Some companies think of the cloud as just another data center in a different location. As we learned in the webinar, Achieving Regulatory Compliance in the Microsoft Cloud, that is not the best way to think about it. An on-premises data center and Azure share some similarities, but doing the same thing in both will not translate well. The problem is that people are not architecting with the cloud in mind.
With conditions constantly changing, how will your company quickly adapt its cloud controls, standards, and processes to maintain compliance? That was the topic of this webinar, in which a group of experts shared tools and resources to help you develop a roadmap for tackling the compliance needs of the Azure cloud.
Ken Dunham, Principal Consultant at Global Security Consulting Services, hosted the webinar. The guest speakers were Terry Baresh, CBAP, a Cybersecurity Solutions Principal Business Analyst at Securian Financial, Lisa Abshire with ACTS Cloud Managed Security Services, and Brendan Hoffman, an Azure Service Manager at ACTS.
Regardless of industry, most organizations have to report to regulatory bodies, each with its own set of requirements. Unfortunately, those requirements have become more complicated as data and applications move to the cloud. Companies also find themselves lacking direction on data loss prevention, data classification, document tagging, legacy data archiving, third-party access, and other issues that can keep an organization from being in good standing with its regulators.
Cybersecurity focuses on applying controls, policies, and standards so that you prioritize resources and protect the right things. Before 2013, the focus was on watching the infrastructure perimeter, and compliance was treated as the job of business officers and auditors. The compliance and security teams rarely worked together or sat at the same table.
The paradigm shifted radically after the significant breaches of 2013 and 2014. The focus broadened from the perimeter to safeguarding data and preparing for breaches, and executives started to realize that security was their problem, not something that was solely the responsibility of IT. It was at this point that cyber risk became a business risk.
With this change, businesses recognized the need to protect the confidentiality, integrity, and availability of their data. Addressing that need became a business proposition that brought compliance, privacy, and cybersecurity together.
You can’t protect what you don’t know you have. However, you also probably can’t protect everything, which is why you have to know what to monitor. The best way to do this is to inventory your assets, understand the threats and vulnerabilities that apply to them, and then calculate the risk associated with each asset. Risk scoring lets you prioritize which controls and standards to apply first.
Part of compliance is identifying all of the regulatory and policy requirements that apply to you. There are many regulatory and governing bodies. You may have to deal with the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), the Federal Information Security Modernization Act (FISMA), and the California Consumer Privacy Act (CCPA) if you handle the personal data of California residents. These are just a few of the alphabet soup of regulations that can affect your business.
You need to assess those regulatory requirements and then put controls and guardrails in place for them so that you are proactive. You need to be able to identify and track threats as they arise. In addition to the proactive measures, you need reactive monitoring and auditing that records what actions were taken when an event occurs.
From an internal perspective, list your stakeholders, your internal and external policymakers, and your regulators, and use that list to establish a matrix of roles and responsibilities. You need to know who will do what and who is ultimately accountable if things don’t get done. You’ll also want to establish a security matrix that gives a high-level view of the things you are trying to protect.
Someone (or a group of people) needs to take responsibility for documenting your policies and standards. You may already be doing this, but you need to map those policies to your new security matrix. Review your guidelines and practices to see how things currently look, identify the gaps and overlaps, and then make the changes you need to make.
This is also a good time to reevaluate the tools you’re currently using. You may wish to deploy a cloud access security broker (CASB), and you will need to plan and prepare for that. You will also need an established communication plan owned by a named person on your team, who knows what to communicate, when to communicate it, and how, when something happens.
Some of the tools you might use include:
Azure Information Protection: lets you define how users classify their documents and emails, lets your organization determine the labels, protections, and visual markings appropriate to it, and tracks where sensitive documents travel.
Azure Active Directory Identity Protection: detects identity-based risk (risky sign-ins and compromised users) and feeds those risk levels into Conditional Access policies, automating detection and remediation. Depending on the risk levels you define as acceptable, you can either block access when a threat is detected or allow self-remediation through multi-factor authentication and self-service password reset.
Microsoft Cloud App Security: a Cloud Access Security Broker that safeguards an organization’s use of cloud services by enforcing enterprise security policies. It acts as a gatekeeper that brokers access between enterprise users and cloud resources.
Intune: enables organizations to manage and secure end-user devices. It is a cloud-based service focused on mobile device management and mobile application management.
Compliance Center: helps reduce risk, automates your organization’s compliance scoring and mapping, and lets you respond to legal requirements. Compliance Center allows you to manage compliance across Office 365.
Azure Sentinel: a security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tool. It automates and supports the activities of your SOC teams, delivering security analytics and threat intelligence across your organization in a single solution for alert detection, threat visibility, proactive threat hunting, threat response, and remediation.
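The block-or-self-remediate behavior described for Identity Protection above is configured as Conditional Access policies that key on risk level. The following is an added example (not from the webinar, and not ACTS’ or Microsoft’s own code) that uses the Microsoft Graph PowerShell SDK to create two such policies: one requiring MFA at high sign-in risk, and one requiring MFA plus a password change at high user risk. The policy display names, the break-glass account object ID, and the choice to start in report-only mode are assumptions for illustration.

```powershell
# Added example (not from the webinar): risk-based Conditional Access policies
# that consume Azure AD Identity Protection risk levels.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph),
# an Azure AD Premium P2 license for Identity Protection risk signals, and an
# admin account that can consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Assumed: object ID of an emergency-access (break-glass) account. Always exclude
# at least one such account so a mis-scoped policy cannot lock every admin out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Policy 1: high sign-in risk -> let the user self-remediate with MFA.
# Change builtInControls to @("block") to deny access outright instead.
$signInRiskPolicy = @{
    displayName = "CA-Risk-01 High sign-in risk requires MFA"   # assumed name
    # Start in report-only mode, review the impact in the sign-in logs, then
    # change the state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        signInRiskLevels = @("high")
        clientAppTypes   = @("all")
        applications     = @{ includeApplications = @("All") }
        users            = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: high user risk (for example leaked credentials) -> require MFA AND a
# password change. The passwordChange control must be combined with mfa using
# the AND operator; the password change is what clears the user risk.
$userRiskPolicy = @{
    displayName = "CA-Risk-02 High user risk requires password change"   # assumed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        userRiskLevels = @("high")
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' (id {1}, state {2})" -f $created.DisplayName, $created.Id, $created.State)
}

# Verify what is actually in the tenant, including pre-existing policies that
# overlap with these ones; overlapping or contradictory policies are a common
# source of the gaps the webinar warns about.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = "SignInRisk"; e = { $_.Conditions.SignInRiskLevels -join "," } },
        @{ n = "UserRisk";   e = { $_.Conditions.UserRiskLevels -join "," } },
        @{ n = "Controls";   e = { $_.GrantControls.BuiltInControls -join "," } } |
    Format-Table -AutoSize
```

Self-remediation only works for users who have already registered for MFA and, for the password-change control, self-service password reset; unregistered users hit a block rather than a prompt, so register users before moving either policy out of report-only mode. Adding "medium" to the risk-level arrays widens the net at the cost of more prompts, which is the "acceptable risk level" trade-off the tool description refers to.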
The silos are real
You need to break down the silos and realize that cloud compliance is a business problem, not something that can be thrown over the wall to a lawyer when an incident occurs. You must take care of compliance and privacy starting today. It needs to be reviewed regularly and communicated across the organization.
Get the full scoop by downloading the full webinar, Achieving Regulatory Compliance in the Microsoft Cloud.