The latest updates to these industry standards help cloud-based companies demonstrate compliance and show that they follow best practices.
The way we work is changing: organizations are moving their data to the cloud, and remote, hybrid and work-from-home arrangements are becoming the norm. At the same time, cyberattacks are on the rise. As attacks become both more frequent and more sophisticated, cloud data security standards give security teams a benchmark for checking that their data is protected and their companies are compliant. Brush up on the latest developments and you will be ahead of the curve for the coming year.
Cloud Data Security Standards
Whether you are processing customer information or just protecting your own internal resources, preventing and mitigating threats should be a top priority for any cloud-based company. Even the most experienced security teams rely on standardized measures to prove that they comply with regulations and follow industry best practices. The eight cloud data security standards below are widely accepted ways of showing customers, auditors and regulators that your products and data stores are compliant and as secure as practicable.
#1: GDPR
The European Union's General Data Protection Regulation (GDPR) is one of the best known and strictest data privacy laws in the world. It applies to organizations established in the EU and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. One reason GDPR is so widely discussed and followed is that the penalties for non-compliance are severe: up to €20 million or four percent of annual worldwide turnover, whichever is higher. The text of the regulation itself has not been amended since it took effect in May 2018; what has changed recently is how it is interpreted and enforced. Notable developments to know about include:
- Joint controllers: Article 26 already defines joint controllers as two or more controllers that jointly determine the purposes and means of processing. Because joint-controller arrangements are increasingly common, the European Data Protection Board's Guidelines 07/2020 on the concepts of controller and processor (final version adopted in July 2021) spell out when that applies and how responsibilities must be allocated between the parties.
- Privacy Shield: Companies once relied on the EU-US Privacy Shield to move personal data to the United States. The Court of Justice of the EU invalidated it in the Schrems II judgment (July 2020), so transfers to the US now need another mechanism, typically the standard contractual clauses (updated in June 2021) together with an assessment of whether the data will be adequately protected at the destination.
- Cookie consent: GDPR's consent standard, applied to cookies through the ePrivacy rules, requires freely given, specific, informed and unambiguous consent before non-essential cookies are stored on a user's device. The CJEU's Planet49 ruling (2019) and the EDPB's 2020 guidelines on consent make clear that pre-ticked boxes, scrolling, or simply continuing to browse do not count; only strictly necessary cookies are exempt.
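The cookie-consent point above, as an added example that is not from the original page or Symmetry Systems' own code: a small consent gate in JavaScript that refuses to set any non-essential cookie until the visitor has made an explicit choice, treats an absent or malformed consent record as "no consent", and removes a category's cookies when consent is withdrawn. The cookie names, the two consent categories and the Map-based jar that stands in for document.cookie are assumptions made for the example.

```javascript
// Added example (not from the original page): gate non-essential cookies behind
// explicit, recorded consent. The Map-based "jar" stands in for document.cookie
// so the logic runs under Node without a browser; in a real page you would read
// and write document.cookie instead. Cookie and category names are assumptions.
const CONSENT_COOKIE = "cookie_consent";
// Strictly necessary cookies need no consent under the ePrivacy rules.
const ESSENTIAL = new Set(["session_id", "csrf_token", CONSENT_COOKIE]);
const CATEGORIES = ["analytics", "marketing"];

// Returns the recorded choice, or null if the visitor has not decided yet.
// A missing record is NOT treated as consent: merely visiting is not enough.
function getConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null;
  try {
    const parsed = JSON.parse(raw);
    // Every category must be an explicit boolean; a partial record is not valid consent.
    if (!CATEGORIES.every((c) => typeof parsed[c] === "boolean")) return null;
    return parsed;
  } catch (_err) {
    return null;
  }
}

// Call only from the banner's Accept/Reject buttons, never on page load.
// Every category must be an explicit true/false; there is no pre-ticked default.
function recordConsent(jar, choice) {
  for (const c of CATEGORIES) {
    if (typeof choice[c] !== "boolean") {
      throw new Error(`consent for "${c}" must be explicitly true or false`);
    }
  }
  const record = Object.fromEntries(CATEGORIES.map((c) => [c, choice[c]]));
  jar.set(CONSENT_COOKIE, JSON.stringify(record));
  return record;
}

// Sets a cookie only if it is essential or its category has recorded consent.
// Returns true when the cookie was set, false when it was refused.
function setCookie(jar, name, value, category) {
  if (ESSENTIAL.has(name)) {
    jar.set(name, value);
    return true;
  }
  if (!CATEGORIES.includes(category)) {
    throw new Error(`unknown cookie category "${category}"`);
  }
  const consent = getConsent(jar);
  if (!consent || !consent[category]) return false;
  jar.set(name, value);
  return true;
}

// Withdrawing consent must be as easy as giving it: mark the category refused
// and drop the cookies that were set under it.
function withdrawConsent(jar, category, cookiesInCategory) {
  const current =
    getConsent(jar) || Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  current[category] = false;
  jar.set(CONSENT_COOKIE, JSON.stringify(current));
  for (const name of cookiesInCategory) jar.delete(name);
  return current;
}

// Walk-through for a fresh visitor; returns the outcome of each step.
function demo() {
  const jar = new Map();
  const results = [];
  results.push(setCookie(jar, "session_id", "abc123", "essential")); // true: essential
  results.push(setCookie(jar, "_ga", "GA1.2.1", "analytics"));       // false: no choice yet
  recordConsent(jar, { analytics: true, marketing: false });
  results.push(setCookie(jar, "_ga", "GA1.2.1", "analytics"));       // true: consented
  results.push(setCookie(jar, "_fbp", "fb.1.1", "marketing"));       // false: refused
  withdrawConsent(jar, "analytics", ["_ga"]);
  results.push(jar.has("_ga"));                                      // false: removed
  return results;
}
```

The design choice worth noting is that getConsent returns null, not "allowed", for anything other than a complete, well-formed record: a visitor who has not interacted with the banner, a truncated cookie, or a record missing a category all result in non-essential cookies being refused.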
#2: PCI DSS
Any organization that stores, processes or transmits cardholder data must adhere to the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council. The current version is 3.2.1, released in May 2018. At the time of writing, the Council has announced that the long-anticipated PCI DSS 4.0 is slated for publication in March 2022, following several rounds of community comment and review.
#3: HIPAA
In the United States, the healthcare industry is regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Privacy and Security Rules issued under it. Since the law was passed in 1996 it has been amended and supplemented repeatedly, most significantly by the HITECH Act of 2009 and the 2013 Omnibus Rule. In 2020 and 2021, most of the proposed changes responded to the COVID-19 pandemic and the CARES Act. No legislative change has taken effect yet, but the HHS Office for Civil Rights announced temporary enforcement discretion, for example for good-faith telehealth over everyday video platforms, in the interest of public safety during the pandemic.
#4: ACSC Essential Eight
The Australian Cyber Security Centre (ACSC) Essential Eight Maturity Model is a prioritized set of the eight mitigation strategies the ACSC considers most effective at preventing and limiting cyber intrusions: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups. The model was first published in June 2017 and has been revised several times since. The July 2021 update recommends implementing all eight strategies as a package ("due to their complementary nature") and reaching the same maturity level across all eight before raising the level of any one of them. It also places more emphasis on risk management for organizations still running legacy systems.
#5: ISO/IEC 27000 family
The International Organization for Standardization (ISO) is an independent body whose 165 national standards bodies jointly develop international standards across many fields. Together with the IEC it publishes the ISO/IEC 27000 family, which covers information security management systems (ISMS). The members of the family that cloud security professionals should know are:
- ISO/IEC 27001: The certifiable ISMS requirements. An audit by an accredited certification body against this standard is what "ISO 27001 certified" means; ISO itself does not certify anyone.
- ISO/IEC 27017: A code of practice for information security controls for cloud services, with guidance for both cloud providers and cloud customers.
- ISO/IEC 27018: A code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors. Providers such as Amazon Web Services and Microsoft Azure are certified against it, and companies building on those platforms rely on that certification for their own compliance story.
#6: SOC 2
A SOC 2 (Service Organization Control 2) report, defined by the AICPA, is a widely recognized attestation of a service organization's controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. The audit gives cloud-based companies a benchmark they can show customers, partners, vendors and investors. The most recent revision, effective in 2018, introduced the 2017 Trust Services Criteria and new description criteria and aligned the report with the Clarified Attestation Standards (SSAE 18).
#7: NIST SP 800-53
The United States National Institute of Standards and Technology (NIST) publishes security guidance that underpins overlapping federal regulations, including HIPAA and the Federal Information Security Modernization Act (FISMA). Of particular interest to cloud security teams is SP 800-53, Security and Privacy Controls for Information Systems and Organizations, whose Revision 5 was released in September 2020 and last updated in December 2020. It comes with regularly updated supplemental materials, including mappings that show how its controls line up with other widely used standards and frameworks.
#8: CIS Controls and Benchmarks
The Center for Internet Security (CIS) maintains consensus-developed, freely available guidelines that organizations use to demonstrate their systems are securely configured. CIS also publishes Benchmarks for specific platforms, such as the CIS Amazon Web Services Foundations Benchmark for AWS accounts and the workloads built on them. The most recent release of the CIS Critical Security Controls is version 8 (May 2021), which groups controls by activity rather than by who manages each device. Version 8 reduced the number of controls from 20 to 18 and consolidated 171 sub-controls into 153 safeguards.
Cloud data security standards give companies a benchmark for measuring their overall security posture and their individual data protection practices. Keeping up with them is part of every cloud security professional's job, but you do not have to do it alone. Symmetry Systems helps cloud security teams protect their data by tightening IAM policies through an evidence-based approach. Interested in how Symmetry DataGuard helps cloud-based companies get and stay compliant? Contact us today to learn more.