theNet by CLOUDFLARE

Multi-cloud compliance in a multi-jurisdictional world

The foggy cloud: Uncertain risks with heightened consequences

The cloud offers both opportunity and risk, and for most organizations the opportunity continues to vastly outweigh the risk. But much of the risk comes in the form of potential compliance violations — the danger that data will be stored, accessed, altered, or leaked in a way that puts an organization out of compliance with the ever more complex cohort of data protection and privacy regulatory frameworks.

Worse, many IT and security professionals do not even have visibility into where those risks might lie. And visibility grows more difficult with data and workloads spread out across multiple clouds, as is the case for the vast majority of organizations. The cloud has become more like a fog, obscuring lurking compliance risks. And meanwhile the jurisdictional requirements with which international organizations have to comply continue multiplying.

As security frameworks prove inadequate for managing these compliance risks, IT teams and compliance officers need a new approach, one that will allow them to identify and mitigate compliance violations in the cloud before they happen.


The challenge of cloud compliance

When cloud-hosted data is exposed to unauthorized persons, organizations face losing the trust of their customers, reputational harm, potential scrutiny from regulators, and other negative outcomes. In worst-case scenarios, a data breach can lead to fines if regulators believe an organization didn’t take reasonable measures to protect its data.

How do such exposures occur? In any number of ways, from social engineering attacks to inadequate access control to outright data breaches by external malicious parties. However, the cloud offers unique hurdles and challenges for avoiding data exposure. In particular, with responsibility for security shared between cloud provider and cloud customer, misconfigurations are a major risk.

Misconfigurations, unintentional human errors in how cloud deployments are set up, are one of the top risks to data in the cloud. Public cloud deployments that are accidentally left exposed to the public Internet or otherwise misconfigured can lead to major breaches, such as what happened to Twilio in 2020.

Cloud misconfigurations are increasing. As more businesses transition to cloud-based services, the attack surface expands, increasing the risk of exposure due to misconfigured resources. According to Gartner, "Through 2027, 99% of records compromised in cloud environments will be the result of user misconfigurations and account compromise, not the result of an issue with the cloud provider."

Often, issues are detected only after misconfigurations have already had an impact. This is because many widely used types of cloud security solutions, such as cloud security posture management (CSPM) or cloud-native application protection platform (CNAPP) services, identify symptoms after the fact rather than while DevOps teams are setting up these services. After-the-fact detection produces alerts, which may take a while to be acted on, leaving cloud resources temporarily exposed.

By the time an organization knows it may be out of compliance or exposed to attacks due to misconfigurations, it may be too late.

There are also a multitude of other challenges when it comes to data security, integrity, and compliance in the cloud, including:

  • Data exfiltration: Digital assets offer all manner of attack vectors to malicious parties, whether an asset is in the cloud or on-premises. However, multi-cloud deployments pose additional threats since the physical infrastructure falls outside an organization's direct jurisdiction and responsibility. From simple social engineering attacks to highly tailored vulnerability exploits, attackers have a variety of methods for extracting data from the cloud.

  • Multi-tenancy: Public clouds are shared between many organizations, and responsibility for securing them is split between the cloud provider and those cloud customers. Studies have demonstrated that cloud-hosted data can be accidentally shared with other cloud tenants if security perimeters are not enforced.

  • Shadow cloud infrastructure: Organizations often end up with abandoned or forgotten cloud instances. This happens naturally as organizations shift, change, and expand, and as roles and responsibilities adjust. It may also occur when well-meaning employees take matters into their own hands in order to get their work done, but go outside of approved IT procedures. The result can be a shadow secondary multi-cloud infrastructure that is unaccounted for and not protected by security policies, yet contains sensitive information.

These cloud compliance and security challenges are having real-time impacts on organizations. In their Cloud Risk Report, CrowdStrike detailed an increase of 95% in cloud exploitation. And there was an even greater increase — 288% — in instances of attackers going after public cloud services directly. Furthermore, the report found that it takes an average of 207 days to even identify such breaches, let alone contain them.

Cloud security issues linger, leaving organizations exposed. This becomes a ticking time bomb with regard to regulatory compliance, financial health, and the overall safety of the organization. And the financial stakes are high. Fines levied under the EU’s General Data Protection Regulation (GDPR) alone can range up to either €20 million or 4% of the business's worldwide annual revenue, whichever is higher.


The multi-jurisdictional world

What's more, each jurisdiction has its own regulations. The security and privacy measures that must be taken to safeguard data vary around the globe. Some of the major regulations include:

  • The GDPR and the NIS2 Directive have authority over EU resident data

  • The Digital Personal Data Protection Act (DPDP) regulates personal data in India

  • State-by-state or industry-specific regulations in the United States (e.g. CCPA, HIPAA)

  • Industry regulations like PCI DSS that control how personal payment data is handled

Ensuring that all cloud instances conform to all relevant regulatory frameworks is a task that is nearly impossible to complete via manual effort. It also can hamper business development as organizations attempt to enter new markets.

Finally, it is difficult to demonstrate compliance without regular audits of all data and systems, which is challenging when organizations rely on multi-cloud deployments across multiple cloud providers.


The inline cloud security solution

What's needed is a preventative approach. Anticipating and preventing all risks and errors in advance is not possible, so a preventative approach should take the form of inline security and compliance checks that occur as cloud instances are deployed, not after mistakes have already been made. Errors should be automatically tracked and mitigated, and compliance enforced automatically, not manually.

Cloudflare incorporates exactly this type of inline cloud security check for customers into its platform. Cloudflare streamlines cloud security compliance for customers by automatically assessing and enforcing secure configurations, helping to ensure robust security and compliance with the most common regulatory frameworks. Cloudflare inspects cloud API traffic, giving organizations enhanced visibility and granular controls, and allowing for a proactive approach in mitigating risks and managing their cloud security posture.
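As an added example (not Cloudflare's code and not part of the original article), the following Python shows the shape of an inline admission check of the kind described above: a deployment request is evaluated against a small policy set before the resource is created, which is the contrast this article draws with CSPM-style detection that only surfaces symptoms after the fact. The field names, the policy table mapping data classifications to permitted regions, and both sample requests are assumptions constructed for illustration; a real gate would sit in front of the cloud provider's API or in the CI/CD pipeline and read the provider's actual request schema.

```python
"""Inline pre-deployment compliance gate (illustrative, hypothetical schema).

Evaluates a constructed deployment request before the resource exists,
so a misconfiguration is denied instead of becoming an alert later.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed policy table (assumption): which regions may hold each data
# classification. None means any region is acceptable.
ALLOWED_REGIONS = {
    "eu-personal": {"eu-west-1", "eu-central-1"},   # GDPR-scoped data stays in the EU
    "in-personal": {"ap-south-1"},                  # DPDP-scoped data stays in India
    "pci": {"us-east-1", "eu-west-1"},              # cardholder data: approved regions only
    "internal": None,
}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "high" blocks deployment, "medium" is reported only
    detail: str


def check_public_access(req: dict) -> Optional[Finding]:
    """Deny anything that is not private or lacks a public-access block."""
    acl = req.get("acl", "private")
    block = req.get("public_access_block", False)
    if acl != "private" or not block:
        return Finding("public-access", "high",
                       f"acl={acl!r}, public_access_block={block}")
    return None


def check_encryption(req: dict) -> Optional[Finding]:
    """Encryption at rest is mandatory; customer-managed keys are preferred."""
    enc = req.get("encryption", {})
    if not enc.get("enabled", False):
        return Finding("encryption-at-rest", "high", "encryption disabled")
    if enc.get("key_management") != "customer-managed":
        return Finding("encryption-key", "medium",
                       "provider-managed key; customer-managed key recommended")
    return None


def check_region(req: dict) -> Optional[Finding]:
    """Data residency: the region must be permitted for the data classification."""
    classification = req.get("data_classification")
    if classification not in ALLOWED_REGIONS:
        return Finding("data-classification", "high",
                       f"unknown or missing classification {classification!r}")
    allowed = ALLOWED_REGIONS[classification]
    region = req.get("region")
    if allowed is not None and region not in allowed:
        return Finding("data-residency", "high",
                       f"{classification} data may not be stored in {region!r}")
    return None


def check_logging(req: dict) -> Optional[Finding]:
    """Access logging is needed to demonstrate compliance at audit time."""
    if not req.get("access_logging", False):
        return Finding("access-logging", "medium", "access logging disabled")
    return None


CHECKS: list[Callable[[dict], Optional[Finding]]] = [
    check_public_access, check_encryption, check_region, check_logging,
]


def evaluate(req: dict) -> list[Finding]:
    """Run every check against a deployment request and collect the findings."""
    return [f for f in (check(req) for check in CHECKS) if f is not None]


def admit(req: dict) -> tuple[bool, list[Finding]]:
    """Inline gate: admit only when no high-severity finding is present."""
    findings = evaluate(req)
    return all(f.severity != "high" for f in findings), findings


# Constructed sample requests (assumption: field names loosely modelled on
# object-storage bucket APIs; not any provider's real schema).
RISKY_REQUEST = {
    "resource": "bucket/customer-exports",
    "region": "us-east-1",
    "data_classification": "eu-personal",
    "acl": "public-read",
    "public_access_block": False,
    "encryption": {"enabled": False},
    "access_logging": False,
}

COMPLIANT_REQUEST = {
    "resource": "bucket/customer-exports",
    "region": "eu-central-1",
    "data_classification": "eu-personal",
    "acl": "private",
    "public_access_block": True,
    "encryption": {"enabled": True, "key_management": "customer-managed"},
    "access_logging": True,
}

if __name__ == "__main__":
    for name, req in (("risky", RISKY_REQUEST), ("compliant", COMPLIANT_REQUEST)):
        ok, findings = admit(req)
        print(f"{name}: {'ADMIT' if ok else 'DENY'}")
        for f in findings:
            print(f"  [{f.severity}] {f.rule}: {f.detail}")
```

The design point is the split between "high" findings, which deny the request outright, and "medium" findings, which are recorded but do not block; that keeps the gate strict on the failure modes the article names (public exposure, missing encryption, data held in a region its governing regulation does not permit) while still leaving an audit trail for the softer recommendations.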

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.



Key takeaways

After reading this article you will be able to understand:

  • The security and compliance risks of cloud computing

  • How the use of multi-cloud infrastructure can lead to misconfigurations

  • Potential solutions to data compliance across multiple clouds and multiple jurisdictions



Dive deeper into this topic.

Learn more about securing cloud-based application services in the "3 challenges of securing and connecting application services" whitepaper.
