3 critical steps toward cloud security compliance


Summary

  • Despite the myriad possibilities of cloud computing for business efficiency, innovation and growth, value is not being realized.
  • That’s partly because risk teams are not involved in the initial planning of cloud transformations and business leaders often don’t fully grasp the risks.
  • It’s never too late to focus on steps that can help with compliance and security — now and later.

Clearly, businesses are keen on the cloud. In fact, 56% of respondents to PwC’s Cloud Business Survey see cloud as a strategic platform for growth and innovation. But there’s a disconnect between enthusiasm and returns. More than half (53%) of companies have not yet realized substantial value from cloud investments. One explanation is that relying on third-party cloud providers can increase vulnerabilities that erode trust in the business.

Another reason: Companies don’t always see the full spectrum of cloud risks. Insufficient or poor planning can yield slow, over-budget implementations. In fact, a scant 17% of chief risk officers (CROs) and chief audit executives are brought into cloud projects at the planning stage. Most come to the table much later, during requirements gathering.

Early examination of risk can make cybersecurity a powerful enabler of growth, one that delivers broad business transformation and a fast lane to the future.

Risk specialists: Help your cloud transformation team address these three key areas

To help achieve a compliant, secure transformation, organizations should explore three key areas of cybersecurity, privacy and compliance: 

  • Guard the access points to — and within — the cloud and resident applications. Set security controls and define requirements for segregation of duties (SoD) and managing privileged access.

  • Design privacy into the cloud. Create privacy business requirements that are implemented early in the transformation initiative.

  • Build in leading cybersecurity. Introduce practices, policies and controls that adjust to changes to the technology landscape. For some this may be a case of evaluating existing programs and updating as needed.

Most organizations, especially public ones, allocate significant time and resources to address requirements for these areas. The potential trouble starts when companies don’t take into account how a cloud transformation can change the requirements and create long-term barriers to regulatory compliance. Integrating compliance and security requirements at the onset can help effectively manage requirements and avoid the costs of retrofitting security programs.

Guard the access points to — and within — the cloud and resident applications

In a perfectly secured business world, all job responsibilities would be segregated and privileged access would be strictly restricted to help reduce risks and protect data. But we don’t live in that world. 

Today, threat actors expertly exploit misconfigured cloud services to gain access to a company’s network, encrypt data and then demand exorbitant ransoms to restore the data. Given the speed and cunning efficiency of today’s threat actors, executives have cause for concern.

Not all cyberattacks carry the thumbprints of external actors, however. Intentional and unintentional actions by employees and trusted third parties can also expose data to compromise. Here’s how: Developers with access to production systems might unintentionally modify production data, believing that they were in the development environment. Similarly, developers with access to production might unwittingly promote unapproved changes into production. And users with elevated access might perform actions that violate security and privacy policies.

Segregation of duties, which splits the access privileges needed to complete a process among multiple users so that no one person can carry out a sensitive action end to end, and stringent access controls can help companies contain these insider threats. To secure accounts that have access to cloud services, businesses should:

  • Separate privileged administrative access from user accounts

  • Use strong passwords and multifactor authentication

  • Change default passwords

  • Limit administrative privileges 

  • Automate patch management of systems and applications

  • Use multifactor authentication to safeguard VPNs and remote desktop protocol (RDP) services 

  • Encrypt data at rest and in transit 

Configuring segregation of duties and privileged access is always a tradeoff: tighter controls reduce risk, while looser controls lower costs and speed up deployments. Following are questions you should ask to strike the right balance:

  • What risks exist in your business processes?

  • Where do risks exist today, and where are they likely to emerge?

  • Do you have buy-in from stakeholders?

  • Which employees should have access to which applications and data? 

  • How do you identify anomalous employee activities? 

  • What ongoing monitoring process should you use to review access for SoD and privileged access? 

Careful consideration of these questions can help you avoid compliance issues during the project and down the road.
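The last two questions above (who should hold which access, and how to review it for SoD and privileged-access violations) are the ones that can be automated. The following Python script is an added example, not code from the original article or from PwC: it runs an access review over a small, constructed role model in which users hold roles directly and through groups, flags toxic role combinations (the developer who can both write code and deploy it to production, or the user who can both raise and approve a change), and flags privileged roles that sit on an everyday user account instead of a separate administrative identity. The conflict matrix, role and group names, and the "-admin" suffix convention for dedicated admin identities are all assumptions made for the illustration.

```python
"""Added example: segregation-of-duties (SoD) and privileged-access review.

Constructed inputs: a small cloud-style role model where users hold roles
directly and via groups. The conflict matrix, role names and the "-admin"
naming convention for dedicated administrative identities are assumptions
for this illustration, not taken from the original article.
"""
from dataclasses import dataclass
from itertools import combinations

# Toxic role pairs: one identity holding both collapses a two-person control.
SOD_CONFLICTS = {
    frozenset({"dev.write", "prod.deploy"}),          # write code and push it to prod
    frozenset({"change.request", "change.approve"}),  # raise and approve own change
    frozenset({"payments.create", "payments.approve"}),
}

# Roles that grant privileged access and must sit on a separate admin identity.
PRIVILEGED_ROLES = {"prod.deploy", "change.approve", "cloud.admin"}

# Constructed directory data: group -> roles, user -> groups, user -> direct roles.
GROUP_ROLES = {
    "developers": {"dev.write", "dev.deploy"},
    "release-managers": {"prod.deploy"},
    "finance": {"payments.create"},
}
USER_GROUPS = {
    "alice": {"developers"},
    "bob": {"developers", "release-managers"},
    "carol": {"finance"},
    "dave-admin": set(),
    "erin": set(),
}
USER_ROLES = {
    "alice": set(),
    "bob": set(),
    "carol": {"payments.approve"},
    "dave-admin": {"cloud.admin"},
    "erin": {"change.request", "change.approve"},
}


@dataclass(frozen=True)
class Finding:
    principal: str
    kind: str           # "sod_conflict" or "privileged_on_user_account"
    roles: tuple


def effective_roles(user, user_roles, user_groups, group_roles):
    """Direct roles plus roles inherited through group membership."""
    roles = set(user_roles.get(user, ()))
    for group in user_groups.get(user, ()):
        roles |= group_roles.get(group, set())
    return roles


def is_admin_identity(user):
    """Assumed convention: dedicated admin identities carry an '-admin' suffix."""
    return user.endswith("-admin")


def review_access(user_roles, user_groups, group_roles):
    """Return SoD conflicts and privileged roles held by ordinary user accounts."""
    findings = []
    for user in sorted(set(user_roles) | set(user_groups)):
        roles = effective_roles(user, user_roles, user_groups, group_roles)
        # 1. Any pair of effective roles that forms a toxic combination.
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                findings.append(Finding(user, "sod_conflict", (a, b)))
        # 2. Privileged roles granted to an everyday (non-admin) identity.
        priv = tuple(sorted(roles & PRIVILEGED_ROLES))
        if priv and not is_admin_identity(user):
            findings.append(Finding(user, "privileged_on_user_account", priv))
    return findings


if __name__ == "__main__":
    for f in review_access(USER_ROLES, USER_GROUPS, GROUP_ROLES):
        print(f"{f.principal:12} {f.kind:28} {', '.join(f.roles)}")
```

Two points worth noting in the design. Conflicts are evaluated over effective roles, because in practice most toxic combinations arrive through group membership (here, "bob" is clean on paper but inherits prod.deploy from a release-managers group on top of dev.write from developers). And the privileged-role check is deliberately separate from the conflict check: "dave-admin" holds cloud.admin without any finding because it is a dedicated administrative identity, which is exactly the separation the first bullet in the list above asks for. Run this on a real directory export as a scheduled review, and the output is the evidence an auditor asks for when they ask how SoD and privileged access are monitored.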

Design privacy into the cloud

Privacy is a complex discipline that is becoming more byzantine as regulations proliferate and consumers grow more protective of their personal information. Managing these shifts requires a skilled team of privacy practitioners who help maintain compliance and apply complex privacy requirements to business problems. These skills need to be complemented by a team of security specialists who understand application-layer security and can translate privacy requirements into actual application security settings.

Not so long ago, a few people in the legal department could manage privacy needs. Today, that takes much larger teams. Yet the talent squeeze for skilled workers makes it doubly difficult for organizations to build an effective privacy team. Business leaders are beginning to voice concerns: In our Cloud Business Survey, 52% of executives said a lack of tech talent is a barrier to realizing cloud value.

Making matters worse is a general lack of proficiency in privacy. Consider, for instance, that almost 40% of organizations don’t understand privacy violations and cloud risks arising from third parties and suppliers. What’s more, data governance is the backbone of privacy, yet only one-third of survey respondents have a formal data governance program.

Following are questions that can help you understand why you need to incorporate privacy into your cloud journey:

  • How do you determine privacy requirements for new projects or applications? 

  • Are you expected to follow a “privacy by design” approach that embeds privacy controls into new systems and applications? 

  • How do you use your company’s privacy framework to identify applicable privacy requirements for the cloud transformation project?

  • Do you have the requisite application layer security knowledge and skills?

  • Do you have controls and processes for management of third parties? 

Now’s the time to connect with your company’s privacy team and map out answers to these questions — and a new privacy plan.

Build in leading cybersecurity for the cloud

Cloud transformations will almost certainly impact an organization’s cybersecurity program and posture. Depending on the nature of the cloud transformation, the impact could be consequential. 

Key questions to consider when gauging the impact of a cloud transformation on cybersecurity and privacy include:

  • Is your cybersecurity solution integrated with your current identity and access management (IAM) solution(s)? 

  • Do you understand application development security practices? 

  • Can you assess threat models and security architectures? 

  • How do you monitor, manage and mitigate cybersecurity incidents and threats? 

  • Can you evaluate your current compliance posture through the lens of business context and standardized IT and security frameworks?

Figure: PwC’s cloud security risk framework, comprising 8 key enablers of secure cloud transformation.

From risk to confidence to payoffs 

Despite the challenges, there’s cause for encouragement. C-suite executives understand the critical role of cloud in both defining and achieving their company’s growth and operational ambitions. It’s also promising that organizations are prioritizing investments in cloud security to unleash innovation, boost resiliency and reimagine the business. Doing so can help transform risk into confidence — and ultimately, tangible returns on cloud investments.


Robert Clark

Principal, Cyber, Risk and Regulatory, PwC United States

Email
