Maintaining compliance in the cloud should be easy.
Every industry that manages sensitive data has some form of requirement around how that data is held. SOC 1, SOC 2, HIPAA, or PCI — a regulatory agency, governing body, or compliance board writes the rules. Information Security practitioners and auditors check for compliance to make sure people’s data is protected.
This is a good thing. It’s the reason people tell doctors sensitive information and share credit card numbers across websites. Any business in a regulated industry needs to see these compliance mandates succeed. If a peer loses user data, people will think twice next time they’re asked to provide personal, important data.
This is why companies are willing to go to such extraordinary lengths to comply with these and many other regulations and compliance mandates. In the data center days, a Qualified Security Assessor (QSA) could spend days walking between racks of servers and running through hundreds of controls and evidentiary tasks to ensure that PCI standards are being followed. It was worth it to earn the consumer confidence and it was needed to keep doing business. It did keep data safer.
Then, workloads started to move to the cloud, and data followed. All of a sudden, a QSA can’t just visit the physical servers and see that locks are on the cabinets. The data isn’t stored anywhere; it’s just … out there. Traditional compliance requirements started to become obscured.
Cloud compliance standards were written for on-site servers
Many cloud compliance rules and regulations were drafted when data lived primarily in on-premises servers. It’s a familiar story. Technology races ahead, and government or industry regulators fail to keep up.
It’s hard to explain to someone who just needs to check the boxes that the data doesn’t “live” anywhere. But it’s the reality of sophisticated systems today, and environments are only going to become more complex in the future. In a serverless cloud, where do you go to make sure the proper defenses are set up? We know that a serverless cloud can be an exceptionally safe environment to store data, but because it’s not storing anything, how do you prove it?
In our PCI example, some QSAs get this; a few are even glad to see their checklist rapidly dwindle to the handful of boxes that still apply. Others keep demanding proof of something that doesn’t exist: if it cannot be checked, it cannot comply.
It’s kind of like asking passengers to wear a helmet on an airplane. Yes, it’s a great rule. Helmets will protect your head in a bike crash. It just doesn’t apply in this scenario.
Taking data security off servers and into the nebulous world of cloud
When confidential information is sitting somewhere in an on-prem data center, you want to make sure absolutely everything is being done to keep it secure. We run data centers and our people think all day about how to make them compliant across a wide range of regulations.
The same is true for the cloud. Security is the primary concern. But it’s not as easy as making sure no one walks off with a database. The security benefit of cloud computing is that your data does not sit in a physically accessible server, where it can be found and hacked. In a fully serverless environment, your infrastructure and applications don’t sit anywhere. It’s called Infrastructure as Code for a reason. You write code, code builds the infrastructure when it’s needed, and when it’s done, there’s nothing there.
Cloud compliance isn’t about regulating a constant state. It’s about assessing the underlying logic that allows data to exist and disappear.
At Deft, we illustrated just how far this could go by simplifying PCI compliance for FreshBooks. In the past, it took three people to maintain the company’s PCI-compliant on-prem environment, and hours and hours for the QSA to make it through an audit. By turning those manual processes into code that happens automatically, we made the data safer — and allowed those engineers to do something more interesting with their days.
It also fundamentally changed how the audit worked. Most of the many items on the PCI compliance checklist were no longer relevant. We knew the data was secure — and the QSA was sure of that too and certified the approach — but there still isn’t a clear standard to follow. We hope that the widespread use of serverless cloud storage will eventually cause regulatory and compliance bodies to update their guidelines and standardize cloud concepts to achieve compliance.
Compliance in the cloud covers the necessary best practices
The cloud has changed everything, but the regulations and compliance requirements have yet to follow. Cloud gives you access to top-level security tools, AI, machine learning, all on a pay-as-you-go model. The things you can do in the cloud would never be feasible with on-prem or in a data center or colocation environment. The average company doesn’t need a team of highly trained infosec specialists to find and treat vulnerabilities. That level of protection can be delivered with intelligent orchestration and a few off-the-shelf solutions.
If regulators and the organizations that write compliance standards continue to ignore the great potential cloud infrastructure offers, data security will only suffer. It’s far past time to rethink the compliance requirements in every industry. SOC 1, SOC 2, HIPAA, PCI, etc., all need to be updated to work in a cloud world or risk becoming obsolete. Because there’s one thing we know for sure: the appeal of moving compliance-mandated workloads to the cloud is only going to grow.