In this article, we explain everything you need to know about making sure your cloud-based database is compliant and serves your needs.
Compliant versus compliance as a service
The first important distinction is knowing what vendors are offering when they say you are getting a compliant service.
- Compliant servers: Cloud vendors publish explicit lists of the certifications and regulations you can comply with when using their services and cloud databases. This does not mean that using the service makes you compliant; it only makes it possible to run a compliant service on the servers you have purchased from the vendor.
- Monitoring and reporting: Some compliant cloud databases include monitoring services and reports that align with various industry standards. Check with each vendor exactly what this means; you may get anything from basic APIs all the way through to complete monitoring and reporting.
- Compliance as a service: Compliance as a service is offered for specific standards, such as PCI-DSS or HIPAA. Typically this means that, in addition to the servers, you are purchasing a set of compliance services such as data encryption, disaster recovery, reporting and vulnerability scanning. Each compliance-as-a-service vendor offers something a bit different, so you need to check carefully what you are getting. None of the vendors we observed provide data masking or separation of duties, so even compliance as a service is rarely a complete solution for compliance.
What does compliance mean?
Compliance can refer to adherence to any of a long list of standards and regulations, including:
- Cloud Security Alliance CCM
- Control Objectives for Information and related Technology (COBIT)
- Criminal Justice Information Services (CJIS)
- European Data Protection Directive 95/46/EC
- Family Educational Rights and Privacy Act (FERPA)
- Federal Risk and Authorization Management Program (FedRAMP)/ Federal Information Security Management Act (FISMA)
- ISO/IEC 27001:2005 Audit and Certification
- Federal Information Processing Standard (FIPS)
- Gramm-Leach-Bliley Act (GLBA)
- HIPAA and HITECH Act
- International Traffic in Arms Regulations (ITAR)
- Life Sciences GxP Compliance
- MTCS Tier 3 Certification
- Payment Card Industry (PCI) Data Security Standards (DSS)
- Sarbanes-Oxley (SOX)
- SOC 1, SOC 2 and SOC 3, SSAE 16/ISAE 3402 attestations (formerly SAS 70)
- United Kingdom G-Cloud OFFICIAL Accreditation
- U.S. Commerce Department Safe Harbor Certification
Obviously, with a list that long, there is no single solution that covers everything and no single definition of what compliance means. At the same time, most of the standards cover the following basics for databases:
- Protection of personally identifiable information (PII)
- Protection of financial information such as credit cards, etc.
- Protection of private data, such as health and financial information
- Assurance that data has not been tampered with
- Tracking and control of all permissions and users with access to the database, including tracking of all activities by authorized users
- Management of schema and data changes
- Tracking and documentation of all changes made to the database
- Documentation of the database schema and access permissions
- Ability to revert to previous versions of the database in case of issues
- Data mapping and knowledge of where data resides
- Backup and disaster recovery of critical data
- Monitoring for suspicious behavior, and the ability to perform forensic tracking if a breach is discovered
Your organization probably has to uphold some or all of these regulatory requirements. At a minimum, you need to know who is using your database, what access they have, and what activities they performed on it.
HexaTier helps enterprises stay aligned with PCI-DSS, HIPAA and SOX compliance with line-by-line assessments of each requirement.
Doesn’t having a compliant database server mean that you’re compliant?
No. What you do get is physical security, disaster recovery, basic operating system security, and perhaps other services such as automatic patching, monitoring and possibly encryption. You need to know exactly what your cloud vendor is providing and compare it to the compliance standards your organization needs.
What is Compliance as a Service?
Compliance-as-a-service offerings typically bundle some or all of the following:
- Basic application security (WAF, webserver, OS, DB patching)
- Backup and restore
- Data integrity
- Database patching
- Disaster recovery
- Encryption at rest
- Encryption in transit
- Monitoring and reporting
- Network security
- Perimeter security
- Physical security
- Vulnerability scans
Some of these services are basic, while others are more comprehensive. Make sure to choose the right service according to your specifications. In any case, you are most likely going to find that compliance as a service is missing some critical elements, as we point out below.
What’s missing from “compliance as a service”?
You need to make sure your compliance-as-a-service offering provides security measures such as separation of duties, data discovery, real-time blocking of attacks, and data masking, especially since most industries require separation of duties and monitoring of all user access to the database as standard. If your service does not include these capabilities, HexaTier’s database security feature, which includes a database firewall, lets you control all user access at a granular level.
Here is a list of services you need to make sure you have in addition to your compliance-as-a-service offering:
- Database access control
- Separation of duties
- Annual risk assessment
- Application management
- Change control
- Data discovery
- Data masking
- Incident response
- Policy creation and enforcement
- Real-time data protection
- Repair of vulnerabilities
- Personnel training
- Service configuration
Cloud-based compared to on-premises
Using a cloud-based database brings in a number of other elements that aren’t present with on-site databases. The following issues need to be considered when creating the specifications for your cloud database and in making sure you are compliant.
- Data residency: Some regulations require data to be stored in particular territories or by entities subject to the laws of specific regions. Most cloud providers let you choose, and will commit to, the region in which your data is stored.
- Data access: It is important to ensure that the cloud vendor is not able to access the database. In practice this means finding out which vendor staff can reach the database and under what conditions, and keeping the encryption keys out of the vendor’s hands.
- De-provisioning: When an employee leaves, separate procedures need to be implemented for cloud-based services. In on-premises systems, many companies have automated offboarding capabilities that may not cover cloud services unless they are explicitly integrated.
- Encryption: Data can be encrypted on the database when it is at rest, and also in transit to and from the database. Make sure the encryption keys are stored on a separate system from the database they protect, so that a compromise of the database server alone does not expose the keys.
- Multi-tenancy: For highly secure systems it is recommended not to host your data on a shared server.
- Negotiation: It is important to discuss your needs with your cloud vendor and/or a security consultant. Do not make the mistake of thinking that the vendor has fixed offerings. It’s often possible to negotiate for a custom solution or pricing that is better for your needs.
- SLA and continuity: Make sure you understand the service level agreement and that it is compatible with your needs. Consider what might happen if the cloud vendor is compromised and what kind of backup plan you may need.