Cloud Compliance in 2022

This is the second in our series of 2022 trends. Last week we covered employee information management trends for 2022. This week we look at the trends for cloud compliance in 2022. 

Compliance – which in our context is specifically cybersecurity compliance – continues to be the way in which cybersecurity is managed and measured in modern IT. This is especially true is cloud services, where compliance standards have been an enabler to cloud growth. Cyber compliance standards like HIPAA, PCI DSS, NIST, and ISO 27001, help set the standards that businesses can use when evaluating how secure the cloud services are that they are evaluating and purchasing. 

As the nature of cybersecurity attacks change, so too do the standards for cybersecurity compliance. This leads to our big trends in cloud compliance for 2022. 

1. Companies Will More Broadly Apply CMMC to Their Non-Federal Clouds 

We discussed Cybersecurity Maturity Model Certification (CMMC) in a post a couple of weeks ago. This measurement standard from the Federal government will continue to expand into and provide influence over cybersecurity in the private sector. 

CMMC incorporates NIST SP 800-171 standards and provides a convenient five-level maturity measure. This type of measure has been used in IT in the past with the Capability Maturity Model (CMM) which was used by many CIOs in the early 2000s to measure their path toward better IT process and service orientation. 

With the recent announcement of CMMC 2.0, and with the prevalent knowledge of consultants that can lead IT organizations down the path of better cybersecurity, 2022 looks to be the year that CMMC measurement and reporting of the cloud becomes commonplace. 

2. Private-Public Hybrid Cloud Models Will Add Compliance Nuance 

In 2022, more companies will generate more of their data in the public cloud. Many of those companies will have policies to move portions of that data to their private cloud within defined periods of time. Which data is moved and when and where will continue to be a compliance challenge both for security as well as privacy. As compliance rules shift – like frequency of vulnerability scanning – companies that maintain hybrid clouds will need to update their procedures in both private and public contexts as well as the reporting for audits. Enforcement of data-related policies such as right to erase personal data will increase  

 3. Multi-cloud Application Compliance Will Become More Complex to Track  

When companies implement applications in a cloud today, they mostly isolate each application in one cloud – typically called hybrid cloud. Multi-cloud applications span more than one cloud and are increasing in popularity as different cloud vendors develop specialized and unique services. In 2022, more companies than ever will be using multiple clouds for a single application. 

For instance, maybe you develop a customer relationship management application for your sales team. You might store customer phone numbers in one cloud because their database service has privacy protections built-in, but you use a slick emailing app from another cloud that is easy to implement and extend. When emails and first names are temporarily stored in the second cloud, there becomes a second location for personally identifiable information (PII) to reside. Privacy policy understanding and enforcement is needed in both clouds, but without a rather technical review of each component of the application, this can be missed. 

Compliance audits and policy enforcement will need to get increasingly into the “weeds” on each application to understand where the cyber-risks are and how cyber-compliance policies apply. 

4. Compliance Ownership When Using Cloud-native Services Will Shift 

All the major clouds – AWSAzureGCPIBM – have co-management models for cloud compliance, but the policies are mostly utilized for first-gen cloud technologies like virtual machines. The differences in co-management of cloud compliance with cloud-native services have been treated as a special case by cloud providers. In 2022, the prevalent usage of cloud-native services will make it necessary for cloud providers to address the ambiguities of cloud compliance responsibilities that these services create. 

For example, with virtual machine implementations, responsibility for user credentials is clearly on the side of the customer. With cloud-native services, though, user credentials are exposed as they are used to access various services and/or are passed between services. How the user credentials are being handled by the cloud provider becomes important for compliance and security purposes for the cloud customer. 

