Multicloud compliance in a multi-jurisdictional world
The foggy cloud: Uncertain risks with heightened consequences
The opportunities offered by the cloud continue to vastly outweigh the risks. And much of the risk revolves around regulation, due to the possibility that data will be stored, accessed, altered, or leaked in a way that puts an organization out of compliance with the ever more complex cohort of data protection and privacy regulatory frameworks.
Worse, many IT and security professionals do not even have visibility into where the risk lies. Visibility grows more difficult with data and workloads spread across multicloud environments. The cloud has become a fog, obscuring lurking compliance risks. And meanwhile, the jurisdictional requirements with which international organizations have to comply continue to multiply.
As traditional security frameworks have proven inadequate for managing these compliance risks, IT teams and compliance officers need a new approach — one that will allow them to identify and mitigate violations in the cloud before they happen.
The challenge of cloud compliance
When cloud-hosted data is exposed, organizations lose customer trust, suffer reputational harm, and are subject to regulatory scrutiny. In worst-case scenarios, a data breach can lead to fines if regulators believe an organization didn’t take reasonable measures to protect the data.
Exposures occur in a number of ways, from social engineering to inadequate access control and outright data breaches. However, the cloud offers unique hurdles and challenges for avoiding data exposure. In particular, with responsibility for security shared between cloud provider and cloud customer, misconfigurations are a major risk.
Unintentional human errors — in particular, misconfigurations — are one of the top risks to data in the cloud. Public cloud deployments that are left accidentally exposed to the public Internet or otherwise misconfigured can lead to major breaches.
Cloud misconfigurations are increasing. As more businesses transition to cloud-based services, the attack surface expands, increasing the risk of exposure due to misconfigured resources.
Often, issues are detected only after misconfigurations have already had a negative impact. This is because many widely used types of cloud security solutions, such as cloud security posture management (CSPM) or cloud-native application protection platform (CNAPP) services, identify symptoms after the fact.
After-the-fact detection leads to alerts, which may take a while to be fixed, leaving cloud resources temporarily exposed. By the time an organization knows they are out of compliance or exposed to attacks due to misconfigurations, it may be too late.
There are also a multitude of other challenges to ensuring data security, integrity, and compliance in the cloud, including:
These cloud security issues can linger, leaving organizations exposed. In regard to regulatory compliance, financial health, and the overall safety of the organization, the stakes are high. Fines levied by the EU’s General Data Protection Regulation (GDPR) alone can range up to either €20 million or 4% of the business's worldwide annual revenue, whichever is higher.
The multi-jurisdictional world
To make security and compliance more complicated, each jurisdiction has its own regulations. Security and privacy measures vary around the globe. Some of the major regulations include:
Ensuring that all cloud instances conform to all relevant regulatory frameworks is nearly impossible by manual effort alone. It’s also difficult to demonstrate compliance without regular audits of all data and systems, a task even more difficult when organizations rely on multicloud deployments across multiple cloud providers. This time-consuming work can also hamper expansion and business development as organizations look to enter new markets.
The cloud security solution
To reduce the incidence of costly misconfigurations, organizations must take a preventative approach by securing the control point where nearly all cloud and SaaS activity occurs: API calls. Although preventing all configuration errors in advance would be impossible, organizations must be able to inspect every API call inline, as new cloud instances are deployed — not just after the damage is done. In addition, teams need ways to find and mitigate errors, and enforce compliance, automatically — so they are not adding manual steps.
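As an added illustration (not Cloudflare's code), the following Python sketches the kind of inline check described above: each cloud API call is evaluated against hypothetical region, ACL and encryption rules before it is forwarded, and the decisions are kept as audit records. The service names, actions, regions and parameters are constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical policy for this example: data may only live in EU regions,
# buckets must never be public, and must be encrypted at rest.
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}
PUBLIC_ACLS = {"public-read", "public-read-write"}
BUCKET_ACTIONS = {"CreateBucket", "PutBucketAcl"}

@dataclass
class ApiCall:
    """A cloud API request as seen by an inline proxy, before it is forwarded."""
    service: str
    action: str
    region: str
    params: dict = field(default_factory=dict)

def evaluate(call: ApiCall) -> tuple:
    """Return (verdict, reason). Runs before the provider sees the request,
    so a violating call is blocked instead of flagged by a later posture scan."""
    if call.region not in ALLOWED_REGIONS:
        return "deny", f"region {call.region} is outside the approved jurisdictions"
    if call.service == "storage" and call.action in BUCKET_ACTIONS:
        acl = call.params.get("acl", "private")
        if acl in PUBLIC_ACLS:
            return "deny", f"ACL {acl} would expose the bucket to the public Internet"
        if call.params.get("block_public_access") is False:
            return "deny", "public-access block is being disabled"
    if call.service == "storage" and call.action == "CreateBucket":
        if not call.params.get("encryption"):
            return "deny", "bucket would be created without encryption at rest"
    return "allow", "all policy checks passed"

def enforce(calls):
    """Evaluate each call; the returned records double as compliance evidence."""
    records = []
    for call in calls:
        verdict, reason = evaluate(call)
        records.append({"action": call.action, "region": call.region,
                        "verdict": verdict, "reason": reason})
    return records

# Constructed sample traffic (not real provider requests).
SAMPLE_CALLS = [
    ApiCall("storage", "CreateBucket", "eu-west-1", {"acl": "private", "encryption": "AES256"}),
    ApiCall("storage", "CreateBucket", "eu-west-1", {"acl": "public-read"}),
    ApiCall("storage", "PutBucketAcl", "us-east-1", {"acl": "private"}),
    ApiCall("compute", "RunInstances", "eu-central-1", {"count": 2}),
]

if __name__ == "__main__":
    for rec in enforce(SAMPLE_CALLS):
        print(f"{rec['verdict']:5} {rec['action']:13} {rec['region']:12} {rec['reason']}")
```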
A cloud-based security platform can help you implement that preventive approach — if it’s able to set rules and establish controls at the edge.
Cloudflare streamlines cloud security compliance for customers by automatically assessing and enforcing secure configurations, helping to ensure robust security and compliance with the most common regulatory frameworks. Cloudflare inspects cloud API traffic, giving organizations enhanced visibility and granular controls, and allowing for a proactive approach in mitigating risks and managing their cloud security posture.
By providing controls and guardrails in every regional location, Cloudflare helps you prevent many cloud misconfigurations that could leave you vulnerable and jeopardize compliance. And by placing those capabilities inline (between your organization and the clouds you are using) the Cloudflare platform centralizes management of security and performance controls. As a result, you can continue to make the most of multiple clouds — across multiple jurisdictions — while enhancing efficiency and mitigating risks.
Dive deeper into this topic.
Learn more about securing cloud-based application services in the 3 challenges of securing and connecting application services whitepaper.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
When you are in the cloud, that means you are prone to security risks. Misconfigurations in any way are a killer.
Doing multi-cloud in the right way is a demanding task. I’ve seen many companies falling back on either one or two clouds/CDNs where they use one as primary and the other as fallback. Works fairly well.
Wow!
Interesting take. The challenges are definitely real, and automation seems like a necessary step to stay on top of it all.