The Role Inheritance Plays in Cloud Compliance

Law Floyd
April 27, 2020

Compliance is a daunting subject. The governing body an organization answers to can require a large number of security controls that must be not only implemented but also monitored, maintained, and documented. That alone can be a major undertaking for an entire IT group, pulling time and focus away from other projects and endeavors.

NIST SP 800-171 is a good example, with the large number of security controls it requires to be in place. Not only must you implement, maintain, monitor, and document the controls you use; many controls also require you to interpret how they apply to your environment and to work out how each requirement can be met. So how can the overhead and burden of meeting these controls be reduced? By moving to the cloud.

Why would moving to the cloud make our compliance situation better?

Wouldn’t moving to the cloud make compliance more complicated, and make it harder to work out how to implement the required controls?

These questions are common when an organization subject to a regulatory regime such as HIPAA, GDPR, or the Department of Defense’s requirements is considering a move to the cloud. Moving to the cloud may make interpreting controls a slightly longer process, but it will not make it more complicated. In fact, one feature of cloud computing can make compliance considerably simpler and faster: inheritance.

Inheritance, in the world of compliance, is what happens when you inherit a control or control set from another entity: the other entity implements and operates the control, and you rely on its implementation (and its evidence of that implementation) rather than building your own. In cloud computing you often inherit a large number of controls from the cloud service provider (CSP). Controls typically inherited from the CSP include:

Physical Controls

The first line of defense in almost every control set is physical controls. Adhering to physical security controls means you will have answers to questions like:

  • What physical security is being provided to protect the data?
  • Is there a fence?
  • How about a guard and 24-hour patrols?
  • How much of the organization’s campus is covered by camera monitoring, and how long are recordings retained before they are deleted to free up storage space?

That is a very short list out of the many physical controls organizations maintain to protect their data and other assets. It matters when considering a cloud-based solution because the physical controls for the facilities holding your data are all inherited from the CSP. (Physical security of your own offices, endpoints, and any on-premises systems that connect to the cloud remains your responsibility.)

Environmental Controls

Another set of controls that is often overlooked is environmental controls. What good is a system with excellent physical security and strong network security if it is constantly offline because it overheats for lack of the required environmental controls? These controls are also maintained by the CSP and inherited from it. There is no need to worry about proper ventilation, expensive air conditioning units, generators, or other backup power sources. All of this comes off the organization’s to-do list and becomes the responsibility of the CSP.

Physical and environmental controls are not the only controls an organization inherits from the CSP. Other common controls CSPs meet are:

  • Proper disposal of hard drives and other data storage devices
  • Maintenance of hardware such as servers and switches
  • Maintenance of transmission media such as CAT 6 and fiber
  • Training and background checks for data center employees

The Shared Responsibility Model of Cloud Security

Knowing all of this often raises another question: how do I know exactly what my organization is responsible for and what the CSP is responsible for? There are two main ways this is made available to a customer. The first is the Shared Responsibility Model, a term used by both Amazon Web Services (AWS) and Microsoft Azure; Google Cloud Platform refers to its equivalent as the Google Security Model.

The Shared Responsibility Model diagrams published by AWS and by Azure show exactly what the CSP is responsible for and what the customer is responsible for. In these models the physical and environmental infrastructure is completely controlled by the cloud host, which means all controls surrounding it are inherited from the host’s implementation of those controls.

Notice that in these models more than just the physical and environmental controls are inherited. Why is that? The number of controls an organization inherits depends on the type of service it uses from the CSP: infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS).

IaaS provides the fewest inherited controls, since a large share of the security controls remain the responsibility of the organization rather than the CSP: the provider runs the hardware, virtualization, and network infrastructure, while the customer owns the guest operating system and its patching, the applications, and everything above them. SaaS provides the most inherited controls, because not only the hardware but also the application, the operating system it runs on, and much of the identity and access management are maintained by the provider. PaaS sits in the middle, with the operating system the responsibility of the CSP and the applications a shared responsibility between provider and customer. In every model, though, some responsibilities never transfer: the customer remains accountable for its data, its user accounts and access decisions, and the secure configuration of whatever the service exposes to it.

If it still isn’t clear which controls your organization is responsible for, look to the CSP’s own control mapping. Each of the CSP’s individual controls is typically already mapped to the relevant framework and available to the customer on request (for example through the provider’s compliance portal or, for FedRAMP-authorized services, a customer responsibility matrix), provided the CSP maintains compliance with the customer’s required regulatory body. Two checks are worth making before you claim an inherited control: that the specific service and region you use falls within the scope of the CSP’s attestation or authorization, and that you keep a copy of the CSP’s evidence (audit report, authorization letter, or responsibility matrix) so you can show an assessor why the control is satisfied. Inheriting a control removes the work of operating it, not the work of documenting it.

Inheritance is an extremely important subject in the world of cloud compliance. The benefits of inheriting what can be hundreds of controls are an enormous advantage for any compliance-bound organization. If you are interested in finding out more about controls, check out the excellent blog post titled “Control Mapping: A Powerful Ally in the Fight Against Audit Fatigue” by Rick Tracy, CSO at Telos Corporation.

Law Floyd
Director of Cloud Services
Law Floyd joined Telos in 2010, and currently serves as the director of cloud services.