7 Regulatory and Compliance Frameworks with Broad Cloud Security Implications

Security teams responsible for enforcing regulatory and compliance mandates in a scalable and consistent way are often challenged to translate general legislative guidelines and controls into specific policies, tools and processes.

Cyberattacks not only pose financial or brand risk to an organization. They’re also a matter of national security that can disrupt critical supply chains and — in the case of critical infrastructure — even result in loss of life.

Geopolitical factors, such as the war in Ukraine, have emboldened state-sponsored attacks in the past year. According to the Threat Landscape 2022 report from the European Union Agency for Cybersecurity (ENISA), state-sponsored threat actors have targeted 128 governmental organizations in 42 countries that support Ukraine. Targets include the U.S., Poland, Denmark, Norway, Finland, Sweden, Turkey and other NATO countries.

Governments and industry groups around the world have long been working on ramping up the legislative and regulatory environments with an eye toward curbing attacks. Recent events, such as the 2020 SolarWinds software supply chain attack that impacted over 18,000 public- and private-sector organizations as well as those targeting critical infrastructure operators like Colonial Pipeline have spurred a rash of new regulations.

While all aspects of the attack surface are at risk, cloud infrastructure and applications have emerged as a particular target area. In a LinkedIn blog post, Thierry Breton, European Union Commissioner for Internal Market, said “attacks on cloud infrastructure have increased fivefold in one year.”

“Attacks on cloud infrastructure have increased fivefold in one year.”

—Thierry Breton, European Union Commissioner for Internal Market

In this blog, we explore:

• Mediating risk through increased legislation
• Regulations and penalties with cloud security implications
• How risk frameworks, controls and benchmarks support compliance
• Automating cloud security controls and compliance: Tenable이 도움이 되는 방법

Mediating risk through increased legislation

In response to increased cyberthreats, governments are enacting mandates and legislation. For example, in the U.S., Executive Order 14028 focuses on improving the security of the software supply chain. In the European Union, the Cyber Resilience Act — published by the European Commission in September 2022 — looks to ensure hardware and software products are placed on the market with fewer vulnerabilities. Such measures not only place new requirements on government agencies, they extend broadly to the organizations these agencies do business with, including cloud service providers, software development organizations, software as a service (SaaS) providers, hardware manufacturers and virtually any organization creating digital products and services.

The legislative and regulatory changes in the U.S. are not limited to the federal government — they’re also cascading down to state and local governments. Likewise, in addition to the E.U. regulations, nations within the union may also have their own requirements. In the United States, for example, 36 states have enacted new cybersecurity laws in the past two years, with many more in the works as the public sector looks to mitigate risk of cyberthreats.

Adding to government regulations, industries have also begun to define their own mandates in an effort to improve security posture and minimize risk to consumers and investors. One example of this is PCI DSS in the payment card industry.

For the security teams that must implement these mandates, the challenge is in translating what are often general legislative guidelines and controls into specific policies, tools and processes. Further, security teams are responsible for enforcing those policies in a scalable and consistent way across the enterprise. For security teams working in multinational enterprises, these challenges are compounded exponentially.

The regulatory environment impacts all aspects of cybersecurity, including traditional IT infrastructure and operational technology. In order to understand how the regulatory environment affects cloud security, you first need an understanding of which regulations apply to your particular business. The table below highlights several regulations with broad sweeping cloud security implications — and the risks that come with non-compliance. Regulations and penalties with with cloud security implications

출처: Tenable, April 2023

How risk frameworks, controls and benchmarks can help

Fortunately, a number of federal and industry sponsored organizations have been established to help enterprise and government organizations improve their cybersecurity posture. These organizations collect best practices and define risk frameworks, as well as supporting cybersecurity controls and benchmarks.

Frameworks provide a set of processes, best practices and specifications to help organizations assess and manage risk. They lay the foundation for effective cybersecurity programs.

Controls identify ‘what should happen’ in order to mitigate a specific category of risk. Inventory of software assets, data protection, and secure configuration are examples of control categories. Each control category has a set of safeguards outlining what steps should be taken.

Benchmarks take the concept of controls to the next level, providing prescriptive guidance on how to implement and configure specific technology, such as cloud instances, applications and identities, in a secure way.