What do you think about cloud compliance in 2022? What are your big concerns for the upcoming year? Let us know what you think at

CMMC Compliance Infographic

CMMC & Cloud Compliance

The Cybersecurity Maturity Model Certification (CMMC) is a new and still developing standard for measuring a company’s cybersecurity effectiveness.  CMMC is simply divided into five levels to allow organizations to put measures in place to reach the minimum cybersecurity necessary to protect customer data. The key to success is breaking the compliance process into smaller pieces and setting goals for achieving each level. Working with a company that can help you manage the project and work through implementing the needed security standards can make the process much easier and the likelihood of the success of the program much higher. Click to download our infographic to learn more.

CMMC and Cloud Compliance for Mid-Market Companies

The Cybersecurity Maturity Model Certification (CMMC) is a new and still developing standard for measuring a company’s cybersecurity effectiveness. It has been developed by the Department of Defense to measure and rate the cybersecurity practices of the Defense Industrial Base (DIB) who are supplying services to the DoD. 

While the CMMC only applies to DoD contractors, it is based on NIST CSF and NIST SP 800-171. These NIST frameworks are used across all industries to help companies gauge their cybersecurity effectiveness. CMMC combines NIST and other standards into a unified standard for cybersecurity, which can be applied to any company that wants to method for achieving higher levels of cybersecurity over time. 

CMMC is simply divided into five levels to allow organizations to put measures in place to reach the minimum cybersecurity necessary to protect customer data. The addition of a third-party audit organization (3PAO) certification provides proof that any organization working to achieve a certain CMMC level has the proper security measures in place.  

The five maturity levels range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” Each maturity level includes progressively more demanding process and practice requirements to achieve the certification level. 

Click To Download

Most mid-market and SMB companies will never need to go beyond Level 3 in the CMMC model unless they are doing work for the Federal government or another customer that maintains highly sensitive data and processes.  

In addition to the level, there are 171 practices and 5 processes across the five levels of CMMC maturity. These practices and processes are organized into 17 capability domains to make them more manageable. 

Looking at the number of practices and the capability domains can seem daunting. Since the CMMC and NIST are highly related, you can organize the CMMC Capability into the NIST Core Functions and then think about how you manage your cloud compliance to the CMMC levels by the functions. 

CMMC and the Cloud 

Since most mid-market companies are moving or have moved all their IT operations to the cloud, it is helpful to think of the CMMC in that context. If you move all your IT operations to the cloud, do you even need to worry about cybersecurity maturity? The answer is “yes”, but the good news is that the cloud and SaaS providers with whom you work will take on much of the cybersecurity burden and make achieving higher levels of CMMC easier. 

Looking at the following table, you can see that moving to the cloud allows a company to “outsource” much of its burden of CMMC requirements to the cloud provider. It is important as you look at a cloud or SaaS provider to know whether they are CMMC compliant themselves. You can use this as a framework to analyze whether they are following the necessary steps to be a partner in your CMMC success. 

CMMC compliance of cloud operations is very achievable for mid-market companies. The key to success is breaking the compliance process into smaller pieces and setting goals for achieving each level. Working with a company that can help you manage the project and work through implementing the needed security standards can make the process much easier and the likelihood of the success of the program much higher. 

4 Tips for Ensuring Compliance in the Cloud in 2020

Cloud Computing is well understood as a great method for increasing the speed of deployment and agility of managing IT infrastructure. For these reasons, the migration to and utilization of Cloud Computing continues to grow in both large enterprises and small businesses. However, this move towards increased use of the cloud – especially public cloud services – has increased the pressure for greater data protection regulations across the globe.

Unless you work for a very large organization that can cost justify developing and maintaining a private cloud infrastructure, utilizing Cloud technologies will mean relying on one or more public Cloud Service Providers (CSPs).39percent-of-IT-Decision-Makers-Consider-Themselves-Responsible

Recent high-profile data breaches have brought the risks associated with storing personally identifiable information (PII) into the limelight (i.e., the 2017 Equifax breach, the 2019 CapitalOne breach). Yet, the question of who is ultimately responsible for regulatory compliance remains a significant area of confusion. According to a recent study, only 39 percent of IT decision-makers considered themselves responsible for the compliance of data stored on cloud services. This is an incredibly dangerous mindset to possess, as by law, the ultimate responsibility for regulatory compliance remains firmly in the hands of the data owner – not the CSP.

