Common Issues with Going Global: Part 1

Hyperscale cloud providers are seeking global cyber security authorizations to expand their international presence and increase market share. However, as they work towards global cloud security compliance, they encounter challenges. These include managing the complexity of different requirements, implementing automation to streamline processes, and consolidating various frameworks for a coordinated compliance approach. Below we provide actionable recommendations to tackle some of the common issues that cloud providers face when managing and complying with global laws and regulations.

Everything NOW!

Cloud providers face challenges in deciding which certifications to prioritize when trying to tackle global cloud security compliance. Some may try to obtain as many certifications as possible, which can lead to a loss of focus and an overwhelming workload as they try to “check all the compliance boxes.” On the other hand, going for just the easy, low-hanging fruit first can quickly consume service teams’ time and resources. This can leave little to no motivation to obtain the more expensive ones, such as a FedRAMP authorization.

It’s important for cloud providers to carefully consider which certifications will be most beneficial for their business and to strike a balance between obtaining a broad range of certifications and not spreading themselves too thin.

Not All Global Cloud Security Frameworks are Created Equal

There are many nuances between global frameworks that aren’t always apparent from just reading the requirements as written. You might compare requirements from one framework to another and think that they’re similar and could be met with similar implementations, tooling, evidence, etc. However, you need to dig deeper to make sure you account for all the differences that could result in noncompliance.

As an easy example, almost every framework has some sort of separation of duties requirement. On the surface, most will accept account listings and role-based schemas evidenced via Active Directory, LDAP, etc. However, once you go through FedRAMP, you’ll soon uncover that they also require a Separation of Duties matrix that shows, in a consolidated document, how roles and permissions are adequately separated.
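To make the difference concrete, the following Python script is an added example (not code from the original post, and not a format prescribed by FedRAMP or any other framework). It takes the kind of role-to-permission and user-to-role data you would export from a directory service and produces the consolidated view an assessor asks for: a role/permission matrix, plus a check for users whose combined roles, or single roles that by themselves, bundle duties the organization has declared conflicting. All role, user, and permission names and the conflict pairs are constructed for the example.

```python
"""Build a consolidated separation-of-duties (SoD) matrix and flag conflicts.

Added example: the role, user and permission data below are constructed
sample inputs, and the conflict-pair policy is an assumed one. A real run
would load these from a directory export and the organization's SoD policy.
"""

# Constructed sample: role -> set of permissions granted by that role.
ROLE_PERMISSIONS = {
    "developer": {"commit_code", "request_change"},
    "change_approver": {"approve_change"},
    "release_engineer": {"deploy_code"},
    "ops_lead": {"deploy_code", "approve_change"},  # this role alone bundles conflicting duties
}

# Constructed sample: user -> list of assigned roles.
USER_ROLES = {
    "alice": ["developer"],
    "bob": ["change_approver"],
    "carol": ["developer", "change_approver"],
    "dave": ["release_engineer"],
    "erin": ["developer", "release_engineer"],
    "frank": ["ops_lead"],
}

# Assumed SoD policy: pairs of duties that one identity must never hold together.
CONFLICTING_DUTIES = [
    ("request_change", "approve_change"),
    ("deploy_code", "approve_change"),
    ("commit_code", "deploy_code"),
]


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions of every role assigned to the user."""
    perms = set()
    for role in user_roles.get(user, []):
        perms |= role_permissions.get(role, set())
    return perms


def conflicts_in(perms):
    """Return the sorted list of conflicting duty pairs present in a permission set."""
    found = []
    for a, b in CONFLICTING_DUTIES:
        if a in perms and b in perms:
            found.append(tuple(sorted((a, b))))
    return sorted(found)


def toxic_roles(role_permissions=ROLE_PERMISSIONS):
    """Roles that violate SoD on their own, regardless of who holds them."""
    return sorted(role for role, perms in role_permissions.items() if conflicts_in(perms))


def find_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """(user, duty_a, duty_b) for every conflicting pair a user effectively holds."""
    violations = []
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_permissions)
        for a, b in conflicts_in(perms):
            violations.append((user, a, b))
    return sorted(violations)


def render_matrix(role_permissions=ROLE_PERMISSIONS):
    """Plain-text role x permission matrix: 'X' where the role grants the permission."""
    perms = sorted(set().union(*role_permissions.values()))
    width = max(len(role) for role in role_permissions)
    lines = [" " * width + " | " + " | ".join(perms)]
    for role in sorted(role_permissions):
        cells = [("X" if p in role_permissions[role] else "-").center(len(p)) for p in perms]
        lines.append(role.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix())
    print("\nRoles that are conflicting by construction:", toxic_roles())
    print("User-level SoD violations:")
    for user, a, b in find_violations():
        print(f"  {user}: holds both '{a}' and '{b}'")
```

The matrix answers the "show me the consolidated document" question; the two checks answer the question an assessor asks next, which is whether any identity actually crosses the lines the matrix draws. Keeping the conflict pairs as data rather than hard-coding them lets the same script serve frameworks that define different incompatible duties.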

Additionally, other factors such as boundaries, environments, regions, in-scope and out-of-scope services, tooling, evidence, dependencies, and audit approach and rigor (strict vs. lenient) can also differ between frameworks. It’s essential to thoroughly research and understand these nuances to successfully comply with all the requirements.

Analysis Paralysis

It’s important to carefully balance the time and resources spent on analyzing different frameworks and preparing for authorization. While some upfront work can be beneficial in terms of prioritization, you shouldn’t spend too much time on high-level tasks that could be better spent on the actual authorization process, such as solutioning, implementing, and prepping for the assessment. This will allow you to move forward with the initial certification and start continuous monitoring sooner.

Some cloud service providers may attempt to consolidate and integrate various industry and global compliance frameworks into a single cohesive view. In doing so, it may be relatively easy to align everything to NIST standards. However, there are some challenges that should be considered.

For example, not every global requirement will align nicely with a requirement pulled from the NIST SP 800-53 control catalog. You can customize parameters, add supplemental information, and create custom controls, but then you’ve created a mix of standard (i.e., NIST) and unique requirements that can be difficult to maintain, especially as NIST releases new revisions. Conversely, by limiting yourself to the NIST SP 800-53 control catalog, you won’t have the flexibility and agility that a custom framework provides.

Overall, it’s important to carefully consider the key distinctions between frameworks and not get boxed in by a consolidated approach.

Automating Global Cloud Security Compliance

Automating compliance processes, such as collecting evidence and delivering service guidance, sounds great in theory. But in practice it can pose several potential issues. Off-the-shelf automation tools may not always fit the specific needs and requirements of an organization, requiring customization that can be time-consuming and costly. Integrating tools with an organization’s existing systems and processes may not always be straightforward either, resulting in the need for additional time and resources to get them up and running.

Relying too heavily on automation can create a dependency on tools, leading to issues if they fail or need to be updated. Finally, automation can lead to a loss of control over compliance processes, potentially resulting in a lack of understanding or visibility into how compliance is being managed.

Although automating compliance processes can be a helpful way to work more efficiently and avoid burnout, inefficiency, and suboptimal results, it’s important to carefully evaluate the pros and cons of automation and to choose and implement tools that will be most effective for an organization’s needs.

Patchwork Policy

There are many challenges involved in updating policies to meet a wide range of global frameworks and their requirements. Some of these challenges may include clearly defining the scope of policies and procedures and anticipating all of the situations in which they might apply. For example, it can be difficult to identify all of the services and departments that the policies apply to in advance, especially if the organization is large or complex. Anticipating all of the relevant exclusions can also be hard, as they may vary depending on the specific framework.

Another challenge is that it can be time-consuming to review and update policies as the organization or framework changes. This may require ongoing effort to ensure that the policies are up to date and accurate. Putting the updated policies and procedures into practice can require significant effort and coordination across different departments and regions.

What’s Next?

Ensuring that data privacy and security measures are in place and compliant with global laws and regulations is a key challenge for cloud providers when expanding their operations globally. This includes ensuring that data is stored, processed, and transmitted in accordance with relevant laws and regulations, as well as implementing appropriate security measures to protect against data breaches and other security threats. Managing global compliance authorizations can be complex for cloud providers, and a number of issues may arise.

In the second part of this blog series, “Part 2: Guidance for Going Global,” we will offer some strategies for overcoming these challenges. Or you can contact 38North to learn more.