How Does Compliance Differ In The Cloud Versus On-Premise?

With 253 healthcare breaches in 2015 for a total of 112 million lost records, HIPAA compliance has never been more relevant. Meanwhile, 80 percent of businesses fail their PCI compliance assessments.

As a business, whether you’re storing patient records or processing customer credit card data, chances are the government or your customers (or, many times, both) require you to meet some sort of compliance standards. And it ain’t easy.

 At Threat Stack, people often ask us the following questions about compliance:

  • Where do I begin in order to meet compliance in the cloud?
  • How do I manage compliance in a hybrid (cloud and on-premise) environment?
  • How do I ensure compliance as I migrate from on-premise to the cloud?

On-Premise vs. Cloud: The Fundamental Differences in Meeting Compliance

Compliance can be a complex, lengthy, expensive, and sometimes even frustrating process. On-premise, it was a little more straightforward because of defined perimeters; running in a cloud or hybrid environment means you need new solutions to bridge the gaps between:

  • Private vs. public networks
  • Physical vs. virtual environments
  • Known physical boundaries vs. unknown perimeters
  • Known vs. unknown access

Because the ways in which systems and data are accessed and managed in the cloud differ from on-premise, the ways in which we meet compliance in the cloud must change. In the cloud, processes happen faster, access points are more numerous, and usage can scale up and down as quickly as needed. Traditional compliance solutions built for a more static on-premise world can’t keep up with such dynamic changes, requiring us to completely rethink how to achieve compliance in the cloud.  

The Approach Doesn’t Change: The Tooling Does

The goals of compliance haven’t changed a lot, but the infrastructure that we need to keep compliant has. You still need to monitor logins, have clear security incident procedures, and use encryption — but doing it in the cloud is very different from doing it on-premise. These are three key areas of compliance most impacted by the differences in the cloud:

  • Vulnerability Management
  • Monitoring
  • Cloud Context

Vulnerability Management

Required by just about every compliance framework, vulnerability management helps you pinpoint where the weaknesses are in your system so you can mobilize defenses to protect it. In the cloud, where the attack surface is magnified, applications, operating systems, and users alike are all major targets. With so many moving parts in the cloud, vulnerabilities can crop up in new and different places compared to on premise. The best way to catch them? A vulnerability management tool built for the cloud.

Solutions like Threat Stack Cloud Security Platform™ can automatically examine package information on the workload, quickly inform users about vulnerabilities, and then help organize workflows to remediate out-of-date packages based on their severity.  

Monitoring

Most compliance frameworks also require companies to track and monitor access to systems and data, and many companies already do this as a sound security practice. But in the cloud, monitoring is much more complex considering that:

  • The perimeter can be much more porous
  • Servers are constantly changing, being spun up or deactivated based on scaling needs
  • There are new and more devices to monitor (Hello, BYOD and IoT in the workplace!)

The challenge when companies attempt to apply monitoring solutions built for on-premise environments to the cloud is that the cloud components don’t match up, and therefore there is incomplete visibility. In the past, monitoring at the network level was all we needed, but in the cloud, the network only scratches the surface of what’s really going on. In the cloud, monitoring should be done at the host level where deep insights can be found, and anomalous behavior can be made crystal clear.

Cloud Context

To get to the root cause of a security event using traditional approaches, you would have to manually sift through multiple logs to pinpoint the steps leading up to and following a security event — assuming the information was even available, and make a judgment call from there. But this process is far from efficient and is prone to false positive results. And when you’re running fast in the cloud, there is no time for operational inefficiencies, right?

With security events in the cloud as complex as the cloud itself, having basic monitoring and response tools and processes in place often doesn’t cut it. Using a platform like Threat Stack, on the other hand, can add rich context to your security data by pulling vital event information together into a single place and automatically providing the contextual data needed to inform a targeted and effective decision for action.

Preparing for Compliance in the Cloud

Whether you’re about to migrate to the cloud, are already running in it, or are operating a hybrid environment, it’s important to know how to meet compliance in each type of environment. At the end of the day, it’s all about leveraging the purpose-built security platforms that have the ability to monitor, analyze, and respond to issues at the speed of the cloud. Likely, one of the drivers to move into the cloud is speed, and there’s no reason why your compliance initiatives have to put on the brakes.

Meeting Compliance Across All Industry Sectors in the Cloud

Healthcare companies like Twine Health, technology companies like 6sense, and financial companies like Simple Finance have all turned to Threat Stack to address cloud-specific compliance requirements.

Extra! Extra! Read All About Compliance

Want more compliance content? Sign up for automatic email notifications when new posts in this series go live: http://get.threatstack.com/compliance-blog-series.

As a bonus, we’ll make sure you’re the first to receive the Compliance eBook we’re releasing at the end of the series.

If you have questions, tweet us @ThreatStack, or send an email to [email protected]

Posts in the Compliance Series

Announcing Threat Stack’s Compliance Blog Post Series

How Does Compliance Differ In The Cloud Versus On-Premise?

How to Reconcile Different Definitions of PCI DSS and HIPAA Compliance

Can You Afford NOT to be HIPAA Compliant?

Why You Need to be Compliant Much Sooner Than You Think

The Impact of the Cloud’s Shared Responsibility Model on Compliance

The Importance of Security Monitoring to Achieving Compliance in the Cloud

Budgeting for a Compliance Audit: A Practical Framework

File Integrity Monitoring and Its Role in Meeting Compliance