Data compliance risks are a growing concern for enterprises that store and manage sensitive data, as failure to meet codified standards can result in financial penalties, damage to reputation, and loss of customer trust. In fact, according to recent analysis, the cost of non-compliance is 2.71 times greater than the cost of compliance. It’s critical to appreciate that proper compliance also requires us to determine which security controls can be of use. Let’s unpack what data compliance means in this context and how mitigating its risks relates to data security.
Data compliance refers to the formal governance framework used to guide and enforce laws, rules and standards around the possession, organization, storage and administration of digital assets or data. Privacy regulations, such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), began to emerge in earnest after 2016 and were implemented to protect consumers from the consequences of data loss, theft, and misuse that have become more common with the rise of digital business practices.
Data compliance, as a whole, involves multiple types and sets of rules that organizations must follow.
Governance. An organization’s internal set of rules and oversight over data storage, usually set and enforced by senior leadership. These rules are often based on industry best practices, such as cloud governance, and are intended to guide employees on how to best carry out their organization’s goals and objectives while still respecting public interest and laws.
Laws and regulations. Here, we refer to the bodies of laws that must be followed, as well as the laws themselves and consequences for not following them.
Contracts. This is a more general legal term associated with the obligations of contracting parties to uphold their terms of agreement. For example, an organization that handles or keeps credit card data most likely has a contract with credit card providers that calls for it to meet particular Payment Card Industry Data Security Standard (PCI-DSS) requirements.
Standards. Standards are highly encouraged best practices. In the world of security measure adoption, these include publications from the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST). They can cover a broad range of topics. For example, ISO 27017 focuses on protecting information in cloud services, while ISO 27701 specifically focuses on protecting personal data.
There are three main reasons why compliance is so hard to carry out.
Compliance is a spectrum. Compliance requirements range from technical to abstract. Technical compliance objectives are relatively easy to follow and can be checked off a list. Subjective compliance requirements call for a degree of interpretation, which takes more effort to understand and enact in a meaningful way.
There are many rules to comply with. Most companies must comply with several rules, regulations and standards at once. This can be tricky because there is a lot of information to keep track of, and it can be difficult to ensure that all relevant parties within the organization are aware of and following the appropriate guidelines. In addition, the specific requirements of each rule, regulation, or standard may differ, making it challenging to ensure that every necessary step is being taken to meet all of them.
Compliance is a continuous effort. Organizations must scan and audit their environments periodically for data compliance issues in order to mitigate risks. Compliance is never truly "done," and organizations must be prepared to constantly review and update their practices to remain compliant.
Before the widespread adoption of cloud computing, companies typically ensured compliance on-premises by implementing a variety of physical and technical controls. These could include measures like physical security, segregated networks for sensitive data, access controls, encryption and manual audits.
However, digital transformation has introduced new challenges and considerations. In a cloud computing environment, sensitive data is typically stored and managed by a third-party service provider, rather than on an organization’s own premises. These organizations no longer have direct control over the physical and technical controls that are used to protect their data.
Despite the agility it offers, the cloud still comes with a host of complications. For example, a data store in the cloud can be made public or decrypted with a single click, and there are hundreds of possible configuration combinations for a single data store. Making those configuration choices falls on the organization using the cloud provider’s tools, leaving a potential gap between the point where the provider’s responsibility (supplying the security tools) ends and the point where it is up to the organization to configure and manage its cloud environment by using those tools wisely.
Additionally, the increased use of cloud-based services has led to the development of new compliance standards and regulations specifically for the cloud. These standards, such as the PCI DSS and the GDPR, provide guidance on how to ensure compliance in a cloud environment, and are adding to the many regulations that every company needs to comply with either way.
While it’s important not to conflate security with compliance, it’s still critical to appreciate the close relationship between the two: namely, that compliance is key to securing your environments. Compliance can aid in risk mitigation and data breach prevention by ensuring that a company has sufficient security measures in place to preserve sensitive data and thwart unwanted access to it.
So, how do we navigate the strange, not-so-new cloud world that only seems to grow increasingly complex with each passing day?
Plan ahead to be prepared for regulatory audits. Organize how your security teams can help and work with privacy teams to determine what evidence of compliance you may be asked to provide (such as logs, region-specific constraints, etc.). Not only will this keep you prepared, it might also save time and money on forensics in the event of a data breach.
Use your cloud provider’s tools wisely. Many cloud providers offer auditing, encryption and access information, which are regulatory staples for demonstrating that security requirements are met.
Leverage your security tools. There is a potentially large blind spot between the things the cloud provider is responsible for and the regulations that companies can easily satisfy with their current tools and knowledge. This is the gap that DSPM services fill.
For example, Data Security Posture Management (DSPM) services like Eureka can:
We set out to build Eureka’s DSPM platform so that regulatory compliance no longer needs to be such a headache. Eureka provides a bird’s eye view of all cloud data stores and the security industry’s first-ever data-centric policy translation engine. Our engine automatically translates data protection policies around privacy, risk, compliance and security into platform-specific controls that can be implemented into each cloud data store.
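As an added illustration (not Eureka’s code or engine), the following Python checks a constructed inventory of cloud data stores against a data protection policy expressed once in code, covering the controls the post names as audit evidence: public exposure, encryption at rest, region constraints and audit logging. The store names, regions and policy values are assumptions made up for the example.

```python
"""Added example (not Eureka's code): a minimal posture check that applies one
data protection policy to every cloud data store in an inventory and reports
the gaps an auditor would ask about. All inventory values are constructed."""
from dataclasses import dataclass


@dataclass
class DataStore:
    name: str
    region: str
    public: bool
    encrypted_at_rest: bool
    audit_logging: bool
    classification: str = "internal"   # "internal" or "sensitive"


# Policy stated once, then applied to each store (constructed values).
POLICY = {
    "allowed_regions": {"eu-west-1", "eu-central-1"},  # e.g. a data-residency constraint
    "require_encryption_for": {"sensitive"},
}

# Constructed inventory, the shape a provider's configuration API might return.
INVENTORY = [
    DataStore("customer-db", "eu-west-1", False, True, True, "sensitive"),
    DataStore("marketing-assets", "us-east-1", True, False, False, "internal"),
    DataStore("pii-exports", "eu-central-1", True, False, True, "sensitive"),
]


def evaluate(store: DataStore, policy: dict = POLICY) -> list:
    """Return the policy violations for one store (an empty list means compliant)."""
    findings = []
    if store.public:
        findings.append("publicly accessible")
    if store.classification in policy["require_encryption_for"] and not store.encrypted_at_rest:
        findings.append("sensitive data not encrypted at rest")
    if store.region not in policy["allowed_regions"]:
        findings.append(f"region {store.region} outside allowed set")
    if not store.audit_logging:
        findings.append("audit logging disabled")
    return findings


def scan(inventory=INVENTORY, policy: dict = POLICY) -> dict:
    """Map each non-compliant store name to its findings; run this on a schedule."""
    return {s.name: f for s in inventory if (f := evaluate(s, policy))}


if __name__ == "__main__":
    for name, problems in scan().items():
        print(f"{name}: {'; '.join(problems)}")
```

Because compliance is continuous, the same scan would be scheduled against a live inventory and its output kept as audit evidence rather than run once.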