Cloud compliance, or cloud security compliance, is the process of ensuring that a cloud environment, and the operations that take place within it, adhere to the specific regulatory standards affecting the industry in which a business operates. There are typically many cloud compliance standards with which a business must align, and it is incumbent upon security compliance personnel to configure and use cloud services in a way that complies with the applicable directives contained within the Cloud Security Alliance Cloud Controls Matrix (CSA CCM).
According to the Cloud Security Alliance, “the CCM can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.” Thus, depending on the industry a company operates in, there are powerful pre-existing frameworks teams can follow to ensure they stay compliant as the majority of their operations move into the cloud.
Automating cloud compliance wherever possible is a necessity in today's environment, especially in heavily regulated industries such as healthcare, financial services, and energy. Worthwhile cloud compliance tools should be able to detect compliance drift from the specified organizational standards and quickly reset environments to an overall “state of good.” This not only saves time and money, but can lower the odds of running afoul of regulators.
From state/territory-specific to nationally recognized compliance standards affecting multiple industries, there are many regulatory frameworks that are legally required, and some that are strongly recommended. Let's take a look at some of the more commonly known standards to which a wide swath of overall global commerce must adhere:
These benchmarks were created by the Center for Internet Security (CIS), a not-for-profit organization that helps organizations improve their security and compliance programs. CIS aims to create community-developed security configuration baselines, or CIS Benchmarks, for IT and security products. These benchmarks cover applications, cloud platforms, operating systems, and more.
The European Union's General Data Protection Regulation (GDPR) requires the protection of the personal data of EU citizens, regardless of the geographic location of the organization or the data. This includes technical and organizational measures that are regularly updated to ensure the level of security is appropriate to the current level of risk.
The Federal Risk and Authorization Management Program (FedRAMP) is a US federal government initiative that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud services. FedRAMP's aim is for companies to leverage modern cloud solutions and technologies safely and securely, particularly where federal information is involved.
This standard comes from the American Institute of Certified Public Accountants (AICPA) and defines reporting guidelines for how businesses should manage customer data. These reports can help organizations manage vendor supply chains, implement risk management processes, and more. They are aimed at a wide swath of stakeholders and should contain digestible, standardized language.
The Health Insurance Portability and Accountability Act (HIPAA) requires businesses that handle patient medical records and other protected health information (PHI) to effectively safeguard that information against security breaches. The HIPAA Security Rule details the administrative, technical, and physical controls for electronic PHI (ePHI). Because of the sensitivity of the data covered by the standard, the US government mandated compliance with the Security Rule in 2005. Of particular note, HIPAA Part 2, released in 2022, primarily protects “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”
ISO/IEC 27001 is a cloud security compliance management standard jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27001 specifies security management best practices and comprehensive security controls for information security management systems. It is an optional standard that some organizations choose to implement, both to benefit from the best practices it contains and to reassure customers that a comprehensive risk management solution is in place.
Taking that last point a step further, it's often a good idea for an organization to take a compliance program a step beyond what's required, developing additional measures tailored to its business needs and unique environment. Building these types of custom guidelines to overlay onto existing compliance programs is a proactive measure that will yield benefits beyond simply remaining compliant with the required regulations.
Things have changed from the days of old when cloud operations were novel and no one understood the complexity of tuning those operations to their specific organization or remaining in compliance with the regulatory standards of the day. However, there are complexities to be aware of that come with the many benefits of a move to cloud operations.
When an organization undergoes the “great shift” to cloud operations, a key challenge is the lack of unified visibility across environments. This problem also extends to human users, in terms of tracking who has access to data, where they can access it from, and how often they do so.
The most common cause of cloud breaches is misconfiguration. Gartner has even stated that 95% of cybersecurity breaches are caused by cloud misconfiguration. Some are caused by humans, others happen because of the assumption that the platform's defaults will catch problems, and still others stem from the desire to make resources more accessible. Organizations must implement controls to prevent, or detect and remediate, these errors to avoid a data breach.
Typically, third-party auditors must attest to the controls an organization has put in place that help it align with certain regulatory standards. On request, organizations must provide letters of attestation from those third parties that validate secure cloud operations practices, as well as certifications of compliance with specific industry regulatory standards. Certifications are typically valid for several years, while attestations speak more to the continuity and ongoing nature of compliance.
Accelerating into the cloud without caution often brings complexities that can cause more harm than good. Cloud environments are highly ephemeral, whereas legacy/on-premises systems are much less so. When an organization accelerates into the cloud, it often does not know what to do with those legacy systems, but they still need to be managed. This is where things get tricky for DevOps teams. Making things even more complex are exemptions: a resource or workload that is exempt from a given standard. The lack of a mechanism to exempt a resource can lead to many false positives that could cause unwanted and costly disruptions.
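The drift detection described earlier (comparing an environment against an organizational baseline and resetting it to a known-good state) and the exemption problem described in this paragraph can be shown in one small checker. The following is an added example, not code from the original article or from any product it mentions; the inventory, rules, exemptions and the evaluation date are all constructed sample data, and the attribute names are hypothetical rather than any cloud provider's real API fields.

```python
from dataclasses import dataclass
from datetime import date

# Constructed evaluation date, so results are reproducible.
AS_OF = date(2024, 1, 1)

# Constructed inventory: a flattened view of what a cloud API might return.
INVENTORY = [
    {"id": "bucket-logs", "type": "storage_bucket", "public_access": False, "encryption": "cmek"},
    {"id": "bucket-public-site", "type": "storage_bucket", "public_access": True, "encryption": "provider_managed"},
    {"id": "bucket-scratch", "type": "storage_bucket", "public_access": True, "encryption": "none"},
    {"id": "db-prod", "type": "database", "backup_enabled": True, "tls_required": True},
    {"id": "db-legacy", "type": "database", "backup_enabled": False, "tls_required": False},
]

# Organizational baseline: each rule names a resource type, the attribute it
# governs, the allowed values, and the value to reset to when the rule fails.
RULES = [
    {"id": "STO-1", "type": "storage_bucket", "attr": "public_access", "allowed": {False}, "reset_to": False},
    {"id": "STO-2", "type": "storage_bucket", "attr": "encryption", "allowed": {"cmek", "provider_managed"}, "reset_to": "provider_managed"},
    {"id": "DB-1", "type": "database", "attr": "backup_enabled", "allowed": {True}, "reset_to": True},
    {"id": "DB-2", "type": "database", "attr": "tls_required", "allowed": {True}, "reset_to": True},
]

# Exemptions are scoped to one resource and one rule, carry a written reason,
# and expire, so a temporary exception cannot silently become permanent.
EXEMPTIONS = [
    {"resource": "bucket-public-site", "rule": "STO-1", "reason": "intentionally public static website", "expires": date(2030, 1, 1)},
    {"resource": "db-legacy", "rule": "DB-1", "reason": "read-only archive, decommission pending", "expires": date(2020, 1, 1)},  # already expired
]


@dataclass
class Finding:
    resource: str
    rule: str
    observed: object
    status: str  # "fail" (needs remediation) or "exempt" (documented, suppressed)
    reason: str = ""


def active_exemption(resource_id, rule_id, exemptions, today):
    """Return the reason for an unexpired exemption matching this resource and rule, else None."""
    for ex in exemptions:
        if ex["resource"] == resource_id and ex["rule"] == rule_id and ex["expires"] > today:
            return ex["reason"]
    return None


def evaluate(inventory, rules, exemptions, today=AS_OF):
    """Compare every resource against every applicable rule and classify deviations."""
    findings = []
    for res in inventory:
        for rule in rules:
            if rule["type"] != res["type"]:
                continue
            observed = res.get(rule["attr"])
            if observed in rule["allowed"]:
                continue  # compliant, nothing to report
            reason = active_exemption(res["id"], rule["id"], exemptions, today)
            if reason:
                findings.append(Finding(res["id"], rule["id"], observed, "exempt", reason))
            else:
                findings.append(Finding(res["id"], rule["id"], observed, "fail"))
    return findings


def remediation_plan(findings, rules):
    """Translate unexempted failures into the attribute changes that restore the baseline."""
    by_id = {r["id"]: r for r in rules}
    return [
        {"resource": f.resource, "attr": by_id[f.rule]["attr"], "from": f.observed, "to": by_id[f.rule]["reset_to"]}
        for f in findings
        if f.status == "fail"
    ]


if __name__ == "__main__":
    found = evaluate(INVENTORY, RULES, EXEMPTIONS)
    for f in found:
        print(f"{f.status:6} {f.resource:20} {f.rule} observed={f.observed!r} {f.reason}")
    for step in remediation_plan(found, RULES):
        print("reset", step)
```

The two classes of output matter for the point made in the text: a documented, unexpired exemption turns the public website bucket into an "exempt" record that a reviewer can still see, while the expired exemption on the legacy database correctly falls back to a failure. Without that distinction the website bucket would be a permanent false positive, and with an exemption that never expires the database would be a permanent blind spot.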
Let's now take a look at some best practices and overall good hygiene that can counteract some of the bigger challenges in aligning to regulatory standards and maintaining compliance in the cloud.
Data encryption converts data from its original format into an unreadable one. Services such as Google Cloud Platform (GCP) always encrypt customer data automatically after it is received, but before it is written to disk and actually stored. Another example is that of credential encryption by cloud security providers; there are often several layers of decryption that must occur before those credentials can be used.
Speaking of credentials, the principle of least privilege access (LPA) ensures that access is granted to only the humans or programs that absolutely need to work on a specific task in the cloud. Solutions leveraging LPA will typically employ automation to tighten or loosen permissions based on the user's role.
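The tightening and loosening of permissions by role can be illustrated as a reconciliation between what a principal's role requires and what it has actually been granted. The following is an added example and not code from the original article or from any vendor's product; the role catalogue, the current grants, the permission names and the permission universe are all constructed, and the dotted names are hypothetical rather than any real provider's IAM permissions.

```python
from fnmatch import fnmatchcase

# Constructed role catalogue: the permissions each role's tasks actually need.
ROLE_PERMISSIONS = {
    "log-reader": {"storage.objects.get", "storage.objects.list"},
    "backup-operator": {"database.backups.create", "database.backups.list", "storage.objects.create"},
}

# Constructed current bindings, as might be pulled from IAM. A wildcard grant
# is typical of permissions widened "to make things work" and never narrowed.
CURRENT_BINDINGS = {
    "alice": {"role": "log-reader", "granted": {"storage.objects.get", "storage.objects.list", "storage.objects.delete"}},
    "bob": {"role": "backup-operator", "granted": {"database.*", "storage.objects.create"}},
    "svc-ingest": {"role": "log-reader", "granted": {"storage.objects.get"}},
}

# Constructed universe of permissions that exist on the platform; wildcards are
# expanded against it so their true scope becomes visible.
ALL_PERMISSIONS = {
    "storage.objects.get", "storage.objects.list", "storage.objects.create", "storage.objects.delete",
    "database.backups.create", "database.backups.list", "database.instances.delete",
}


def expand(granted, universe):
    """Expand wildcard grants into the concrete permissions they confer."""
    effective = set()
    for grant in granted:
        if "*" in grant:
            effective |= {p for p in universe if fnmatchcase(p, grant)}
        else:
            effective.add(grant)
    return effective


def reconcile(principal, binding, roles, universe):
    """Compute what to revoke (tighten) and what to grant (loosen) for one principal."""
    required = roles[binding["role"]]
    effective = expand(binding["granted"], universe)
    return {
        "principal": principal,
        "role": binding["role"],
        "revoke": sorted(effective - required),   # excess beyond the role's needs
        "grant": sorted(required - effective),    # needs the role has but the principal lacks
        "wildcards": sorted(g for g in binding["granted"] if "*" in g),  # worth replacing with explicit grants
    }


def reconcile_all(bindings, roles, universe):
    return {p: reconcile(p, b, roles, universe) for p, b in bindings.items()}


if __name__ == "__main__":
    for result in reconcile_all(CURRENT_BINDINGS, ROLE_PERMISSIONS, ALL_PERMISSIONS).values():
        print(result)
```

Expanding wildcards before the comparison is the step that matters: a grant such as `database.*` looks harmless as a single string, but against the permission universe it confers `database.instances.delete`, which the backup-operator role never needed. The same comparison also surfaces the opposite case, a service account that is missing a permission its role requires, so the automation loosens as well as tightens.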
Implementing zero trust is a convenient way to help keep cloud environments extremely secure. Every person, endpoint, mobile device, server, network component, network connection, application workload, business process, and data flow is inherently untrusted. They must all be continuously authenticated and authorized as each transaction is performed, and all behavior must be audited in real time and after the fact.
The principle of a well-architected framework in cloud operations essentially contends that there should be an agreed-upon approach for stakeholders to implement and evaluate a cloud architecture that best suits their business needs and priorities. The AWS Well-Architected Framework is perhaps the best-known example of this principle, and enables customers to identify high-risk issues.