Dedicated cloud hosting is growing in popularity, and is becoming a viable option for larger enterprises and organizations with compliance requirements. In this article, I’ll discuss how organizations can enjoy the benefits of cloud hosting, while ensuring compliance with standards like GDPR, PCI DSS and HIPAA, understanding security risks inherent in a cloud environment, and addressing them.
What is Dedicated Cloud Hosting?
In most cases, the dedicated server includes a hypervisor, allowing it to integrate with the provider’s cloud computing environment. Unlike in traditional hosting scenarios, servers can be provisioned instantly and decommissioned quickly when no longer needed.
Another benefit of dedicated cloud hosting over traditional hosting is that it guarantees dedicated hardware with full control over its configuration: customers control the cloud servers on a dedicated host and can configure and customize them as needed.
Dedicated cloud hosting provides capabilities like:
- Attaching high performance block storage to the server
- Customizing hardware configuration on the server and scaling vertically as needed
- Customizing DNS and networking
- Creating snapshots for cloning or testing purposes
- Creating backups onsite and offsite while integrating with the organization’s existing backup plans
- Setting up custom replication and high availability
Regulatory Compliance for Cloud Hosting
If your organization is subject to regulations or industry standards, you need to make sure your cloud hosting is compatible with those standards. Let’s briefly review the compliance requirements for three important standards, and basic steps to ensuring compliance:
- GDPR—the European Union’s data privacy regulation, affecting any organization that does business with EU citizens
- PCI DSS—a standard created by the payment card industry to ensure that cardholder data is properly protected
- HIPAA—a US regulation affecting organizations in the healthcare industry, with strict requirements for treatment of protected health information (PHI)
GDPR Compliant Cloud Hosting
What are GDPR requirements for cloud hosting?
Here are some GDPR requirements that impact cloud hosting:
- You cannot process, use, or store the personal data of EU citizens without consent, and the use of this data is limited
- “Right to be forgotten”, meaning that EU citizens can request to have their personal details removed
How to comply with GDPR
Both you and your cloud service provider need to be compliant with GDPR:
- Select a GDPR-compliant provider
- Determine your GDPR responsibilities—all cloud providers should have a shared responsibility model. Typically, your organization is responsible for securing your data and workloads, while the cloud provider is responsible for infrastructure
- Separate data that is protected under GDPR—if possible, ensure that GDPR-protected data is not mixed with non-protected data in the same database
- Apply security controls and deletion workflows to GDPR-protected data
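The two GDPR steps above (keeping protected data separate, and running a deletion workflow over it) can be illustrated with a small data model. The following is an added example, not code from the original article or from any hosting provider: personal data lives in its own table, business records reference it only through an opaque subject id, and a "right to be forgotten" request becomes a logged erasure that removes the personal record and severs the link without destroying financial history. The schema, table names and sample records are constructed for illustration; the example uses only the Python standard library.

```python
"""Added example (not part of the original article): keep GDPR-protected
personal data in its own table, reference it from business records only by
an opaque subject id, and implement the "right to be forgotten" as a logged
deletion workflow. Schema and sample records are constructed for illustration."""
import sqlite3
import uuid
from datetime import datetime, timezone


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def open_db() -> sqlite3.Connection:
    """Personal data (in GDPR scope) lives apart from order data (out of scope)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE data_subjects (          -- GDPR-protected: name, e-mail, consent
            subject_id TEXT PRIMARY KEY,
            full_name  TEXT NOT NULL,
            email      TEXT NOT NULL,
            consent_at TEXT NOT NULL
        );
        CREATE TABLE orders (                 -- business records: no personal fields
            order_id     INTEGER PRIMARY KEY,
            subject_id   TEXT,                -- opaque reference, NULL once erased
            amount_cents INTEGER NOT NULL
        );
        CREATE TABLE erasure_log (            -- evidence that a request was honoured
            subject_id   TEXT NOT NULL,
            erased_at    TEXT NOT NULL,
            rows_removed INTEGER NOT NULL
        );
        """
    )
    return db


def register_subject(db: sqlite3.Connection, full_name: str, email: str) -> str:
    """Store personal data only against a random id that carries no personal meaning."""
    subject_id = str(uuid.uuid4())
    db.execute("INSERT INTO data_subjects VALUES (?, ?, ?, ?)",
               (subject_id, full_name, email, _now()))
    db.commit()
    return subject_id


def record_order(db: sqlite3.Connection, subject_id: str, amount_cents: int) -> None:
    db.execute("INSERT INTO orders (subject_id, amount_cents) VALUES (?, ?)",
               (subject_id, amount_cents))
    db.commit()


def erase_subject(db: sqlite3.Connection, subject_id: str) -> int:
    """Right-to-be-forgotten workflow: delete the personal record, unlink (but
    keep) the financial records, and log the erasure. Returns rows removed."""
    removed = db.execute("DELETE FROM data_subjects WHERE subject_id = ?",
                         (subject_id,)).rowcount
    db.execute("UPDATE orders SET subject_id = NULL WHERE subject_id = ?",
               (subject_id,))
    db.execute("INSERT INTO erasure_log VALUES (?, ?, ?)",
               (subject_id, _now(), removed))
    db.commit()
    return removed


def personal_links_remaining(db: sqlite3.Connection, subject_id: str) -> int:
    """Rows that still identify or point at the subject; 0 after a complete erasure."""
    in_subjects = db.execute("SELECT COUNT(*) FROM data_subjects WHERE subject_id = ?",
                             (subject_id,)).fetchone()[0]
    in_orders = db.execute("SELECT COUNT(*) FROM orders WHERE subject_id = ?",
                           (subject_id,)).fetchone()[0]
    return in_subjects + in_orders


def order_count(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def erasure_entries(db: sqlite3.Connection, subject_id: str) -> int:
    return db.execute("SELECT COUNT(*) FROM erasure_log WHERE subject_id = ?",
                      (subject_id,)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    sid = register_subject(db, "Ada Example", "ada@example.org")  # constructed sample
    record_order(db, sid, 1999)
    record_order(db, sid, 500)
    print("links before erasure:", personal_links_remaining(db, sid))
    print("rows erased:", erase_subject(db, sid))
    print("links after erasure:", personal_links_remaining(db, sid))
```

Because the orders table never holds a name or e-mail address, the erasure touches exactly one row of personal data and the order history stays usable for accounting; the erasure_log row is what you show an auditor. In a real deployment the same separation has to be carried through to backups and archives, which is why the article's point about deletion workflows matters beyond the primary database.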
PCI DSS Compliant Cloud Hosting
What are PCI DSS requirements for cloud hosting?
According to the PCI SSC Cloud Computing Guidelines, PCI DSS requirements for cloud hosting depend on the following factors:
- Business use of cloud services you have deployed
- Which requirements under PCI DSS are taken care of by the cloud provider
- Scope of cloud provider systems that are PCI DSS compliant
- Specific systems or services used by the organization, including services specifically used for compliance, such as security services
How to comply with PCI DSS
The guidelines detail the following measures to ensure cloud services are PCI compliant:
- Perform a risk assessment
- Conduct due diligence of cloud services you are using
- Check Service Level Agreements (SLAs) to ensure they are appropriate for PCI DSS requirements
- Perform a review of all cloud and managed services selected and ensure they meet PCI DSS standards for your level of PCI DSS requirements
- Ensure you have an appropriate business continuity/disaster recovery (BC/DR) plan for cloud-deployed services
Read the full guidelines for more information—take special note of the different requirements for cloud providers and customers.
HIPAA Compliant Cloud Hosting
What are HIPAA requirements for cloud hosting?
Cloud computing is not explicitly covered by the HIPAA Act, but it appears in its Privacy and Security Rules. HIPAA allows healthcare organizations to move PHI to public or private cloud platforms, provided that:
- The cloud provider signs a business associate agreement (BAA)
- The organization ensures the provider’s cloud environment is HIPAA compliant
- The organization puts the relevant safeguards in place for its data and applications to comply with the HIPAA Rules
How to comply with HIPAA
A HIPAA-compliant cloud hosting environment should provide the following:
- Firewall and intrusion prevention system (IPS)
- Ability to securely connect to the cloud using encrypted VPN
- Data at rest must be encrypted, and stored in a HIPAA-compliant data center
- Multi-factor authentication
- Full audit trail with detailed event logs
- High resilience, with an SLA of 100% server uptime
- Backups with off-site storage and automated/assisted data recovery
Cloud Hosting Security Risks
Many organizations face significant risks when storing data in the cloud. Cloud storage services can easily be exposed to public networks, and if they are not securely configured, this can result in data loss. Multiple users and organizations can receive access to cloud systems, and improper management of credentials and privileges can result in data breaches.
In addition, social engineering attacks, accidental file deletion, errors in cloud automation, and the use of personal devices to access cloud services can result in data loss.
Cloud service providers offer powerful application programming interfaces (APIs) to manage and automate cloud services. These interfaces are well documented and readily available to cloud users, but also to potential attackers.
If customers do not properly secure cloud APIs, attackers can exploit weak authentication or other security flaws, to access and steal sensitive data. In some cases, attackers can leverage API weaknesses to compromise cloud infrastructure, abuse cloud resources, and disrupt operations.
Distributed denial of service (DDoS) attacks are designed to flood servers with fake traffic, overwhelming the server and ensuring it cannot respond to legitimate requests.
Cloud computing is based on shared distributed computing resources, which makes it much easier for attackers to carry out DDoS. A particular danger of cloud deployments is that attackers will leverage an organization’s own cloud resources to wage DDoS attacks against others, creating legal exposure and other risks for the organization.
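Whether the flood is aimed at your servers or, as the paragraph above warns, launched from your own cloud resources, the first defensive step is noticing it quickly in the logs. The following is an added example, not code from the original article: it parses common-format web-server access log lines and flags any client address that exceeds a request threshold inside a sliding time window. The log lines, the RFC 5737 documentation addresses and the thresholds are constructed for illustration; in production this kind of rate signal would feed a rate limiter, a WAF or the provider's DDoS protection rather than a script.

```python
"""Added example (not from the original article): detect a request flood in
web-server access logs by counting requests per client address in a sliding
time window. Log lines, addresses and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format prefix: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (client_ip, timestamp) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window_seconds: int = 10, threshold: int = 50) -> dict:
    """Map each client that exceeded `threshold` requests inside any
    `window_seconds` window to the peak count it reached. Lines are expected
    in time order, as they are in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # malformed line: skip rather than crash
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop requests that fell out of the window
        if len(q) > threshold and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)
    return peaks


def build_sample_log() -> list:
    """Constructed log: one normal client sending five requests, plus one
    source sending 120 requests in six seconds, and one malformed line."""
    start = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)

    def line(ip, ts, path):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200'

    events = [(start + timedelta(seconds=i), "203.0.113.7", f"/page{i}") for i in range(5)]
    events += [(start + timedelta(milliseconds=50 * i), "198.51.100.9", "/") for i in range(120)]
    events.sort(key=lambda e: e[0])
    return [line(ip, ts, path) for ts, ip, path in events] + ["not a log line"]


if __name__ == "__main__":
    for ip, peak in detect_floods(build_sample_log()).items():
        print(f"flood from {ip}: {peak} requests inside the window")
```

The sliding window keeps memory bounded to the requests still inside the window per address, so the same logic works on a live tail of the log. Tune `threshold` and `window_seconds` to the service's normal traffic; a single legitimate client behind a large NAT can look like a flood at an aggressive threshold, so a finding should drive a rate limit or a block only after that is ruled out.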
Cloud Hosting Security Best Practices
Cloud environments have a large number of dynamic components, including data volumes, compute instances, and containers.
When using cloud hosting, it is important to establish an inventory of all current and historical cloud assets to prevent unchecked growth and eliminate the unnecessary spread of assets, each of which can represent a threat surface. Cloud monitoring strategies that allow you to quickly and reliably see deployed assets are the first steps to protecting your assets.
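The inventory described above is straightforward to automate once you can pull a list of assets from the provider. The following is an added example, not code from the original article or from any provider's tooling: it reconciles a snapshot of currently reported assets against an approved inventory, maintains a first-seen/last-seen history so that decommissioned assets are still on record, and flags the conditions that matter for the attack surface (assets nobody approved, assets with no owner, and storage that is publicly exposed). The snapshots and asset names are constructed; a real run would obtain them from the provider's inventory API.

```python
"""Added example (not from the original article): reconcile currently reported
cloud assets against an approved inventory, keep a first-seen/last-seen history,
and flag unapproved, ownerless or publicly exposed assets. Snapshots are constructed."""
from datetime import date

# Constructed snapshot standing in for a provider inventory API response.
DAY1_SNAPSHOT = [
    {"id": "vm-web-01", "type": "instance", "owner": "web-team", "public": True},
    {"id": "vm-build-07", "type": "instance", "owner": None, "public": True},
    {"id": "vol-db-01", "type": "volume", "owner": "db-team", "public": False},
    {"id": "bucket-logs", "type": "storage", "owner": "secops", "public": False},
    {"id": "bucket-tmp-export", "type": "storage", "owner": None, "public": True},
]
# Next day: the build VM was deleted, the export bucket is still there.
DAY2_SNAPSHOT = [a for a in DAY1_SNAPSHOT if a["id"] != "vm-build-07"]

# Assets that went through change control (constructed).
APPROVED = {"vm-web-01", "vol-db-01", "bucket-logs"}


def reconcile(snapshot, approved, history, today):
    """Update `history` in place and return (findings, decommissioned).

    findings: sorted (rule, asset_id) pairs for the current snapshot
    decommissioned: ids known from history but absent from this snapshot
    """
    seen = set()
    for asset in snapshot:
        seen.add(asset["id"])
        entry = history.setdefault(asset["id"], {"type": asset["type"], "first_seen": today})
        entry["last_seen"] = today          # history is never pruned: it is the historical inventory
    findings = []
    for asset in snapshot:
        if asset["id"] not in approved:
            findings.append(("unapproved", asset["id"]))
        if asset["owner"] is None:
            findings.append(("no-owner", asset["id"]))
        if asset["type"] == "storage" and asset["public"]:
            findings.append(("public-storage", asset["id"]))
    decommissioned = sorted(i for i in history if i not in seen)
    return sorted(findings), decommissioned


if __name__ == "__main__":
    history = {}
    for day, snapshot in ((date(2024, 1, 1), DAY1_SNAPSHOT), (date(2024, 1, 2), DAY2_SNAPSHOT)):
        findings, gone = reconcile(snapshot, APPROVED, history, day)
        print(day, "findings:", findings, "decommissioned:", gone)
```

Running the reconciliation on a schedule and diffing the findings between runs turns the inventory into a drift detector: a new unapproved asset, or a bucket that flips to public, shows up the next time the job runs rather than when someone stumbles over it.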
User Identity and Access Management (IAM)
Cloud computing extends network security beyond the traditional corporate network. Users can access cloud resources from many devices and locations, requiring strong access control.
Two-factor authentication (2FA) and single sign-on (SSO), provided by all major cloud providers, enable granular management of roles and privileges, which helps create consistent, strong access controls across on-premises and cloud environments.
Implement Endpoint Security
Cloud systems are, by definition, accessed remotely. Even if a cloud system is highly secured, the ability to access it from endpoints like laptops and mobile devices can compromise security. Endpoints can easily be compromised by attackers and may be used as entry points to sensitive cloud systems.
To ensure that endpoints do not represent a security threat, organizations should:
- Deploy endpoint security tools on corporate-owned devices
- Control allowed applications on user devices using whitelists and blacklists
- Monitor endpoints to enable detection and response to threats
- Achieve central control and visibility of endpoints across multiple clouds and the on-premises environment
- Set policies in one place for endpoints across the organization
- Carefully review bring-your-own-device (BYOD) policies, and if it is not possible to deploy endpoint security solutions on BYOD devices, control or limit the way in which these devices can connect to cloud services
Use Backup and Recovery Solutions
In the cloud, because systems are heavily integrated and automated, and operate at a large scale, one accidental or malicious command can result in catastrophic data loss. Ransomware is also a major threat in the cloud—for the same reasons, it can spread faster and do more damage than it would on-premises.
To protect data in the cloud, set up continuous, automated backups using snapshots or similar mechanisms, and store backups as far away as possible from your production deployment. Backups should be in a separate cloud account, or even on a different cloud provider, to prevent them from being accessed by compromised accounts.
Ensure you have automated and tested recovery procedures, letting you recover business data quickly in case of an attack or data loss event.
In addition, use automated workflows to archive data that is not frequently accessed—archives can be protected with stringent security measures without disrupting productivity.
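The backup advice above (automated copies kept away from production, plus a recovery procedure that is actually tested) can be exercised end to end on a small scale. The following is an added example, not code from the original article or from any backup product: each backup is a copy of the source tree plus a SHA-256 manifest, written under a separate root directory that stands in for the separate account or provider the article recommends, and the restore step refuses a backup whose contents no longer match the manifest. The drill then overwrites the production files, as ransomware or a bad automation command would, restores from the backup, and finally shows that tampering with the backup copy itself is detected. All paths and file contents are constructed in a temporary directory.

```python
"""Added example (not from the original article): a minimal backup-and-restore
drill with a SHA-256 manifest, a restore that refuses damaged backups, and a
simulated destructive event. Paths and contents are constructed in a temp dir."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup_root: Path) -> Path:
    """Copy `source` into a new timestamped directory and write a manifest."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    backup = backup_root / f"backup-{stamp}"
    data = backup / "data"
    shutil.copytree(source, data)
    manifest = {str(p.relative_to(data)): sha256_file(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup


def verify_backup(backup: Path) -> list:
    """Names of files that are missing or whose hash no longer matches the manifest."""
    manifest = json.loads((backup / "manifest.json").read_text())
    damaged = []
    for rel, digest in manifest.items():
        p = backup / "data" / rel
        if not p.is_file() or sha256_file(p) != digest:
            damaged.append(rel)
    return damaged


def restore(backup: Path, target: Path) -> bool:
    """Tested recovery: refuse a damaged backup, copy it back, re-check every hash."""
    if verify_backup(backup):
        return False
    shutil.copytree(backup / "data", target, dirs_exist_ok=True)
    manifest = json.loads((backup / "manifest.json").read_text())
    return all(sha256_file(target / rel) == digest for rel, digest in manifest.items())


def run_drill() -> dict:
    """Back up constructed files, simulate a destructive event, restore, and
    then show that tampering with the backup itself is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backups, restored = root / "prod", root / "offsite", root / "restored"
        source.mkdir()
        (source / "customers.csv").write_text("id,plan\n1,gold\n2,silver\n")  # constructed
        (source / "config.json").write_text('{"region": "example"}\n')         # constructed
        original = {p.name: sha256_file(p) for p in source.iterdir()}

        backup = create_backup(source, backups)
        # Simulated ransomware or bad automation: every production file overwritten.
        for p in source.iterdir():
            p.write_bytes(b"\x00" * 32)
        restore_ok = restore(backup, restored)
        after = {p.name: sha256_file(p) for p in restored.iterdir()}

        # Tamper with the backup copy itself: verification must flag the file
        # and a second restore must refuse to proceed.
        (backup / "data" / "customers.csv").write_text("id,plan\n")
        damaged = verify_backup(backup)
        second_restore_ok = restore(backup, root / "restored-2")
        return {"restore_ok": restore_ok,
                "restored_matches_original": after == original,
                "damaged_after_tamper": damaged,
                "second_restore_ok": second_restore_ok}


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

The manifest is what makes the drill meaningful: a restore that copies files back without checking them proves only that the copy command ran. In a real deployment the backup root would be a separate account with write-once or retention-locked storage so that the credentials that can damage production cannot also rewrite the backups, and the drill would run on a schedule rather than once.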
In this article, I briefly discussed how to use cloud hosting while remaining compliant with GDPR, PCI DSS, and HIPAA. In addition, I covered several security best practices that can help larger organizations make use of the benefits of cloud hosting:
- Ensure visibility of assets and storage services running in your cloud environment
- Leverage cloud-based MFA for user controls to minimize the risk of stolen credentials
- Use endpoint security for devices accessing your cloud services
- Prevent data loss by leveraging cloud-based backup and recovery
We hope this helps you stay secure and compliant as you transition your hosting services to the cloud.
Get Help with HIPAA Compliance
Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, call 888-618-DATA (3282), or visit www.atlantic.net.