Cloud security control inheritance
1. Cloud security control inheritance
Until around 2011, organizations using the cloud generally didn’t know the security controls that cloud providers offered. Luckily, much has changed since then. Now, major cloud providers openly publish the controls they already have in place. These are called inherited controls. Because of this, it’s important to understand how inherited cloud security controls relate to frameworks and compliance. It’s important to call out our discussion in this course should not be considered legal advice. Control inheritance is the process of using controls or compliance certifications and audits that are already provided by a cloud service provider. An organization can use inherited controls to meet their control requirements when using a cloud environment, like Google Cloud. Because the controls are supplied by the cloud provider, they can be inherited or incorporated into the overall controls that an organization uses. The use of existing cloud service provider controls enables an organization to inherit them into their compliance process. Remember, organizations adhere to compliance standards. Compliance standards are typically established by their governing entities, both internal and external. If an organization cannot provide evidence of compliance, they may be held accountable. For example, an internal governing entity might be the Board of Directors or a company policy. Examples of external entities include regulators and customers that require compliance. Lack of internal compliance may result in a less secure cloud environment. Lack of external compliance may result in a failure to secure or retain a commercial relationship with a business, or incur fines and penalties by a regulatory body. Frameworks are consensus agreements that outline the minimum acceptable level of security. They offer guidance and define scope. As a cloud security professional, you can use frameworks to help organize the security effort and help meet compliance objectives. Frameworks help you to evaluate and select appropriate controls, including inherited controls. A framework is a guide. It doesn’t tell you what inherited controls a service provider will give you, but it will prompt you to ask your cloud provider the right questions. You can get the most out of your inherited controls by identifying alignment between compliance frameworks and cloud vendor inherited controls. Recognizing and adapting inherited controls to business requirements will enable you to achieve compliance within your organization. For example, if an organization is planning to offer protected health information, or PHI, handling services on the cloud, knowing that the cloud service provider is certified in a HIPAA-compliant framework allows the organization to build on their evidence of controls in the cloud platform. First, it’s important to understand the business risks and legal requirements of your industry and organization. For example, healthcare or government organizations may have specific laws and requirements that you will need to comply with. It’s also important to understand the business expectations that customers may place on your organization. Once you understand industry requirements, legal requirements, and commercial expectations, you can choose frameworks and or compliance certification programs to help guide your cloud security team. By identifying the inherited controls that align with your chosen framework, your team can determine how you’ll build or configure tools and services to meet business objectives. For example, imagine an organization plans to control and manage card user data. It would be a good idea for the organization to choose a cloud service provider that meets PCI DSS requirements. The organization will inherit those controls. The organization can use the cloud service provider’s audited controls and may then add their own controls on top to achieve the full set of required controls. Using inherited controls and the controls that your team has put into place you can secure assets and meet compliance obligations. Here’s a pro tip before we go: Frameworks are tools to help you meet your security goals. They are not the end goal themselves.2. Let's practice!
Create Your Free Account
or
By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.