Incidents of cloud systems having their data stolen, held hostage, leaked, or destroyed are accelerating. Data breaches in 2019 include:
- Quest Diagnostics: medical, financial, and personal information for 11.9 million subscribers
- Capital One: credit card information for 100 million subscribers
- Zynga: Personal information and Facebook IDs for 218 million subscribers
In addition to these large incidents, smaller incidents severely impact thousands of cloud systems every year.
As a result, almost all organizations understand the importance of implementing robust cybersecurity for their cloud systems. Most organizations make sure they have good access controls, antimalware, intrusion prevention, monitoring, logging, and alert systems. Many organizations have the extensive QA testing procedures required to keep their systems continually updated with the latest patches. Some organizations continually train their employees so that as cloud technologies rapidly evolve, their staff understands how security protections must evolve with them. A few organizations take cybersecurity a step further and focus on compliance.
Compliance??? Isn’t that just paperwork?
Compliance with a cybersecurity standard means successfully passing that standard’s annual third-party security audit. For an organization’s IT department, a focus on compliance amounts to an understanding that no matter how talented its security team may be, the organization’s cybersecurity will benefit from the close scrutiny of third-party experts. For an organization’s sales teams, the certification or authorization that comes with passing an audit is a key element in assuring customers that their cloud systems are protected. Don’t take our word for it – take the word of the third-party auditor.
But not all compliance standards are created equal. Some compliance standards like ISO 27001 have been around for many years and apply to both on-premises and cloud systems, so they are not as prescriptive. Other standards like HITRUST are newer, focused on cloud systems, and much more prescriptive. Some standards like FedRAMP are still more prescriptive and involve more oversight. Customers that understand these differences place higher value on cloud systems that are compliant with more prescriptive cybersecurity standards.
Here’s an example. Multifactor authentication (MFA) is one of the best protections against a wide range of cybersecurity attack vectors. What do ISO 27001, HITRUST, and FedRAMP require regarding MFA? ISO 27001: no requirement. HITRUST (level 2): “Multi-factor authentication methods are used in accordance with organizational policy”. FedRAMP: “The information system implements multi-factor authentication for network access to privileged and non-privileged accounts.” In other words: no requirement vs. at your discretion vs. required for all users. So compliance with a higher standard can give an organization’s customers assurance of a higher level of cybersecurity.
Here’s another example. Audits for all cybersecurity standards include reviewing an organization’s policies and procedures along with evidence that they have been implemented. But unlike ISO 27001 and HITRUST, FedRAMP goes beyond this by requiring auditors to also perform vulnerability scanning and penetration testing (ethical hacking) on the cloud system. In addition, FedRAMP “continuous monitoring” requires the organization to have monthly meetings with a government oversight agency to present results of the cloud system’s latest vulnerability scans along with plans for how those vulnerabilities will be remediated in the required timeframes.
What about HIPAA, GDPR, or other compliance standards? One challenge is that those do not have a certifying body that can definitively state: “This organization is HIPAA (or GDPR) compliant.” Instead, they rely on organizations to self-certify their compliance. The problem with self-certification is that any organization can simply state that it is HIPAA (or GDPR) compliant with no proof, and there is no body that can correct it. Many cloud systems in the healthcare space do just that, even some that do not actually have all of the required controls in place. Sophisticated customers understand this. That is why many healthcare payers have started to require HITRUST or FedRAMP compliance for the cloud systems they use. The HITRUST and FedRAMP standards both incorporate the HIPAA controls, but they come with an official certification that the customer can easily verify.
In summary, cloud cybersecurity is crucial. Most organizations understand this. But leading organizations also understand that certified compliance with a cybersecurity standard is crucial as well. Cybersecurity audits lead to improvements in the security of an organization’s cloud systems, and the resulting certifications provide assurance to the organization’s customers that the cloud systems have implemented a known level of security. For sophisticated customers, that assurance is stronger if the certified compliance is with a higher standard.