Moving your database to the cloud is becoming not just a viable option for many organizations, but a best practice for availability, flexibility, recovery and even security. Cloud vendors are clear about the need for shared responsibility, and as an IT manager, you need to know exactly what your responsibility is.

When choosing a cloud-based database, it’s obvious that you need to choose a compliant solution, but what does that mean? Several cloud vendors have compliance-as-a-service offerings, but what does that include?

In this article, we explain everything you need to know about making sure your cloud-based database is compliant and serves your needs.

Compliant versus compliance-as-a-service

The first important distinction is knowing what vendors are offering when they say you are getting a compliant service.

  • Compliant servers: Cloud vendors provide explicit lists of the certifications and compliance regulations that you can comply with when using their services and cloud databases. However, this does not mean that by using their service you are compliant; it only enables you to run a compliant service on the servers you’ve purchased from the vendor.
  • Monitoring and reporting: Some compliant cloud databases may include a variety of monitoring services and reports that align with a variety of industry standards. Check per vendor exactly what this means. You may get anything from basic APIs all the way through complete monitoring and reports.
  • Compliance as a service: Compliance as a service is offered for specific standards, such as PCI-DSS or HIPAA. Typically, what this means is that, in addition to the servers, you are purchasing a variety of compliance services such as data encryption, disaster recovery, reporting, vulnerability scanning, etc. Each compliance-as-a-service vendor offers something a bit different, so you need to be vigilant about what you are getting. None of the vendors we observed are providing data masking or separation of duties, so even compliance-as-a-service is rarely a complete solution for compliance.

What does compliance mean?

What is compliance? First of all, there are lots of different compliance standards. Here is only a partial list of the compliance standards we’ve seen mentioned in connection with cloud computing.
  • Cloud Security Alliance CCM
  • Control Objectives for Information and related Technology (COBIT)
  • Criminal Justice Information System Database (CJIS)
  • DIACAP
  • European Data Protection Directive 95/46/EC
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Risk and Authorization Management Program (FedRAMP)/ Federal Information Security Management Act (FISMA)
  • ISO/IEC 27001:2005 Audit and Certification
  • Federal Information Processing Standard (FIPS)
  • Gramm-Leach-Bliley Act (GLBA)
  • HIPAA and HITECH Act
  • International Traffic & Arms Regulations (ITAR)
  • Life Sciences GxP Compliance
  • MTCS Tier 3 Certification
  • Payment Card Industry (PCI) Data Security Standards (DSS)
  • Sarbanes-Oxley (SOX)
  • SB-1386
  • SOC 1, SOC 2 and SOC 3, SSAE 16/ISAE 3402 Attestations (formerly SAS 70)
  • United Kingdom G-Cloud OFFICIAL Accreditation
  • SSAE 16
  • U.S. Commerce Department Safe Harbor Certification
  • MPAA

Obviously, with a list that long, there isn’t only one solution that covers everything or one explanation of what compliance means. At the same time, most of the standards cover the following basics for databases:

  • Protection of personally identifiable information (PII)
  • Protection of financial information such as credit cards, etc.
  • Protection of private data, such as health and financial information
  • Assurance that data has not been tampered with
  • Tracking and control of all permissions and users with access to the database, including tracking of all activities by authorized users
  • Maintenance of schema and data changes
  • Tracking and documentation of all changes made to the database
  • Documentation of the database schema and access permissions
  • Ability to revert to previous versions of the database in case of issues
  • Data mapping and knowledge of where data resides
  • Backup and disaster recovery of critical data
  • Monitoring of any suspicious behavior and ability to perform forensic tracking if any breach was discovered

Your organization probably has to uphold at least some, if not all, of these regulatory requirements. At a minimum, you need to know who is using your database, what access they have, and what activities they performed on the database.

HexaTier helps enterprises stay aligned with PCI-DSS, HIPAA and SOX compliance, with line-by-line assessments of each requirement.

Doesn’t having a compliant database server mean that you’re compliant?

No.
If you purchase a cloud service using a server that is compliant, you are not compliant. You are still responsible for most of the compliance activities noted above.

