KEY POINTS

• “34% of organizations outsource some or all of their compliance functionality.” ~Thomson Reuter’s Cost of Compliance Report 2021
• “Risk and compliance programs are maturing. Navex Global found that the number of “mature and advanced” risk and compliance programs grew by 29%, while the number of “reactive and basic” ones declined by 35%.” ~Navex Global’s 2021 Definitive Risk & Compliance Benchmark Report
• “27% of businesses had encountered a security breach in their public cloud infrastructure over the past year. Among these incidents, almost a quarter (23%) were due to cloud infrastructure’s security misconfigurations.” ~Check Point’s 2022 Cloud Security Report

This Ask the Experts session stems from a question originally posted on Quora titled “Why Is Compliance Not Enough for Protecting Cloud Deployments?“

For an organization to be “compliant”, they must adhere to specific standards, regulations, and guidelines set by a governing body, industry, or organization. While compliance is an essential aspect of protecting cloud deployments, especially from a financial standpoint given that there are fines typically associated with organizations failing to be compliant, compliance by itself is not sufficient in protecting cloud deployments from compromise.

This is because compliance frameworks:

1. Focus on a limited scope – Compliance activities mainly focus on safeguarding sensitive data and maintaining privacy. Cloud deployments however involve various components, such as infrastructure, applications, access controls, network security, and data management to name a few. The number of components can increase dramatically as the complexity of the deployment increases. Compliance alone may not comprehensively address all aspects of cloud security, leaving potential gaps that can be exploited by attackers.
2. Lack customization – Compliance frameworks are designed to accommodate a variety of organizations and industries. Subsequently, these frameworks may not align perfectly with the unique security requirements of individual cloud deployments. Organizations often require additional security measures tailored to their specific infrastructure, applications, and data, which compliance frameworks may not address adequately.
3. Fail to address human error and insider threats – Compliance often focuses on implementing technical controls and safeguards (i.e., Encryption of data in transit and or at rest) but may fail to adequately address human error or insider threats. There have been many occasions where security breaches occur due to unintentional mistakes made by employees or malicious actions from insiders. Protecting against these risks requires additional measures, such as employee training, access controls, and monitoring mechanisms.

Compliance frameworks will often provide organizations with a baseline level of security; however, compliance activities typically only address a subset of the potential vulnerabilities or emerging threats an organization may face. To ensure strong cloud security, organizations should consider adopting a comprehensive approach that combines compliance with industry best practices, risk assessments, regular security audits, continuous monitoring, threat intelligence, incident response planning, and ongoing security awareness training for employees. By implementing a defense in depth strategy, organizations can enhance their overall security posture and mitigate a broader range of risks beyond mere compliance requirements.

Have any questions regarding compliance, cloud computing, or application security? Contact us and we will be glad continue the dialog! Do not forget to click here to subscribe to our weekly newsletter for more information security related tips and tricks.

Additional Resources

• CSA Security Guidance for Critical Areas of Focus in Cloud Computing
• IT Security vs IT Compliance: What’s The Difference?
• Security Vs. Compliance: Understanding the Difference