While some standards may be developed by specific government agencies, most have broad applicability regardless of country or body of origin, and many have direct alignment or overlap of controls. Below we highlight five worth noting.

National Institute of Standards and Technology Cybersecurity Framework

Part of the U.S. Department of Commerce, the National Institute of Standards and Technology (NIST) has developed numerous cybersecurity standards and best practices, including the NIST Cybersecurity Framework, a 40-page document providing high level guidance on how to prioritize, manage and reduce cybersecurity risk. The framework references a number of detailed documents for prescriptive controls. One of the most comprehensive of these is NIST Special Publication 800-53 Revision 5. The 460-page publication provides deep controls for cloud-based systems as well as other computing platforms, including general purpose computing systems, cyber-physical systems, mobile devices, internet of things (IoT) devices and others. NIST also publishes cybersecurity resource guides, such as Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, to help organizations comply with specific regulations.

CIS Benchmarks

The Center for Internet Security (CIS) is a nonprofit organization that develops crowdsourced, globally recognized best practices for securing IT systems and data. Similar to the NIST Cybersecurity Framework, CIS Critical Security Controls (CIS Controls) are a prioritized set of safeguards designed to mitigate cyberattacks. The Controls have been mapped to different regulatory and industry mandates, such as NYDFS 500. Additionally, CIS Benchmarks offer specific configuration guidelines for over 25 different vendor product families, such as Amazon Web Services (AWS), Microsoft Azure Cloud and Google Cloud Platform (GCP). Benchmarks are highly valuable because they provide prescriptive steps that must be taken in order to achieve the recommended configuration for a given vendor offering.

International Organization of Standards 27001 (IS027001)

Similar to CIS, the International Organization for Standards (ISO) is an independent, international organization that develops consensus based best practices and standards. One of the most well recognized is ISO 27001, a broadly recognized standard for information security management systems (ISMS). While not directly provided by ISO, organizations can obtain third-party certification of compliance with ISO 27001. While there is much overlap between standards like ISO 27001 and NIST Control Frameworks, there are differences. Generally speaking, NIST offers more granular controls, but on its own does not address the full spectrum of requirements needed for ISO 27001 certification. In that respect, these two frameworks are complimentary.

Automating cloud security controls and compliance: Tenable이 도움이 되는 방법

The regulations, controls and benchmarks covered here are just a fraction of the many that enterprise and government organizations must contend with. This makes scaling expertise challenging.

For over two decades, Tenable Research has brought to bear its expertise in regulations and standards to help organizations meet their unique security requirements. This same expertise is embedded in many Tenable solutions, in the form of pre-defined audits, policies and compliance reporting. For example, Tenable One for cloud security helps organizations harden their cloud security posture across multicloud environments by providing out-of-the-box policies which map directly to popular controls, benchmarks and regulations, such as NIST 800-53, CIS Benchmark for AWS, and GDPR, respectively.

This greatly reduces the need for specialized knowledge for every variety of standard or regulation. Security staff can apply policies for a given standard or regulation by selecting from a drop down menu and scanning for non-compliant configurations. They can also establish proactive guardrails to prevent deployment of non-compliant configurations. Below are some examples of the types of compliance reporting capabilities available in Tenable One for cloud security.

Compliance report: CIS 1.2 for AWS

출처: Tenable, April 2023

Using a menu-based approach, organizations can select and run compliance reports for a given standard or regulation and share those reports with asset owners for remediation, as well as governance risk and compliance (GRC) teams and external auditors to meet ongoing compliance requirements.

Compliance report: GDPR

출처: Tenable, April 2023

Because Tenable One for cloud security supports hybrid environments in addition to multicloud, organizations can run policy audits and report compliance for on-premises environments — including IT and private clouds — providing an end-to-end view of compliance.

To learn more about how Tenable can help, check out episode three of the Tenable Cloud Security Coffee Break Series, The Challenges of Multicloud Compliance, where you’ll hear from Phillip Hayes, Tenable’s Director of Information Security, on how we address multicloud compliance for our own SaaS-based solutions and see a live demonstration of policies and compliance reporting in action.

자세히 알아보기

• Visit the Tenable Solution Page on Cloud Security Posture Management: tenable.com/cspm
• View the Solution Infographic: Unlock scalable cloud security for today's hybrid, multicloud world