Top cloud security standards and governance frameworks

Feb 23, 2022 | CYBERSECURITY

Cloud strategy guide for regulated industries: part 2

The cyber-security sector now has many different standards and certifications. Cloud standards and frameworks are vital to securing systems and maintaining privacy. They offer organizations a set of controls and processes that can be implemented to achieve and maintain a defined level of security.

Once you know which standards are essential for your business, you can easily find providers that meet all of them. Most of the biggest cloud providers document how they adopt particular standards; for example, you can read how AWS deals with life science compliance.

It is necessary for companies in regulated industries to implement the required measures and policies. This reduces the risk of non-compliance and ensures that business continuity plans are in place to minimize the damages.

The benefits of supporting essential IT and security standards are numerous, including:

  • promoting interoperability, eliminating vendor lock-in, and making it simpler to transition from one provider or vendor to another;
  • easy integration of on-premises security technologies with those of cloud service providers;
  • path to regulatory compliance.

Many standards and control frameworks may seem overwhelming at first. Many of them are publicly available, but some must be paid for. They are defined by different organizations and regulatory bodies.

The aim of this article is to gather information about the key IT and security standards and frameworks in one place, so that you can understand their scope and applicability.

By reading this article and filling in the short assessment, you can:

  • have a clear understanding of major IT regulations and standards,
  • see in which areas they complement each other,
  • understand their reference to cloud computing.

Cloud Standards’ Characteristics self-assessment

Download our Cloud Standards’ Characteristics assessment and take a detailed overview of all general and cloud standards. Contact A4BEE experts, choose with us the best cloud provider for your organization, and build the tech backbone for your internal and cloud solutions.

General information technology and data-related standards, regulations, and recommendations

Many general IT security standards and recommendations apply to cloud computing environments. Organizations should be aware of them and check how cloud providers (and other suppliers) support them.

ISO/IEC 38500

The ISO (International Organization for Standardization) 38500 standard provides a framework for IT governance within an organization, offering guiding principles for senior management on the effective, efficient, and acceptable use of IT. It is not specific to cloud computing, but cloud service providers and customers can use it.

COBIT

COBIT (Control Objectives for Information and Related Technology) was created by the ISACA organization and provides a framework for IT governance and IT management. It is positioned as a high-level framework between business and IT goals & processes.

ITIL

ITIL (Information Technology Infrastructure Library) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business; businesses can apply it to the management of cloud services. Information security management is covered, but it is more typical to address this area using the ISO/IEC 27002 standard.

ITIL describes processes, procedures, tasks, and checklists that a service provider can use to integrate its services with the organization's strategy. It allows the organization to develop a baseline against which to plan, implement, and measure.

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a cross-industry reference framework that brings federal security assessment and authorization controls into private industry. NIST is emerging as a standard governance framework for cloud computing in the private sector.

NIST SP 800-53 R5

NIST Special Publication 800-53 revision 5, “Security and Privacy Controls for Information Systems and Organizations,” provides a catalog of security and privacy controls for federal information systems, including cloud-based systems, and organizations, and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the U.S. from a diverse set of threats including hostile cyber-attacks, natural disasters, structural failures, and human errors.

ISO/IEC 20000

ISO/IEC 20000 is a series of well-established and internationally recognized standards for IT service management. It is not specific to cloud computing and cloud services, but it is applicable to different categories of cloud service, including, but not limited to, the following:

  • infrastructure as a service (IaaS);
  • platform as a service (PaaS);
  • software as a service (SaaS).

It is also applicable to public, private, community, and hybrid cloud deployment models.

The applicability of ISO/IEC 20000‑1 is independent of the type of technology or service model used to deliver the services. All requirements in ISO/IEC 20000‑1 can be applicable to cloud service providers.

GMP

Good manufacturing practice (GMP) describes the minimum standard that a medicines manufacturer must meet in its production processes. GMP requires that medicines:

  • are of consistently high quality;
  • are appropriate for their intended use;
  • meet the requirements of the marketing authorization or clinical trial authorization.

GMP covers all aspects of production, from the starting materials, premises, and equipment to staff training and personal hygiene. Detailed written procedures are essential for each process that could affect the quality of the finished product. There must be systems that provide documented proof that the correct procedures are consistently followed at each step in the manufacturing process, every time a product is made. For detailed documentation, see the GMP Guidelines and the GMP Guidelines/Inspection Checklists for Cosmetics.

ISO/IEC-27001 / ISO/IEC-27002

Any organization with sensitive information can benefit from ISO/IEC 27001 implementation. ISO/IEC-27001 contains an Information Security Management System (ISMS) specification. ISO/IEC-27002 describes controls that can be implemented to comply with the ISO/IEC-27001 standard.

Compliance with ISO/IEC-27001 demonstrates that your organization takes information security seriously and follows information security best practices.