What you do get is physical security, disaster recovery, basic operating system security, and perhaps some other services such as automatic patching, monitoring and possibly even encryption. You need to make sure you know exactly what your cloud vendor is providing and compare it to the compliance standards your organization needs.

What is Compliance as a Service?

Several vendors offer compliance as a service, which means that you get many of the basic requirements covered. Some of the compliance-as-a-service vendors were extremely basic, as they only provide encryption and disaster recovery. Many solutions offer monitoring and reporting in a format that aligns with specific standards requirements. None of the solutions offered real-time interception of attacks, separation of duties, or mapping of different schema or sensitive data on the database.
Even the most comprehensive compliance-as-a-service vendor claimed only to cover 90% of the potential vulnerabilities in areas such as auditing, monitoring, remediation, incident response, and gap analysis. Although 90% may sound good, in the area of security and compliance it’s the same as 0%.
Either you are compliant, or not. If not, you will get fined. Either you are secure or you get breached. 90% security is useless if even one malicious attacker manages to copy your database outside the organization.
We’re not saying that you shouldn’t use compliance-as-a-service. The features they offer are useful and important. However, in most cases, to be compliant, you will need to supplement it with other solutions.
If you are considering compliance as a service, you can expect to have a combination of any of the following services.
  • Authentication
  • Basic application security (WAF, webserver, OS, DB patching)
  • Backup and restore
  • Certification
  • Data integrity
  • Database patching
  • Disaster recovery
  • Encryption at rest
  • Encryption in transit
  • Monitoring and reporting
  • Network security
  • Perimeter security
  • Physical security
  • SSL
  • Tokenization
  • Vulnerability scans

Some of the services are basic, while some are more comprehensive. Make sure to choose the right service according to your specifications. In any case, you are most likely going to find that compliance as a service is missing some critical elements, as we point out below.

What’s missing from “compliance as a service”?

You need to make sure your compliance-as-a-service offering provides security measures such as separation of duties, data discovery, real-time blocking of attacks and data masking. This matters especially because most industries require standard separation of duties and monitoring of all user access to the database. If your service does not include these capabilities, it’s absolutely crucial to use HexaTier’s database security feature, which includes a database firewall that allows you to control all user access at a granular level.

Here is a list of services that you need to make sure you have in addition to your compliance-as-a-service offering:

  • Database access control
  • Separation of duties
  • Annual risk assessment
  • Application management
  • Change control
  • Data discovery
  • Data masking
  • Incident response
  • Policy creation and enforcement
  • Real-time data protection
  • Repair of vulnerabilities
  • Personnel training
  • Service configuration

Cloud-based compared to on-premise

Using a cloud-based database brings in a number of other elements that aren’t present with on-site databases. The following issues need to be considered when creating the specifications for your cloud database and in making sure you are compliant.

  • Data residency: Some regulations require data to be stored in particular territories or by entities covered by laws in specific regions. Most cloud providers can offer guarantees of where the data is stored.
  • Data access: It is important to ensure that the cloud vendor is not able to access the database.
  • De-provisioning: When an employee leaves, separate procedures need to be implemented for cloud-based services. In on-premises systems, many companies have automated offboarding capabilities that will not be available in the cloud.
  • Encryption: Data can be encrypted on the database when it’s at rest, and also while in transit from the database. Make sure the encryption keys are stored on a separate server from the database you are using.
  • Multi-tenancy: For highly secure systems it is recommended not to host your data on a shared server.
  • Negotiation: It is important to discuss your needs with your cloud vendor and/or a security consultant. Do not make the mistake of thinking that the vendor has fixed offerings. It’s often possible to negotiate for a custom solution or pricing that is better for your needs.
  • SLA and continuity: Make sure you understand the service level agreement and that it is compatible with your needs. Consider what might happen if the cloud vendor is compromised and what kind of backup plan you may need.

Conclusion

Cloud vendors are offering a wide variety of compliant servers for different industry standards, but it’s important not to be lulled into thinking that compliant servers will resolve your compliance issues. In fact, even compliance as a service is lacking in a number of critical functions for ensuring compliance.
Make sure your company knows exactly what level of compliance you need and that you follow these guidelines to make sure you are truly protecting your cloud-based database.