Which Compliance Regulations Matter in the Cloud

The cybersecurity and data privacy compliance regulations that affect your company are dependent upon the industries in which you operate. Examples include federal government (FedRAMP), manufacturing (GMP), healthcare (HIPAA), real estate (CFPB), and financial services (FINRA, NYDFS). So, which regulatory requirements do you have to worry about in the cloud? The simple answer is the same ones that apply to your business already. Depending on your company’s industry, geographic location, and business function, this could be a range of compliance regulations, including:

  • National Institute of Standards and Technology (NIST)
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Financial Industry Regulatory Authority (FINRA)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Federal Information Security Management Act (FISMA)
  • Sarbanes-Oxley Act of 2002 (SOX)

It is important to understand how your data and processes within your cloud service are affected by all of the applicable regulations, including data storage and retention policies, user access and password policies, and Most of these compliance frameworks require periodic testing of your IT operations, as well as ongoing monitoring to ensure constant It is important to understand the requirements While the responsibility for maintaining compliance lies solely within your organization, you don’t have to take on this burden completely alone. The good news here is that a consultant or managed IT services provider can guide you through the compliance challenges to meet the necessary laws and regulations.

When it comes to ensuring that your cloud operations will be in compliance with the regulatory requirements of your business, here are a few key tips…’

4 Tips for Ensuring Compliance in the Cloud

1. Realize a Compliant Provider Will Not Make You Automatically Compliant

Depending on which regulation you are subject to, you may be required to use a cloud service provider that is certified with those regulations. But it is important to note that using a compliant provider does not in and of itself make your business compliant automatically. You still have to use the service in a compliant manner; it is your responsibility to ensure the provider maintains regulatory controls on an ongoing basis. And you still have to maintain compliance for your own IT operations which connect to the cloud service provider.

2. Know Where Your Data Will be Stored

Some compliance regulations have geographic restrictions on where certain types of data can be stored and processed. For example, the European Union Data Protection Directive requires personal data to remain within the borders of the EU or a third-party country that offers adequate protection based on their previously defined security standards. This can pose a very large challenge if your CSP operates data centers and stores your data around the world. There is good news here: being aware of this caveat is a large part of the battle. All reputable cloud service providers are aware of this issue and offer geographical nodes that customers can select for their data to reside in as a part of their service offering.

3. Understand Access Control

A large portion of regulatory IT compliance stems from ensuring proper controls are in place over who has access to what data in the system. During a compliance audit, you must be able to prove the level of access that each user has and how those various levels are maintained. Your CSP must be able to provide you with documentation outlining how the implement separation of duties for administrative functions. They must also be able to provide clear documentation showing which users had access to which systems when, and what data and systems were able to be accessed by each user.

4. Know Your Service Level Agreement (SLA)

Regardless of what compliance regulations you are subjected to, don’t assume your CSP’s terms and conditions will satisfy your requirements alone. You should know the details and fine print of your cloud services contract inside and out. Again – the sole responsibility of compliance in the cloud is ultimately up to you, not your provider. Your SLA should be very clear on roles and responsibilities, incidence response execution, and data breach remediation. Everything in the SLA must be in accordance with the regulations governing your business. The finer points of an SLA are able to be negotiated with the service provider before signing. Just don’t wait until you have signed to realize that all your bases are not covered.

The good news about ensuring compliance within your Cloud environment is that legitimate service providers will be able to provide the right service for you to meet your governing regulations. That said, you need to know how to apply the regulations properly to how you are using the cloud service. If you are concerned about your regulatory compliance in the cloud services you are using, we recommend bringing in a 3rd party IT service provider, such as Montra.

Montra’s cloud experts can examine your current cloud operations, navigate you through the best options for establishing full compliance, as well as monitoring your compliance over time.

For more information about how Montra can help with your cloud compliance, contact us today.