Some cloud vendors are charging extremely high fees for basic security features, such as audit logs, as the opportunity to hold their customers’ hostage for increased revenue knowing the customer is in non-compliance with industry regulations. Customers of these cloud vendors have a difficult choice — either pay the high fees for a very basic security component or risk non-compliance with an industry regulation. How can cloud vendors and customers, especially those in highly regulated industries, break free from security and compliance challenges? This blog post also reviews key ‘Lessons Learned’ in working with your cloud vendor on your security and compliance posture in relation to audit logs.
Is Your Cloud Vendor Taking Your Security & Compliance Posture Hostage?
As the cloud supports mission critical business applications, cloud vendors are being pressed on their ability to support data protection, data integrity and comply with governance frameworks. For many cloud vendors, they’ve lacked the vision and foresight to build in the security and workflows that can support these frameworks and will be unable to fulfill on their customers’ demands. These vendors will fail to make the transition to the world of mission or business critical cloud computing.
For leading cloud vendors, their foresight has positioned them well for cloud-based mission critical business. Microsoft’s Office 365 for example has built in security frameworks, relative transparency on information related to availability and data integrity, and Microsoft provides tremendous flexibility in accessing security related data such as real-time audit logs. Microsoft provides API’s and supports businesses and third-party ISV’s in adding value through these API’s. Further, Microsoft provides these capabilities for no-charge if you own business-enterprise editions of their products. In my opinion, Microsoft has struck a great balance of delivering out-of-the-box business critical services in Office 365 while promoting their business interests and embracing the ISV community to add value.
Not all cloud vendors are as visionary as Microsoft. Some vendors charge extremely high fees for basic security features such as audit logs as the opportunity to hold their customers’ hostage for increased revenue knowing the customer is in non-compliance with industry regulations such as PCI, HIPAA, FERMA and security frameworks related to FINRA and the FCA in the UK. Customers of these cloud vendors have a difficult choice — either pay the high fees for a very basic security component or risk non-compliance with an industry regulation, as well as losing basic application security capabilities which could result in stolen data that “leaves no trace” because there were no audit logs enabled.
Every regulatory security framework in the world calls for the production of audit logs for applications holding personal information, so they should be provided by cloud vendors at low or no cost. But having the audit logs is not enough either. PCI, HIPAA, SOC 2, FERMA and FCA are all regulatory examples which require the monitoring of access to personal information through the continuous examination of audit logs. This means there must be automated monitoring software which looks for known bad-behaviors and unusual behaviors which are going to vary by industry, healthcare, education and finance in these examples, and there are variations on regulations by country, state, province or economic region, EU for example.
For global cloud vendors, they will need ISV support and should be strongly supporting ISV’s through well published API’s and making their audit logs available to their customers at low or no-charge.
Lessons Learned / Conclusions
For customers considering a cloud vendor, you must avoid Stockholm Syndrome … consider the security and compliance controls and capabilities upfront before you get locked-in.
Ask the right questions: Just because a cloud vendor says they are ensuring security and regulatory compliance doesn’t mean they are. Since many cloud services are deployed outside of IT by business-minded users, these employees must be prepared to understand the security and regulatory risks associated with cloud deployments to avoid putting their company at risk of a breach, fine or lawsuit.
Stolen data that leaves no trace: Audit logs and audit trails – must be part of a basic security protocol — without them there can be no monitoring and no forensics to figure out what happened and by whom. Cloud vendors should absolutely provide audit logs at low to no cost.
Compliance requires automated monitoring: PCI, HIPAA, SOC 2, FERMA and FCA are all regulatory examples which require the monitoring of access to personal information through the continuous examination of audit logs.
Look for ISVs: Many cloud vendors work with ISV partners to provide affordable and easy-to-use solutions that solve the security and compliance issues they lack.
As more businesses, especially in highly regulated industries like healthcare and financial services, increasingly move to the cloud, cloud vendors must ensure that security and compliance offerings are transparent, flexible, accessible and affordable for their customers. They need to understand that their end-user is more than likely not a security or compliance professional, and by not providing adequate or confusing messaging, they are putting their customers at risk. There is a way, as evidenced by Microsoft, to strike a perfect balance between business-interest, customer-interest, and a solid partner program.