Dec 27, 2021
As we look forward to 2022, at least two things are certain: cloud is here to stay – and so is regulatory compliance. Every business must deal with compliance mandates in some form or other. Since regulations not only vary by industry, but also by state and country, some organizations have to comply with multiple, and sometimes even conflicting, standards.
In order to help you manage the complexity of the compliance landscape in 2022, Orca Security asked CEOs, CISOs, analysts, and other cybersecurity leaders across a variety of industries for their advice on how organizations can best prepare themselves for the onslaught of data privacy and cybersecurity mandates on the horizon. More specifically, we asked, where should organizations focus their cloud compliance efforts in 2022?
Here’s what 14 cybersecurity leaders shared about how best to prepare for cloud compliance in 2022:
“Rather than adhering to all mandates individually, organizations can increase efficiency by adopting a ‘do once, report multiple’ approach, where they focus on complying with the strictest mandates, and in doing so meet all their regulatory requirements. A specific area for organizations to focus on in 2022 is ensuring that they have the capability to automatically assess and report on the compliance status of each mandate, as manual reporting will never be effective.”
“Organizations must be more proactive about how they maintain their data, as the responsibility for data and liability for mishandling data evolves. They need tools that can discover where PII is stored, how it is used, and how it flows within the organization. The best strategy for protecting this data is an ROI-based approach. Start with the easy items such as encrypting your data at rest and in transit, and then move to tighter control of data in logs, export of databases, and secrets. This approach will dramatically reduce the risk of security breaches as well as compliance violations, while keeping operational overhead and costs low.”
“I think the next two years will continue the trend of ‘every jurisdiction publishes their own mandate.’ Some of those mandates will be mostly copies, but many of them will be, by design, just a little different. To prepare, companies should really understand their security practices, so they can communicate them in the language that each regime needs to hear. And ‘understanding’ your security practices includes making sure the security controls are effective!”
“If your organization is multi-state or multinational, always pick the strictest security controls for your cloud environments and data privacy. This will make it easier to monitor and prove compliance versus having multiple findings for the same controls. The best way to start on this journey is to build a compliance map that aligns all the controls for each regulation applicable to your organization, and pick the strictest control for your implementation. And note, there will always be some business exceptions for sales, marketing, support, etc. If those are well documented, then any mandates or data privacy issues can be addressed in findings, and additional mitigating controls can be enacted to ensure they are not considered a violation.”
In addition to advising security executives to “buy a bottle of Tums”, Jonathan offers this further advice:
“Compliance means nothing if you are breached. Focus your team on the compliance controls that fight against the real risks. Right now, extortion events are the most prevalent risk. Therefore, harden your cloud systems against extortion. Compliance will fall in line as you do this. You won’t meet all compliance requirements, of course, but compliance means nothing if you are breached.
Extortion is of two types: data destruction and data disclosure. Destruction seeks to separate you from your data, and disclosure seeks to introduce everyone else to it. Destruction is based on the fear of a loss of business. Extortion by disclosure is based on the fear of lawsuits and fines.
There are basic steps that fall in line with compliance regimes that also help prevent extortion, but they need to be augmented. Compliance regimes do not provide enough detail in how to prevent extortion events. Here are two examples:
All compliance regimes state you must encrypt data at rest and that you must have regular backups. Even if you meet these minimum requirements, you are heavily exposed to extortion events unless you also:
– Store backups securely, for example, in a separate cloud account
– Require MFA before deletion of source and of backup data
Attackers will make their own encrypted backups, destroy all of your copies, and then leave their Bitcoin addresses on a splash page where your company’s logo used to be.”
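As an added example that is not part of the quoted advice or of Orca's page, the following stdlib-only Python script checks the two safeguards just listed: it lints a set of IAM policy documents for destructive S3 actions that remain reachable without MFA, and it checks that AWS Backup vault ARNs belong to an account other than the source account. All policy documents, bucket names and account IDs are constructed for illustration, and the IAM evaluation is deliberately simplified (NotAction, resource scoping and SCPs are ignored). The one caveat it encodes is real and documented by AWS: `aws:MultiFactorAuthPresent` is absent from the request context when long-term access keys are used, so a Deny keyed on `Bool` false does not match those requests; `BoolIfExists` is the documented form for a Deny.

```python
"""Lint IAM policies for backup-deletion paths that do not require MFA, and
check that backup vaults live in a separate account. Policies and IDs below are
constructed examples, not real accounts."""
import fnmatch

# Actions an attacker needs to separate you from your copies of the data.
# PutBucketVersioning is included because suspending versioning is the usual
# first step before purging old object versions.
DESTRUCTIVE_ACTIONS = (
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutBucketVersioning",
)
MFA_KEY = "aws:multifactorauthpresent"  # IAM condition key names are case-insensitive


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action patterns are case-insensitive and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _mfa_condition(statement):
    """Return (operator, value) for the statement's MFA condition, or None."""
    for operator, keys in statement.get("Condition", {}).items():
        for key, value in keys.items():
            if key.lower() == MFA_KEY:
                return operator, str(_as_list(value)[0]).lower()
    return None


def find_ungated_deletes(policies):
    """Return one finding per destructive action reachable without MFA.

    Simplified evaluation: an explicit Deny wins over any Allow. Only a Deny
    with BoolIfExists MFA=false reliably blocks every request; a Deny with plain
    Bool MFA=false does not match requests whose context lacks the key (long-term
    access keys), so such a policy is reported as weak rather than as gated.
    """
    statements = [s for p in policies for s in _as_list(p.get("Statement"))]
    findings = []
    for action in DESTRUCTIVE_ACTIONS:
        robust_deny = weak_deny = allowed_without_mfa = False
        for st in statements:
            if not _matches(_as_list(st.get("Action")), action):
                continue
            mfa = _mfa_condition(st)
            if st.get("Effect") == "Deny":
                if mfa == ("BoolIfExists", "false"):
                    robust_deny = True
                elif mfa == ("Bool", "false"):
                    weak_deny = True
            elif st.get("Effect") == "Allow" and mfa != ("Bool", "true"):
                allowed_without_mfa = True
        if robust_deny or not allowed_without_mfa:
            continue
        if weak_deny:
            findings.append(f"{action}: Deny uses Bool, not BoolIfExists; "
                            "requests made with long-term access keys bypass it")
        else:
            findings.append(f"{action}: allowed without an MFA condition")
    return findings


def backup_vaults_in_other_account(source_account, vault_arns):
    """True when every ARN's account field differs from source_account.
    ARN layout is arn:partition:service:region:account:resource; an empty
    account field (as in S3 bucket ARNs) is treated as not separated."""
    return all(arn.split(":")[4] not in ("", source_account) for arn in vault_arns)


# Constructed policies: a typical operator policy, and two candidate guard rails.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Ops", "Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-backups/*"}]}
BOOL_ONLY_DENY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "WeakGuard", "Effect": "Deny", "Action": list(DESTRUCTIVE_ACTIONS),
     "Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
ROBUST_DENY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "MfaGuard", "Effect": "Deny", "Action": list(DESTRUCTIVE_ACTIONS),
     "Resource": "*", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
HARDENED_POLICIES = [WEAK_POLICY, ROBUST_DENY]

if __name__ == "__main__":
    for label, pols in (("weak", [WEAK_POLICY]), ("bool-only deny", [WEAK_POLICY, BOOL_ONLY_DENY]),
                        ("hardened", HARDENED_POLICIES)):
        print(label, find_ungated_deletes(pols) or "no ungated deletes")
    print("vault separated:", backup_vaults_in_other_account(
        "111111111111", ["arn:aws:backup:us-east-1:222222222222:backup-vault:prod-copy"]))
```

Run the script as-is to see the weak policy produce four findings, the Bool-only Deny produce four "weak" findings, and the BoolIfExists Deny produce none. The same structure extends to other stores once you swap in their destructive actions (for example `backup:DeleteRecoveryPoint`), which is the kind of automated per-mandate check the first quote above calls for.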
“Plato, cribbing from the Bible, wrote, ‘Good people do not need laws to tell them to act responsibly.’ Based on recent decisions and behavior by organizations who should have known better, the rise of unyielding, one-size-fits-all security and privacy mandates is inevitable. Too many act as though they need laws to tell them how to act responsibly with other people’s data.
Rather than be surprised by sudden regulatory requirements with their jet-fuel deadlines, be well prepared by adopting ethical data handling practices now – and verifying them! Track the consumer data you collect and comprehensively remove it when asked. Control personally identifiable, customer, and partner information as if it were more important than your own. Shockingly few consequential breaches result from zero-day vulnerabilities. Nearly all come from shadow IT, rogue cloud, zombie user accounts, and poor patch management.
Focus on hygiene and good practice, make it your expertise, and reward your team for foundational excellence. You’ll never be caught flat-footed by a mandate – and you’ll avoid expensive, embarrassing breaches.”
“Empower your prospects and customers. With the continuous pace of change for country and state specific requirements, companies need to empower their customers with clear and transparent practices. Teams should look to be as open as they are allowed to be with sharing legal terms and conditions, data protection addendums, and security artifacts like evidence of compliance. I heavily recommend external facing trust centers or a security and privacy web page to explain a company’s security practices. This way it can reduce the overall burden for custom questionnaires, inquiries, and allow for prospects and customers to self-service information.”
“There are a number of key things organizations can do to prepare themselves in 2022. Compliance today could mean the difference between a sale and a pass. I’ve seen great companies get passed on because they couldn’t provide a SOC 2 report.
The first thing is the mental focus as an organization. With the right focus, compliance could be your best friend. It can be the game changer that gives you that extra budget or head count if you’re the CISO, or the cherry on top that will show the potential customer that you’re a little better than the competitor if you’re in sales. View it as an opportunity to really improve, and not just as a box to check.
The second thing, now that you have done the mental work and embraced compliance as an ally, is to work towards the goal of becoming compliant by design, and broadly compliant at that. At Rapyd we call it ‘Compliance Ready’: we are ready for any mandate that may come.
We achieve this by focusing on getting the basics right, and automated, and building on that. For example: If your asset management is on point, you can cover the basic controls in 95% of the audits, just from that alone, and there are many more examples.”
“Compliance efforts in 2022 should be focused on understanding the shared responsibility for data between SaaS, PaaS, IaaS, and the organization. Having a real-time asset inventory of the types of data in your organization’s environment should be a priority. This will make uplifting to newer versions of compliance standards an easier transition.”
“I’d focus on modernizing the approach to compliance so that compliance (and security) can keep up with business and IT. We cannot survive on ‘daily code changes but quarterly audits.’ Look at the ways to make compliance go faster at your organization.”
“A practical approach is to have your Chief Compliance Officer and their team draw up the common denominators across multiple compliance requirements from different jurisdictions (GDPR, CCPA, etc.) and work to meet those elements first. Seek to develop good working relationships with the respective regulators (i.e., get them on your side, and show them you’re working at it), then once you’ve met all the common components of the various regulations, choose a particularly stringent one (e.g., from Germany or Singapore) and work to comply fully with that one. That way you can tell regulators in other jurisdictions that, while you may take longer to achieve full compliance with their regulations, you’re actually busy working to meet an even more stringent requirement from elsewhere. I think most regulators want to see you’re making efforts and to be kept in the loop.”
“Focus on defining what data is actually required to fulfil intended functions and how long it’s necessary to retain it. Date of birth, for example, frequently appears in data breaches where it had no need to be there in the first place.”
“Organizations need to move towards a Zero Trust Data Protection approach. The recent EDPB recommendations following the Schrems II judgment highlight this need. This is more than just controlling network access and involves implementing much stronger controls on the data itself. Data is the most valuable and most regulated organizational asset, and the use of cloud services, as well as modern approaches to application development and data analysis, increase the risks. Using unprotected data for machine learning as well as development, QA, and test exposes data in transit, at rest and during processing. For these reasons it is important that organizations move beyond simple encryption to exploit the confidential computing technologies that are now available. The most practical of these include certain forms of pseudonymization, using trusted computing enclaves, as well as keeping control over encryption keys and other secrets used to protect data.”
“Focus on areas where you can be proactive and increase efficiency. For example, you can proactively implement safeguards or policy controls, continuously monitor environments for compliance, and be able to efficiently mitigate issues as they come up. This will save teams from scrambling and having to react to problems.”
Orca Security offers a radically new, agentless cloud-native application protection platform (CNAPP) that detects and prioritizes security risks at every layer of your AWS, Azure, and Google Cloud estates, providing 100% visibility in a fraction of the time and operational cost of other solutions. Find out more in our white paper Reinventing Security for the Cloud.