Dedicated Cloud Hosts: Security and Compliance Considerations
Dedicated cloud hosting is growing in popularity, and is becoming a viable option for larger enterprises and organizations with compliance requirements. In this article, Ill discuss how organizations can enjoy the benefits of cloud hosting, while ensuring compliance with standards like GDPR, PCI DSS and HIPAA, understanding security risks inherent in a cloud environment, and addressing them.What is Dedicated Cloud Hosting?Dedicated cloud hosting involves selling or leasing a physical server, deployed in a hosting providers data center, to a customer.In most cases, the server will include a hypervisor, allowing it to integrate with the providers cloud computing environment. Unlike in traditional hosting scenarios, servers can be instantly provisioned, and quickly decommissioned when no longer needed.Another benefit of dedicated cloud hosting over traditional hosting scenarios is that it guarantees dedicated hardware, with full control over its configuration. Customers have full control over cloud servers on a dedicated cloud host, with the flexibility to configure and customize it as needed.Dedicated cloud hosting provides capabilities like:Attaching high performance block storage to the serverCustomizing hardware configuration on the server and scaling vertically as neededCustomizing DNS and networkingCreating Snapshots for cloning or testing purposesCreating Backups Onsite and Offsite while integrating with the organizations existing backup plansSetting up custom replication and high availabilityRegulatory Compliance for Cloud HostingIf your organization is subject to regulations or industry standards, you need to make sure your cloud hosting is compatible with those standards. Lets briefly review the compliance requirements for three important standards, and basic steps to ensuring compliance:GDPRthe European Unions data privacy regulation, affecting any organization that does business with EU citizensPCI DSSa standard created by the payment card industry to ensure that cardholder data is properly protectedHIPAAa US regulation affecting organizations in the healthcare industry, with strict requirements for treatment of protected health information (PHI)GDPR Compliant Cloud HostingWhat are GDPR requirements for cloud hosting?Here are some GDPR requirements that impact cloud hosting:You can not process, use, or store personal data of EU citizens without consent and the use of this data is limitedRight to be forgotten, meaning that EU citizens can request to have their personal details removedHow to comply with GDPRBoth you and your cloud service provider need to be compliant with GDPR:Select a GDPR-compliant providerDetermine your GDPR responsibilitiesall cloud providers should have a shared responsibility model. Typically, your organization is responsible for securing your data and workloads, while the cloud provider is responsible for infrastructureSeparate data that is protected under GDPRif possible, ensure that GDPR-protected data is not mixed with non-protected data in the same databaseApply security controls and deletion workflows to GDPR-protected dataPCI DSS Compliant Cloud HostingWhat are PCI DSS requirements for cloud hosting?According to the PCI SSC Cloud Computing Guidelines, PCI DSS requirements for cloud hosting depend on the following factors:Business use of cloud services you have deployedWhich requirements under PCI DSS are taken care of by the cloud providerScope of cloud provider systems that are PCI DSS compliantSpecific systems or services used by the organization, including services specifically used for compliance, such as security servicesHow to comply with PCI DSSThe guidelines detail the following measures to ensure cloud services are PCI compliant:Perform a risk assessmentConduct due diligence of cloud services you are usingCheck Service Level Agreements (SLAs) to ensure they are appropriate for PCI DSS requirementsPerform a review of all cloud and managed services selected and ensure they meet PCI DSS standards for your level of PCI DSS requirementsEnsure you have an appropriate business continuity/disaster recovery (BC/DR) plan for cloud-deployed servicesRead the full guidelines for more informationtake special note of the different requirements for cloud providers and customers.HIPAA Compliant Cloud HostingWhat are HIPAA requirements for cloud hosting?Cloud computing is not explicitly covered by the HIPAA Act, but it appears in its Privacy and Security Rules. HIPAA allows healthcare organizations to move PHI to public or private cloud platforms, provided that:The cloud provider signs a business associate agreement (BAA)They ensure the providers cloud environment is HIPAA compliantThey put the relevant safeguards in place for their data and applications to comply with HIPAA RulesHow to comply with HIPAAWhen selecting a HIPAA-compliant cloud hosting environment, ensure it includes the following security and disaster recovery controls:Firewall and intrusion prevention system (IPS)Ability to securely connect to the cloud using encrypted VPNData at rest must be encrypted, and stored in a HIPAA-compliant data centerMulti-factor authenticationFull audit trail with detailed event logsHigh resilience with SLA of 100% server uptimeBackups with off-site storage and automated/assisted data recoveryCloud