet compliance requirements.
LightEdge offers a free risk assessment from our Chief Security and Compliance Officer to all of our clients. Compliance and security are top priorities in keeping your data protected. Get a fresh perspective on how well you meet security best practices and gain visibility into vulnerabilities that need remediation. LightEdge is compliant with:
- ISO 27001
- ISO 20000-1
- SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3
- PCI DSS
If you are interested in getting a risk-free assessment from our healthcare compliance experts, a tour of any of our compliant data centers, or to learn more about LightEdge’s compliance offerings, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.
To learn more about security and compliance in the cloud, download our free guide to assessing your move to the cloud. In this guide, we’ll help you assess your move to the cloud, provide some key definitions, and offer suggestions that will help you know where to start, and what it makes sense to focus on right out of the gate.