Learning from Compliance Requirements: March’s Cloud Security Tip of the Month

In January, we started our series with data encryption as our cloud security tip of the month.  In February, we expanded the foundation to include management of encryption keys.  Now, in the third installment, March’s tip is learning from regulatory requirements.

It could be argued that for many businesses, regulatory compliance is a necessity, not a tip.  We would also maintain that encryption and encryption key management are necessities.  But this month, we want to take a look at a couple of regulations from a new perspective.  We want to examine the cloud security aspects of PCI DSS and HIPAA – not from the perspective of the businesses that must comply with them, but rather from the perspective of what we can all learn from them about protecting our data in the cloud.

What we can learn from PCI DSS Compliance for Cloud Security

When we think of heavily regulated (and often breached) industries, one that comes to mind is the financial sector.  And any one of Target’s 110 million customers whose personal data was recently breached can tell you that breaches in this sector are serious business.  The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that stores or processes credit card information, but really, it is good business practice for any business that operates in the cloud.

Some cloud security lessons we can all learn from PCI’s requirements:

  • Do not use vendor-supplied defaults for passwords and other security parameters.
  • Use and regularly update anti-virus software (Krebs reports that the Target attack began with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer).
  • Protect data with encryption and protect cryptographic keys against disclosure and misuse.
  • Restrict access to data by business need-to-know and assign a unique ID to each person with access.
  • Track and monitor all access and regularly test security systems and processes.

What HIPAA Compliance teaches about Cloud Security

Along with credit card information, healthcare records are among the most heavily regulated and protected files.  The Health Insurance Portability and Accountability Act (HIPAA) contains some cloud data safeguards that healthcare businesses must adhere to and the rest of us should take note of.

1.  HIPAA requires that businesses “implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.”

What the rest of us can learn:

The electronic network, or cloud, offers you a lot of advantages in the form of cost savings, the ability to scale up or down with your business needs, performance, agility, flexibility, and much more.  Its drawback is data security, and it is your responsibility to take the necessary precautions to protect data you store or process in the cloud.  To do this:

  • Encrypt your data using the latest techniques.
  • Split your encryption keys and encrypt them homomorphically.
  • Encrypt backups and any other form of data that is transmitted online.
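The post recommends splitting encryption keys but does not show what a split looks like. The following is an added illustration, not code from the original post or from any product it describes: it uses a plain two-share XOR split (an assumed technique chosen for clarity; the homomorphic step the post mentions is not shown). The point it demonstrates is that a single share, such as the one a cloud provider might hold, carries no information about the data key, while recombining both shares restores it exactly. The names `split_key`, `combine_key`, `refresh_shares` and `fingerprint` are this example's own.

```python
import os
import hashlib
import hmac

KEY_LEN = 32  # bytes; a 256-bit data-encryption key


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split a key into two XOR shares.

    share_a is fresh random bytes and share_b = key XOR share_a.  Either share
    alone is uniformly random, so a party holding only one of them (for
    example the cloud provider) learns nothing about the key.
    """
    if len(key) != KEY_LEN:
        raise ValueError("unexpected key length")
    share_a = os.urandom(KEY_LEN)
    share_b = bytes(a ^ k for a, k in zip(share_a, key))
    return share_a, share_b


def combine_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine two shares; both are required, neither works alone."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def refresh_shares(share_a: bytes, share_b: bytes) -> tuple[bytes, bytes]:
    """Re-randomize the shares without changing the underlying key.

    Assumed extension, not from the post: if one old share is suspected to
    have leaked, issuing fresh shares makes the leaked one useless while the
    data encrypted under the key stays readable.
    """
    return split_key(combine_key(share_a, share_b))


def fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint to confirm a recombined key without exposing it."""
    return hashlib.sha256(key).hexdigest()[:16]


def demo(key: bytes) -> dict:
    """Split, recombine and refresh a key; report what each step shows."""
    a, b = split_key(key)
    recombined = combine_key(a, b)
    a2, b2 = refresh_shares(a, b)
    return {
        "share_alone_reveals_key": a == key or b == key,
        "recombined_matches": hmac.compare_digest(fingerprint(recombined), fingerprint(key)),
        "refreshed_shares_differ": (a2, b2) != (a, b),
        "refreshed_recombined_matches": combine_key(a2, b2) == key,
    }


if __name__ == "__main__":
    print(demo(os.urandom(KEY_LEN)))
```

In practice the customer-held share would be stored outside the provider's reach and combined only in memory at the moment of use, which is the "maintain control of your data" property the post is after.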

2. HIPAA requires that “electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.”

What the rest of us can learn:

Data security is often thought of as a way to mitigate damage caused by fraud or theft, but you must also protect your data from destruction.  To do this, remember that:

  • Strong encryption techniques are the best assurance that data has not been tampered with.
  • Proper key management ensures that you control your data and that your encryption keys have not been manipulated – not even in server memory.

3. HIPAA requires businesses to “implement technical policies and procedures that allow only authorized persons to access . . . information.”

What the rest of us can learn:

Audit logs protect you.  Whether you are bound to comply with HIPAA or not, you should maintain records for all of the following:

  • Who accessed which data (down to the field level) and when.
  • Who made which configuration changes and when.
  • User logons, logoffs, and invalid access attempts.
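To make the three record categories above concrete, here is an added example (not code from the original post) that parses a small constructed audit trail and pulls out each category: field-level data access, configuration changes, and logon, logoff and invalid access events. It also shows the simplest use of the third category, flagging a user whose failed logons reach a review threshold. The line format, the sample records and the function names are all assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample audit trail (not from the original post).  Each record
# falls into one of the three categories the post says to keep: data access
# down to the field level, configuration changes, and logon/logoff/failed
# access events.
SAMPLE_LOG = """\
2014-03-04T09:12:01Z user=alice action=LOGON result=OK src=10.0.0.5
2014-03-04T09:12:44Z user=alice action=READ object=patients.ssn result=OK
2014-03-04T09:13:02Z user=bob action=LOGON result=FAIL src=203.0.113.9
2014-03-04T09:13:09Z user=bob action=LOGON result=FAIL src=203.0.113.9
2014-03-04T09:13:15Z user=bob action=LOGON result=FAIL src=203.0.113.9
2014-03-04T09:14:00Z user=carol action=CONFIG_CHANGE object=firewall.rule17 result=OK
2014-03-04T09:15:30Z user=alice action=LOGOFF result=OK
2014-03-04T09:16:02Z user=dave action=READ object=patients.dob result=DENIED
"""

# timestamp, then space-separated key=value pairs
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Turn one audit line into a dict; reject anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed audit line: {line!r}")
    event = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def field_access(events: list) -> list:
    """Who read which data field, and when (the post's 'down to the field level')."""
    return [(e["user"], e["object"], e["ts"])
            for e in events if e["action"] == "READ" and e["result"] == "OK"]


def config_changes(events: list) -> list:
    """Who made which configuration change, and when."""
    return [(e["user"], e["object"], e["ts"])
            for e in events if e["action"] == "CONFIG_CHANGE"]


def invalid_attempts(events: list) -> Counter:
    """Failed logons and denied data access, counted per user."""
    return Counter(e["user"] for e in events if e["result"] in ("FAIL", "DENIED"))


def repeated_failures(events: list, threshold: int = 3) -> list:
    """Users whose failed-logon count reaches the threshold: a simple review trigger."""
    fails = Counter(e["user"] for e in events
                    if e["action"] == "LOGON" and e["result"] == "FAIL")
    return sorted(user for user, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("field access:", field_access(evts))
    print("config changes:", config_changes(evts))
    print("invalid attempts:", dict(invalid_attempts(evts)))
    print("review:", repeated_failures(evts))
```

The value of keeping all three categories together is visible even in this tiny trail: the denied read by `dave` and the failed logons from `bob` are only meaningful because successful reads and configuration changes are recorded alongside them.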

Why should you care about HIPAA if you are not in the healthcare business?  Because its standards will protect your customers and your data, its safeguards will protect you and your business, and because, at the end of the day, its guidelines are the safe way to operate in the cloud.

March’s Conclusion

Sometimes, regulations are viewed as a necessary evil.  In the case of cloud security, regulations can teach us a lot about the proper way to protect our cloud data and mission-critical apps.  Whether or not you are bound by PCI DSS or HIPAA, there is a lot you can learn from them and following their “advice” (whether you are actually required to or not) will protect your data.  Take this month to ensure that:

  1. Your data encryption meets the latest advancements in the industry
  2. You split your encryption keys to always maintain control of your data
  3. You homomorphically encrypt your encryption keys
  4. You properly limit and log all access to (or attempts to access) data
  5. You arm yourself with the proper firewalls, antivirus, and system updates