ISO/IEC-27017

ISO/IEC-27017 is an extension of ISO/IEC-27001 that adds clauses specific to information security in the context of the cloud. Compliance with ISO/IEC-27017 should be considered alongside ISO/IEC-27001.

ISO/IEC-27018

ISO/IEC-27018 relates to protecting personally identifiable information (PII) in public clouds acting as PII processors. While this standard is explicitly targeted at public-cloud providers such as AWS or Azure, PII controllers (e.g., a SaaS provider processing customer PII in AWS) still have a level of responsibility. You should consider compliance with this standard if you are a SaaS provider processing PII.

System and Organization Controls (SOC) Reporting

A SOC 2 Audit Report demonstrates that your organization has policies, procedures, and controls in place to meet the five trust principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. When selecting SaaS providers, ask them to demonstrate SOC 2 compliance.

ISA 88

ISA-88 is a standard introduced by the International Society of Automation. It aims to provide guidelines for the design and structure of batch control systems so that manufacturers share a common understanding. It details data structures for efficient communication between batch components and defines the key terminology of batch control.

The ISA-88 standard also examines batch control system architecture from a physical and a functional standpoint. The physical model looks at the hierarchical structure of data communication and control equipment: a process is made of stages, which consist of operations that require actions.

The functional model examines the different types of control: scheduling, recipe management, regulatory control, sequential control, and safety interlock systems. ISA-88 aims to outline what an efficient batch control system needs; by deconstructing its different aspects, it defines all the necessary components and processes.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is specific to organizations handling cardholder information. The standard provides baseline technical and operational requirements for protecting cardholder data.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is specific to organizations handling medical information. The HIPAA Security Rule (HSR) is most appropriate in the context of information security. This rule provides standards to protect individuals’ electronic personal health information created, received, used, or maintained by a covered entity.

HIPAA II: Health Information Technology for Economic and Clinical Health Act (HITECH)

The primary purpose of the HITECH Act is to improve the quality, safety, and efficiency of healthcare by expanding the adoption of health information technology. The Act's measures to make HIPAA enforcement more effective are there to ensure that this adoption of health information technology complies with the HIPAA Privacy and Security Rules.

By improving the quality, safety, and efficiency of healthcare in a HIPAA-compliant manner, the Act aims to improve care coordination, reduce disparities in the ways healthcare is administered, engage patients and their families in the decision-making process, and improve public health.

General Data Protection Regulation (GDPR)

GDPR is the data protection and privacy regulation of the European Union. Although the regulation applies specifically to the European Union, you need to consider it if you store or process any personal data of European Union citizens.

Cloud specific standards

The list of cloud-specific standards includes various life science, biotechnology, and pharmaceutical industry standards. Some scopes of standards are similar and complementary to each other.

Cloud Security Alliance (CSA) Cloud Controls Matrix

Cloud Security Alliance (CSA) conducts cloud security research, professional education, and provider certification to promote the secure delivery and use of cloud computing services. The CSA has published a Cloud Controls Matrix that provides insight into the critical security control considerations when assessing cloud provider services. This document helps establish effective cloud security governance.

CIS Critical Security Controls

The CIS Controls list is a prioritized set of actions for protecting against cyber threats.

Cloud Application Management for Platforms (CAMP)

CAMP is designed to address the needs of a high-level PaaS system. The consumer provides application artifacts and specifies which provider-supplied services are required to realize these artifacts as an application.

All infrastructure details used to support those services are hidden by the provider of the PaaS system.

The main objective of CAMP is to leverage similarities between different PaaS offerings and to produce a generic application and platform management API that is language, framework, and platform-neutral. The specification includes the artifacts and APIs that a PaaS cloud needs to manage the building, running, administration, monitoring, and patching of applications in the cloud, contributing to the interoperability among self-service interfaces to PaaS clouds.

ISO/IEC 19086

ISO/IEC 19086 seeks to establish a set of common cloud SLA building blocks (concepts, terms, definitions, contexts) that can be used to create cloud Service Level Agreements (SLAs).

CIS Cloud Providers Benchmark

The CIS Cloud Providers Benchmarks include more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today's evolving cyber threats.

They provide best-practice security controls specific to major cloud providers, including Amazon Web Services (AWS), Alibaba, GCP, Microsoft Azure, and Oracle Cloud.

Summary

Standards and certifications are a crucial way of communicating with clients, stakeholders, suppliers, and partners. They show that your business takes compliance, cybersecurity, and data protection seriously. Many companies that achieve certification or align with these recognized frameworks gain new business opportunities.

Striving for compliance with one standard will often take you a long way toward compliance with another. Once you have decided on the standards and control frameworks to pursue, you will need to establish policies and procedures and implement supporting technical controls. Implementing technical controls might be an unnecessary distraction for your team (who should be focused on delivering business value), but don't worry: you don't have to do it alone.

Look into our Security Assessment Scope and let’s talk about the best solutions for your company.