Previously we published an article discussing some of the best practices surrounding cloud security. In this article we look at cloud a little more specifically by focusing on one provider in particular, Google. Google offers its cloud solutions under the name Google Cloud Platform (GCP). GCP is a set of infrastructure tools and services which customers can use to build the environments they need to deliver a solution for their business.
Number of Services and Types
GCP offers 115 different services as of October 2019 which fall under the GCP terms of service. Google provides many more and is constantly adding new ones, but those do not necessarily fall under the same agreement. The services are separated into various categories and run on the same infrastructure that Google uses internally for its end-user products. Below are some key categories of services, and the corresponding services offered:
AI & Machine Learning
GCP Security Services
Google recognises the need for greater security in cyberspace today, taking great steps not only to mitigate known bugs but also to find potentially devastating new ones. Google also offers several additional security services and products inside GCP which integrate with the Ignyte Assurance Platform. These include:
User Protection Services
Identity & access management
Governance, risk, and compliance
Managing Risk & Compliance of GCP with Ignyte
GCP meets several compliance and regulatory standards. However, it is important to keep in mind that this only means Google's products meet those standards; it does not mean that by using the products you are relieved of putting compliant practices in place yourself. Being compliant, regardless of the standard, is behavioural and requires administrative checks: an action is taken which is deemed compliant, and repeated actions are necessary in order to maintain compliance across the business.
A great example of this from Google, specific to the Health Insurance Portability and Accountability Act (HIPAA), states: "It is important to note that there is no certification recognized by the US HHS for HIPAA compliance and that complying with HIPAA is a shared responsibility between the customer and Google. Specifically, HIPAA demands compliance with the Security Rule, the Privacy Rule, and the Breach Notification Rule. Google Cloud Platform supports HIPAA compliance (within the scope of a Business Associate Agreement) but ultimately customers are responsible for evaluating their own HIPAA compliance." Google maintains several different compliance standards and adheres to different laws and regulations across multiple countries. Currently GCP supports HIPAA-compliant systems as well as NIST SP 800-171. These complement the NIST Cybersecurity Framework, which is designed to be used alongside other standards and greatly strengthens your approach to securing your environment.
Today there are over 30 IT risk and compliance frameworks in the industry that a GCP customer may need to comply with. Compliance today requires both automated and manual controls. Because manual controls are required, there is no way a technology like GCP can solve all of your compliance needs on its own, regardless of the standard.
Ignyte helps extend internal on-premises security and compliance policies and procedures into the cloud while keeping your enterprise on track to ensure compliance and regulatory standards are met. As stated earlier, manual checks are required in order to meet compliance needs. One example of this for HIPAA specifically is assigning a HIPAA security officer, whose duty is to enforce compliance throughout the entire company, not just IT. HIPAA also requires background checks for individuals who will be accessing sensitive information and systems, which reduces the likelihood of criminals accessing and selling internal information. A further control which HIPAA puts in place to enhance security is separation of duties: making sure, through policies and procedures, that no one person has too much access to information based on their role.
Managing 3rd Party Risk in GCP
Many organizations use GCP for developing critical applications. These applications work with sensitive information, which poses a risk to the business because of the sensitive nature of that information. Mission-critical applications also require around-the-clock uptime in order to fulfil the needs of the organization. While GCP can help with technical protection measures and backup strategies, only the organization itself can protect against risk introduced by a 3rd party contractor. These contractors are sometimes needed due to the tight labor market and skills gap today. How do you manage 3rd party risk within your cloud operations? Ignyte helps facilitate this process through the Ignyte Vendor Risk module, which helps you onboard vendors that are safe and secure. Vendor management for cloud is a critical and often overlooked component. Many data breaches occur due to poor access permissions and controls over the cloud environment. In general, all vendors should have their own security program to manage client data, but often this is simply not the case. Liability should flow down to the vendor through a contractual agreement, provided proper procedures are followed.
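The access-permission problem mentioned above, and the separation-of-duties control from the HIPAA discussion, can be checked mechanically once you have a project's IAM policy. The following is an added example written for this article, not Ignyte's or Google's code. It reads a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` produces (a `bindings` list of role/members pairs) and flags public principals, basic roles (which GCP's own IAM guidance treats as overly broad), basic roles granted to service accounts, and any single member holding more than one privileged role. The sample policy is constructed for the example, and the set of roles treated as "privileged" beyond the three basic roles is an assumption you should tune to your own environment.

```python
"""Flag risky bindings in a GCP project IAM policy (added example, not vendor code)."""
import json
from collections import defaultdict

# Real GCP IAM identifiers: the three basic (primitive) roles and the two
# public principals that grant access to everyone / every Google account.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Assumption: roles we treat as privileged for the separation-of-duties check.
# Extend this set for your own environment.
PRIVILEGED_ROLES = BASIC_ROLES | {
    "roles/iam.securityAdmin",
    "roles/resourcemanager.projectIamAdmin",
}

# Constructed sample policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json`. Not a real project.
SAMPLE_POLICY_JSON = json.dumps({
    "version": 1,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["group:contractors@example.com"]},
        {"role": "roles/iam.securityAdmin",
         "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/logging.viewer",
         "members": ["user:bob@example.com"]},
    ],
})


def find_risky_bindings(policy_json):
    """Return a list of findings, each a dict with kind, role and member."""
    policy = json.loads(policy_json)
    findings = []
    roles_by_member = defaultdict(set)

    for binding in policy.get("bindings", []):
        role = binding["role"]
        # A binding may carry a "condition" that narrows when it applies.
        # We still report it: a conditional grant of roles/owner is still
        # roles/owner and deserves review.
        for member in binding.get("members", []):
            roles_by_member[member].add(role)

            if member in PUBLIC_PRINCIPALS:
                findings.append({"kind": "public_principal",
                                 "role": role, "member": member})

            if role in BASIC_ROLES:
                findings.append({"kind": "basic_role",
                                 "role": role, "member": member})
                # Service accounts with basic roles are a common pivot point
                # for a compromised CI job or contractor workload.
                if member.startswith("serviceAccount:"):
                    findings.append({"kind": "service_account_basic_role",
                                     "role": role, "member": member})

    # Separation of duties: one identity holding several privileged roles.
    for member, roles in sorted(roles_by_member.items()):
        held = sorted(roles & PRIVILEGED_ROLES)
        if len(held) > 1:
            findings.append({"kind": "multiple_privileged_roles",
                             "role": ",".join(held), "member": member})

    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for a quick report."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = find_risky_bindings(SAMPLE_POLICY_JSON)
    for f in results:
        print(f"{f['kind']:28} {f['role']:45} {f['member']}")
    print(count_by_kind(results))
```

To run it against a real project, pipe the output of `gcloud projects get-iam-policy PROJECT --format=json` into `find_risky_bindings`. The check is deliberately read-only; deciding which findings are acceptable exceptions is the manual, documented step that the compliance discussion above is about.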
How Ignyte Can Help
The Ignyte Assurance Platform allows for a greater understanding of policy, compliance, governance, and risk mitigation through a visual representation of the steps taken to comply with a policy. For each piece of technology used we have constructed a demonstrable module which ingests the item and maintains a record of each action taken to meet or exceed any policy which may be put in place. This allows your organization to show the steps taken, the current progress, and what remains to be done in order to meet your regulatory needs, and it provides you with the information you need to present to management at any given time. We are ready for whatever technology you choose to use, and we ensure that technology is being used in a fashion which meets or exceeds any security standard that may be put in place, regardless of enterprise business strategy.
How can this be possible?
We have published datasheets and whitepapers spanning the healthcare and financial industries outlining exactly this, as well as an example specific to FedRAMP showing how Ignyte simplifies the compliance process. The Ignyte Assurance Platform is truly technology agnostic, providing a method for solving any issue through proven practice in the compliance space. Ignyte aids organizations regardless of technologies, business objectives, or compliance needs. Remember: technology alone does not satisfy compliance standards. It is up to your business to perform due diligence in order to meet compliance and regulatory standards. Ignyte can help manage this process, allowing you to extend your policies into the cloud as well as manage physical controls on-premises.