Hosting Security RisksData LossMany organizations face significant risks when storing data in the cloud. Cloud storage services can easily be exposed to public networks, and if they are not securely configured, this can result in data loss. Multiple users and organizations can receive access to cloud systems, and improper management of credentials and privileges can result in data breaches.In addition, social engineering attacks, accidental file deletion, errors in cloud automation, and the use of personal devices to access cloud services can result in data loss.Unsecured APIsCloud service providers offer powerful application programming interfaces (APIs) to manage and automate cloud services. These interfaces are well documented and readily available to cloud users, but also to potential attackers.If customers do not properly secure cloud APIs, attackers can exploit weak authentication or other security flaws, to access and steal sensitive data. In some cases, attackers can leverage API weaknesses to compromise cloud infrastructure, abuse cloud resources, and disrupt operations.DDoS attacksDistributed denial of service (DDoS) attacks are designed to flood servers with fake traffic, overwhelming the server and ensuring it cannot respond to legitimate requests.Cloud computing is based on shared distributed computing resources, which makes it much easier for attackers to carry out DDoS. A particular danger of cloud deployments is that attackers will leverage an organizations own cloud resources to wage DDoS attacks against others, creating legal exposure and other risks for the organization.Cloud Hosting Security Best PracticesEnsure VisibilityCloud environments have a large number of dynamic components, including data volumes, compute instances, and containers.When using cloud hosting, it is important to establish an inventory of all current and historical cloud assets to prevent unchecked growth and eliminate the unnecessary spread of assets, each of which can represent a threat surface. Cloud monitoring strategies that allow you to quickly and reliably see deployed assets are the first steps to protecting your assets.User Identity and Access Management (IAM)Cloud computing extends network security beyond the traditional corporate network. Users can access cloud resources from many devices and locations, requiring strong access control.Two-factor authentication (2FA) and single sign-on (SSO), provided by all major cloud providers, enable granular management of roles and privileges, which can help create consistent, storing access controls between on-premises and cloud environments.Implement Endpoint SecurityCloud systems are, by definition, accessed remotely. Even if a cloud system is highly secured, the ability to access it from endpoints like laptops and mobile devices can compromise security. Endpoints can easily be compromised by attackers and may be used as entry points to sensitive cloud systems.To ensure that endpoints do not represent a security threat, organizations should:Deploy endpoint security tools on corporate-owned devicesControl allowed applications on user devices using whitelists and blacklistsMonitor endpoints to enable detection and response to threatsAchieve central control and visibility of endpoints across multiple clouds, and the on-premise environmentSet policies in one place for endpoints across the organizationCarefully review bring-your-own-device (BYOD) policies, and if it is not possible to deploy endpoint security solutions on BYOD devices, control or limit the way in which these devices can connect to cloud servicesUse Backup and Recovery SolutionsIn the cloud, because systems are heavily integrated and automated, and operate at a large scale, one accidental or malicious command can result in catastrophic data loss. Ransomware is also a major threat in the cloudfor the same reasons, it can spread faster and do more damage than it would on-premises.To protect data in the cloud, set up continuous, automated backups using snapshots or similar mechanisms, and store backups as far away as possible from your production deployment. Backups should be in a separate cloud account, or even on a different cloud provider, to prevent them from being accessed by compromised accounts.Ensure you have automated and tested recovery procedures, letting you recover business data quickly in case of an attack or data loss event.In addition, use automated workflows to archive data that is not frequently accessedarchives can be protected with stringent security measures without disrupting productivity.ConclusionIn this article, I briefly discussed how to use cloud hosting while remaining compliant with GDPR, PCI DSS, and HIPAA. In addition, I covered several security best practices that can help larger organizations make use of the benefits of cloud hosting:Ensure visibility of assets and storage services running in your cloud environmentLeverage cloud-based MFA for user controls to minimize the risk of stolen credentialsUse endpoint security for devices accessing your cloud servicesPrevent data loss by leveraging cloud-based backup and recoveryWe hope this helps you stay secure and compliant as you transition your hosting services to the cloud.Get Help with HIPAA ComplianceAtlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, call 888-618-DATA (3282), or visit www.atlantic.net.