This is the first in a series of posts about how different compliance and regulatory frameworks work and how YugabyteDB can be an essential part of a company’s compliance efforts. This installment is an overview of the different international compliance frameworks companies encounter on their journeys with customers.
What’s the Purpose of a Compliance Framework?
A compliance framework is a set of guidelines, baselines and best practices that companies use to establish internal controls meeting regulatory requirements, business objectives, and privacy and security standards. Frameworks are a common language used by auditors, potential customers, investors and companies themselves to measure where a company stands in its compliance journey. Compliance is always a moving target because of the complexity of the relevant standards and the frequency of changes to them, so the journey is rarely ever complete.
Compliance frameworks come in all shapes and sizes, but for purposes of this series, we’re focusing on the most common frameworks looked at by consumers of database services.
Overview of Compliance Frameworks
Cloud Security Alliance Controls Matrix (CCM)
The Cloud Security Alliance is a worldwide organization that defines best practices to help ensure secure cloud computing environments. The Cloud Controls Matrix (CCM), now on version 4, is designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. It takes into account other security standards, regulations, and control frameworks such as ISO, PCI and NIST, discussed below.
Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP is the U.S. government’s approach to security assessment, authorization, and continuous monitoring for cloud products and services. The goals are to:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Improve confidence in the security of cloud solutions and security assessments
- Achieve consistent security authorizations using a baseline set of agreed-upon standards for cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practices
- Increase automation and near real-time data for continuous monitoring
Cloud Infrastructure Provider Architecture Frameworks
AWS, Google Cloud and Azure provide cloud architects with architecture frameworks to help build secure infrastructures for cloud applications and workloads. The principles behind the frameworks overlap:
- Operational excellence
- Security, privacy, and compliance
- Performance & cost optimization
Sarbanes-Oxley Act (SOX)
It’s hard to start any discussion of security compliance without addressing the mother of all modern compliance frameworks, the Sarbanes-Oxley Act of 2002. Enacted in the wake of a series of corporate and accounting scandals in the early 2000s, SOX is a U.S. federal law designed to protect public company investors by ensuring consistency in financial practices and corporate governance. The internal control framework delves into several internal control items to ensure the integrity of financial data, including:
- Access controls: controls to prevent unauthorized users from accessing financial information, e.g., location of servers and data centers, password controls
- IT security: controls to prevent data breaches and tools to remediate security incidents
- Data Backup: controls ensuring backups of sensitive financial data
- Change management: controls around securely making changes to databases and data infrastructure, and ensuring data integrity with processes around adding and maintaining users, and installing new software
Payment Card Industry Data Security Standard (PCI-DSS)
The PCI Security Standards Council is a global industry organization that develops and drives adoption of data security standards and resources to enable safe financial payments. PCI-DSS is an information security standard for entities (including service providers) involved in payment card processing, and is designed to protect cardholder data. It has 6 control objectives, each with several sub-requirements, for building and maintaining a secure network and systems:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Information Security & Data Protection
ISO/IEC 27001, the information security management standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is the leading worldwide framework for the management of digital information. While not obligatory, it is widely recognized to cover a broad range of assets including financial information, IP, employee details and third-party information, and certification is recognized all around the world.
ISO/IEC 27001 protects three aspects of information:
- Confidentiality: only the authorized persons have the right to access information.
- Integrity: only the authorized persons can change the information.
- Availability: the information must be accessible to authorized persons whenever it is needed.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework is a voluntary framework that contains standards, guidelines, and best practices to manage cybersecurity risk. Certain government agencies and companies require NIST compliance as part of contracts, but it’s not a requirement. It is, however, a good shorthand to use with customers regarding practices around keeping data and systems secure.
Center for Internet Security (CIS) Controls
CIS Controls are a prioritized set of 20 security controls to protect organizations and data from known cyber attack vectors.
Control Objectives for Information and Related Technology (COBIT)
Created by the Information Systems Audit and Control Association (ISACA), COBIT is a framework for enterprise IT governance and management that defines components to build and sustain a data governance system, and the design factors that should be considered by enterprises to build a best fit data governance system.
SOC 2: Type II
The American Institute of CPAs (AICPA)’s Service Organization Control (SOC 2) is an auditing procedure that defines criteria for managing customer data in the cloud based on five principles: security, availability, processing integrity, confidentiality, and privacy. It requires a series of security policies and procedures that encompass best practices based on those principles.
GAIA-X
GAIA-X is a project for the development of an efficient, competitive, secure and trustworthy data infrastructure for Europe, supported by representatives of business, science, and administration from Germany and France, together with other European partners. Its goal is to create a proposal for the next generation of data infrastructure for Europe and to foster the digital sovereignty of European users of cloud services. It is based on European values of transparency, openness, data protection and security.
Health Information Privacy/Security
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA established U.S.-based standards for protecting healthcare data from both a security and a privacy perspective. The HIPAA Privacy Rule was the first national standard to protect patients’ personal or protected health information, and the Security Rule established national standards for securing patient data that is stored or transferred electronically.
Health Information Trust Alliance (HITRUST)
HITRUST enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework. HITRUST was organized with the intent of giving the healthcare sector an option to address information risk management across a matrix of third-party assurance assessments, with the hope of consolidating, reducing, and in some cases eliminating the need for multiple reports. HITRUST refers to this design element as “assess once, report many.”
General Data Protection Regulation (GDPR)
GDPR is an EU-based regulatory framework but applies to any organization that does business in the EU or interacts with EU citizens. It is the most privacy-forward legislation in the world right now, treating privacy as a fundamental human right and adding a lot of detailed requirements. Fines and penalties for non-compliance are significant (€20 million or 4 percent of annual revenue).
California Consumer Privacy Act (CCPA)
The CCPA is America’s most privacy- and security-forward legislation, and in some ways parallels GDPR. It affords California residents robust data privacy rights and control over their personal information, including:
- Right to know
- Right to delete
- Right to opt out of the sale of PII
- Right to access
- Non-discrimination based on exercising privacy rights
National Institute of Standards and Technology (NIST) Privacy Framework
The NIST Privacy Framework is a voluntary tool meant to cover the intersection between cybersecurity risks and privacy risks. It is fairly high-level, with the goal of enabling companies to communicate and prioritize privacy protection activities and outcomes. It contains privacy protection activities and outcomes, along with some benchmarks for judging whether a company’s privacy processes and resources are sufficient.
ISO/IEC 27701 Privacy Information Management
ISO/IEC 27701 is a privacy extension to the ISO/IEC 27001 and 27002 cybersecurity standards. It specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a privacy information management system.
In future installments, we’ll cover how YugabyteDB can be used to help organizations meet some of these fundamental framework requirements.