Public cloud security and compliance considerations
2022-07-26 23:16:00 【Software testing network】

Setting up and running your own servers takes a large up-front investment and continuous maintenance, which is why most technology companies today turn to IaaS providers for their computing needs. Cloud providers such as AWS, Google Cloud and Microsoft Azure take responsibility for operating and securing the infrastructure, for example provisioning a new server and keeping it patched and running for the customer. The services they offer free up development teams to focus on building valuable new features for their applications.
This article covers what developers need to think about when assessing their applications for security and compliance. Cloud-based businesses often need to demonstrate that their software is set up according to security best practices; compliance standards and certifications are an effective way to understand an organisation's security posture and to build trust with customers.
The sections below cover the compliance and security benefits of building on a public cloud provider, and the caveats an organisation should keep in mind.
Cloud computing providers make security and compliance easier
When an organisation uses cloud services, processes such as starting a virtual machine or monitoring its performance become much easier, because the hardware and the tooling are already provided. The same goes for security: organisations can rely on the provider's security controls, because the major cloud providers have invested in obtaining and maintaining many common certifications and attestations, for example PCI DSS and SOC 2. Beyond that, every cloud provider's global reputation depends on its security track record.
In addition to that baseline of trust, the compliance-oriented features of cloud services make it easier for an organisation to obtain and keep its own security certifications, such as SOC 2 or ISO/IEC 27001. Some examples of such features follow.
(1) Built in functionality to support compliance
Cloud providers ship many built-in features that help organisations follow industry best practices and regulations. For example, with AWS S3 buckets you can define a retention policy for the objects (files and folders) stored in the service: Object Lock can block deletion of objects for a retention period, and lifecycle rules can expire objects automatically once they are no longer needed. This makes it easier to meet the record-keeping requirements of compliance standards in areas such as finance.
Maintenance is another area where cloud providers make life easier, because they update the operating system and packages for you. With AWS Lambda, for example, your code runs in a lightweight isolated environment and AWS takes over maintenance of the underlying host entirely, which is one less thing for the operations team to worry about. Note that this covers the host and runtime, not the dependencies bundled with your own code; keeping those patched remains your responsibility.
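The retention settings described above are only useful if they are actually configured the way the policy demands, so the following is an added example (not code from the original article) of the kind of check an organisation can run over a bucket's configuration. The two inputs mimic the shape of the responses returned by the S3 API calls get_object_lock_configuration and get_bucket_lifecycle_configuration, but they are constructed here so the check runs offline; the seven-year minimum, the bucket names and the rule IDs are assumptions.

```python
"""Added example: check an S3 bucket's Object Lock default retention and
lifecycle expiration against a retention requirement. Inputs are constructed
dictionaries shaped like the S3 API responses; no AWS call is made."""
from typing import List, Optional

# Assumed regulatory minimum: records must be kept for seven years.
REQUIRED_RETENTION_DAYS = 7 * 365


def default_retention_days(lock_cfg: dict) -> Optional[int]:
    """Return the bucket-wide default retention in days, or None if unset.
    DefaultRetention carries either Days or Years (counted as 365 days here)."""
    rule = lock_cfg.get("ObjectLockConfiguration", {}).get("Rule", {})
    retention = rule.get("DefaultRetention")
    if not retention:
        return None
    if "Days" in retention:
        return int(retention["Days"])
    return int(retention["Years"]) * 365


def check_bucket_retention(lock_cfg: dict, lifecycle_cfg: dict,
                           required_days: int = REQUIRED_RETENTION_DAYS) -> List[str]:
    """Return a list of findings; an empty list means the bucket is compliant."""
    findings = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled: any principal with s3:DeleteObject "
                        "can remove records before the retention period ends")
    else:
        retention = cfg.get("Rule", {}).get("DefaultRetention") or {}
        mode = retention.get("Mode")
        days = default_retention_days(lock_cfg)
        if days is None:
            findings.append("no default retention rule: objects are only locked if the "
                            "writer sets retention explicitly on each upload")
        else:
            if mode != "COMPLIANCE":
                findings.append(f"retention mode is {mode}: GOVERNANCE retention can be "
                                "bypassed by principals holding s3:BypassGovernanceRetention")
            if days < required_days:
                findings.append(f"default retention is {days} days, below the required "
                                f"{required_days}")

    # Lifecycle: at least one enabled rule must expire objects, and expiration must
    # not be scheduled inside the retention window (policy consistency check).
    expiring = [r for r in lifecycle_cfg.get("Rules", [])
                if r.get("Status") == "Enabled" and "Expiration" in r]
    if not expiring:
        findings.append("no enabled lifecycle expiration rule: data is retained forever, "
                        "which grows both storage cost and breach impact")
    for rule in expiring:
        # Date and ExpiredObjectDeleteMarker forms of Expiration are not evaluated here.
        exp_days = rule["Expiration"].get("Days")
        if exp_days is not None and exp_days < required_days:
            findings.append(f"lifecycle rule {rule.get('ID', '?')} expires objects after "
                            f"{exp_days} days, inside the {required_days}-day retention window")
    return findings


# Constructed sample configurations: one that passes, one that does not.
COMPLIANT_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                  "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
COMPLIANT_LIFECYCLE = {"Rules": [{"ID": "expire-after-8y", "Status": "Enabled",
                       "Filter": {"Prefix": ""}, "Expiration": {"Days": 8 * 365}}]}

WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
WEAK_LIFECYCLE = {"Rules": [{"ID": "expire-after-90d", "Status": "Enabled",
                  "Filter": {"Prefix": ""}, "Expiration": {"Days": 90}}]}

if __name__ == "__main__":
    for name, lock, lifecycle in [("compliant", COMPLIANT_LOCK, COMPLIANT_LIFECYCLE),
                                  ("weak", WEAK_LOCK, WEAK_LIFECYCLE)]:
        print(name, check_bucket_retention(lock, lifecycle) or ["OK"])
```

In a real deployment the two dictionaries would come from the S3 API for every bucket in scope and the findings would feed an alerting channel; the check itself does not change. Note the GOVERNANCE caveat: it looks like a retention policy, but anyone granted s3:BypassGovernanceRetention can delete the object anyway, so auditors will ask which mode is in use.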
(2) Integration with compliance monitoring tools
Compliance tools such as Vanta and Drata integrate with the services of the major cloud providers and let organisations monitor automatically whether they meet a compliance standard. Because these tools plug directly into the providers' APIs, they can pull the relevant data themselves and raise an alert when something is misconfigured.
(3) Built in audit log and event tracking
Because the cloud provider already collects audit logs and tracks events in the organisation's accounts, some of the audit evidence required for certification becomes easier to produce. For Google Cloud Storage, for example, several logging options with different levels of detail are available out of the box. Setting up log collection in a cloud service is straightforward, so whenever logs need to be shared with auditors, the organisation can export the results as evidence of compliance. Make sure the log retention period covers the audit window, and that the logs cannot be modified by the same people whose actions they record.
(4) User management and fine-grained permissions
Paying close attention to which users have privileged access to the organisation's cloud provider account goes a long way towards reducing the chance of a security breach, which is why many organisations follow the principle of least privilege. Cloud providers offer many ways to create accounts with restricted permissions to support this principle. For example, Azure AD (Azure's identity and access management service) lets permissions be configured per cloud service, and often per individual resource within a service.
The major cloud providers also let you create identities that can only be used through the API (no console login), and even let a virtual machine assume a specific role in the organisation's infrastructure without any long-lived credentials being created for it: the machine obtains short-lived credentials from the platform at runtime.
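Least privilege is easy to state and easy to get wrong in a policy document, so here is an added example (not code from the original article, and using AWS IAM rather than the Azure AD example above) that lints a policy for the usual over-broad grants and shows an over-permissive policy next to a tightened one. The tightened policy is what you would attach to the role a virtual machine assumes, so the machine gets short-lived credentials without any access key being issued. The account id, bucket name, role name and region are placeholders.

```python
"""Added example: lint IAM policy documents for common least-privilege
violations. Both policies below are constructed; all identifiers are placeholders."""
import fnmatch
from typing import List


def _as_list(value) -> list:
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action_pattern: str, action: str) -> bool:
    """IAM action wildcards ('*', 's3:*', 's3:Get*') follow glob semantics."""
    return fnmatch.fnmatchcase(action, action_pattern)


def lint_policy(policy: dict) -> List[str]:
    """Return findings for Allow statements that grant more than they should."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants every action "
                            "except the listed ones, including APIs that do not exist yet")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: {action} grants the whole service")

        # Resource '*' is tolerated only for read-only enumeration calls, which many
        # AWS APIs cannot be scoped to a single resource anyway.
        read_only = bool(actions) and all(
            a.split(":")[-1].startswith(("Describe", "List", "Get")) for a in actions)
        if "*" in resources and not read_only:
            findings.append(f"statement {i}: Resource '*' applies {actions} to every resource")

        # iam:PassRole on any role lets the caller hand a more privileged role to a
        # service it controls: require one role and an iam:PassedToService condition.
        if any(_matches(a, "iam:PassRole") for a in actions):
            if "*" in resources:
                findings.append(f"statement {i}: iam:PassRole on Resource '*' is a "
                                "privilege escalation path")
            if "iam:PassedToService" not in str(stmt.get("Condition", {})):
                findings.append(f"statement {i}: iam:PassRole without an "
                                "iam:PassedToService condition")
    return findings


# Over-broad policy of the kind written in a hurry (constructed example).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"],
         "Resource": "*"},
    ],
}

# Tightened version: one bucket prefix, one role, and that role can only be
# passed to EC2. Suitable for an instance role, so the VM never holds a static key.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-worker",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        # RunInstances also needs subnet/volume/network-interface ARNs; abbreviated here.
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": ["arn:aws:ec2:eu-west-1:123456789012:instance/*",
                      "arn:aws:ec2:eu-west-1::image/ami-0123456789abcdef0"]},
    ],
}

if __name__ == "__main__":
    print("weak:", lint_policy(WEAK_POLICY))
    print("tight:", lint_policy(TIGHT_POLICY) or "no findings")
```

The check is deliberately simple; it does not evaluate Deny statements, permission boundaries or service control policies, all of which can narrow what an Allow actually grants. It is enough to catch the grants that most often turn a compromised application credential into full account access.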
Cloud providers bring many advantages for security and compliance, but they also come with problems and challenges.
Cloud providers do not solve compliance for you
Cloud services implement many features that make compliance easier to achieve, but the organisation and its people still have to decide which of them are needed to satisfy a given requirement. Achieving and maintaining compliance includes obtaining qualified advice, implementing the required controls, and monitoring those controls over time. The provider's features only reduce the effort of each step.
Note that there is no fast-track version of SOC 2 or similar security certifications for cloud customers. An organisation still has to provide evidence of the security practices it uses, whether it runs on-premises or on a cloud platform. It will need to locate the IaaS provider's own security certifications, request the supporting documentation, and hand it to the auditors. Every audit requirement has to be satisfied with evidence provided either directly by the cloud provider or by the organisation itself.
Cost of compliance
Another consideration when pursuing compliance and security certifications is cost. Most organisations do not realise how expensive some compliance-related cloud services can become. AWS GuardDuty, a popular threat detection service, analyses the account's CloudTrail events, VPC flow logs and DNS logs (it does not collect or store them itself) and is priced by the volume it analyses: per million CloudTrail events and per gigabyte of flow and DNS logs. If millions of events flow through GuardDuty, the bill can grow quickly.
What makes compliance costs harder to plan is that usage patterns, and therefore future costs, are difficult to estimate for pay-per-use compliance services. Taking the GuardDuty example again: if you know how many events are generated per day, future costs are easy to work out. But the number of events is hard to predict, and it can take an engineering team weeks to produce a reasonable estimate for a complex SaaS application.
Given the potentially unbounded cost, compliance in the public cloud becomes a cost-optimisation exercise. A sensible organisation will spend time calculating and estimating costs, and will weigh them against the likelihood and impact of the security risks involved. A data breach at a financial services company, for example, could be devastating for the business, so such a company may accept higher compliance costs. For an organisation with a lower risk profile, high compliance fees may not be justified.
It is worth noting that most cloud providers offer more than one way to meet a compliance requirement. If GuardDuty is too expensive for the organisation's use case, other approaches can satisfy a specific compliance check; for instance, a scripted weekly review of all systems instead of continuous event monitoring, accepting that detection will then lag by up to a week. An organisation can also enable monitoring for low-traffic services, where it costs little, and look for alternatives for the high-transaction parts of the application.
Best practices to follow
The following are some best-practice recommendations for cloud security.
(1) Approval workflow
An approval workflow is a formal process for tracking project tasks and ensuring that they meet deadlines and business and product requirements, and that they are free of mistakes. A standardised approval workflow with clearly defined steps and an associated audit log is usually easier to pass through compliance checks. Cloud technology offers many convenient ways to implement such a workflow, for example with serverless computing.
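What auditors look for in an approval workflow is less the tooling than two properties: nobody approves their own change, and the trail of who requested, approved and applied each change cannot be quietly edited afterwards. The following is an added example (not code from the original article) of a minimal workflow that enforces both, with a hash-chained audit log so that a deleted or altered entry breaks verification. The request ids, user names and change text are constructed; a real deployment would persist the state and the log in durable storage rather than in memory.

```python
"""Added example: an approval workflow with separation of duties and a
tamper-evident, hash-chained audit log. All names and changes are constructed."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List


class WorkflowError(Exception):
    pass


class ApprovalWorkflow:
    GENESIS = "0" * 64   # previous-hash value of the first log entry

    def __init__(self, required_approvals: int = 1):
        self.required_approvals = required_approvals
        self.requests = {}                 # request id -> state
        self.audit_log: List[dict] = []    # append-only, hash-chained

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, event: str, **fields) -> None:
        """Append an entry whose hash covers its content and the previous hash,
        so editing or deleting an earlier entry invalidates every later one."""
        prev = self.audit_log[-1]["hash"] if self.audit_log else self.GENESIS
        entry = {"seq": len(self.audit_log), "ts": datetime.now(timezone.utc).isoformat(),
                 "event": event, "prev": prev, **fields}
        entry["hash"] = self._digest(entry)
        self.audit_log.append(entry)

    def submit(self, request_id: str, requester: str, change: str) -> None:
        if request_id in self.requests:
            raise WorkflowError("duplicate request id")
        self.requests[request_id] = {"requester": requester, "change": change,
                                     "approvers": [], "status": "pending"}
        self._record("submit", request=request_id, actor=requester, change=change)

    def approve(self, request_id: str, approver: str) -> None:
        req = self.requests[request_id]
        if req["status"] != "pending":
            raise WorkflowError(f"request is already {req['status']}")
        if approver == req["requester"]:
            # Separation of duties: the refusal itself is evidence, so log it.
            self._record("reject", request=request_id, actor=approver, reason="self-approval")
            raise WorkflowError("requester cannot approve their own change")
        if approver in req["approvers"]:
            raise WorkflowError("approver already counted")
        req["approvers"].append(approver)
        self._record("approve", request=request_id, actor=approver)
        if len(req["approvers"]) >= self.required_approvals:
            req["status"] = "approved"
            self._record("status", request=request_id, status="approved")

    def apply(self, request_id: str, operator: str) -> None:
        req = self.requests[request_id]
        if req["status"] != "approved":
            raise WorkflowError("change has not been approved")
        req["status"] = "applied"
        self._record("apply", request=request_id, actor=operator)

    def verify_audit_log(self) -> bool:
        """Recompute the chain; False means an entry was altered, removed or reordered."""
        prev = self.GENESIS
        for i, entry in enumerate(self.audit_log):
            if entry["seq"] != i or entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Happy path plus a self-approval attempt and a tampered log entry."""
    wf = ApprovalWorkflow(required_approvals=1)
    wf.submit("CHG-1", "alice", "open port 443 on web-sg")
    try:
        wf.approve("CHG-1", "alice")
        self_approved = True
    except WorkflowError:
        self_approved = False
    wf.approve("CHG-1", "bob")
    wf.apply("CHG-1", "carol")
    intact_before = wf.verify_audit_log()
    wf.audit_log[1]["actor"] = "mallory"   # simulate someone editing the stored log
    return {"self_approved": self_approved, "status": wf.requests["CHG-1"]["status"],
            "events": [e["event"] for e in wf.audit_log],
            "intact_before": intact_before, "intact_after_tamper": wf.verify_audit_log()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hash chaining only makes tampering detectable, not impossible: whoever can rewrite the whole log can recompute every hash. In practice the chain head (or periodic digests) is copied to a store the operators cannot write to, which is the same reason the audit logs mentioned earlier should be kept out of reach of the people they record.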
(2) Third party service verification
Besides the tools offered by the cloud provider, organisations often use third-party software tools as well. The compliance monitoring process should include verifying the security controls and compliance standards of each third-party service in use.
(3) Automation
Compliance can be tracked manually, but that is not sustainable, especially for a SaaS application with thousands of customers. Use software tools and automation to monitor compliance and to raise alerts when something in the infrastructure is no longer compliant. This makes the process faster and more robust and, most importantly for certification, makes audits easier.
How to start
To go further, read about how to communicate a SaaS product's security to users, followed by the developer's compliance guide and how to communicate correctly with customers about GDPR.