Compliance programs by nature are designed to address perceived threats or risks to an industry or community, but how can you ensure that they will evolve as your deployment infrastructure, environments, and applications change—especially in the cloud?
Cloud technology is a core part of today’s business across all industries, and with it come new risks. Consider the applications running in the cloud: new code is deployed to them daily, and without proper monitoring any of those changes could degrade the compliance posture. So how can compliance monitoring and auditing programs be set up to address these risks?
Compliance ≠ security
While compliance programs have the best intentions of creating secure environments, compliance does not equate to security. In fact, it can create a false sense of security: passing an audit guarantees nothing, especially given the rapid pace of cloud and development change.
While compliance programs help set a baseline for controls, these are based on common threat vectors. For example, a compliance standard may call for strong passwords to protect system access, but this may not take into consideration attackers using complex phishing or injection attacks to extract credential information or bypass password controls altogether.
Cloud-based breaches and other major reported security events have helped shape better cloud security practices and the development of better controls, with automation that ties into compliance programs. However, this is a reactive approach and offers no answer to unknown (zero-day) or future threats. This is compounded further with cloud microservices, which not only have to meet the same compliance standards but also must be constantly monitored for security and compliance posture.
How do companies stay on top of compliance in the cloud?
The steps to maintain security and compliance in the cloud are continuous, and can feel overwhelming if not backed with the right team, technology, and process. Here are some critical steps leading organizations are taking to ensure compliance in the cloud.
Step 1: Visibility of cloud assets
You can only protect what you can see and know exists—which is especially challenging with microservices. In the cloud, virtualized resources are your assets. It is therefore imperative to have well-defined systems in place that are designed to scale while continuously monitoring your cloud deployment. For many organizations, asset monitoring and tracking is also a way to be more cost-effective, since operations should be designed to scale up or down as needed. Automation of cloud operations provides the inventory and configuration of assets, and with it visibility.
Step 2: Mapping the Compliance Framework
Choose the compliance program based on your industry or market need, and make sure the technology in place can map to the latest standards. For businesses that are not subject to regulatory standards, the needs of the customer base can guide the decision, as customers may seek out vendors that meet standards relevant to their industry. Another good starting point is a common business standard such as those established by the National Institute of Standards and Technology.
Step 3: Evaluation including exclusions and customization
With any compliance program, it is worth examining how others have built solutions to meet the compliance frameworks. For instance, PCI frameworks indicate the need for specific cardholder data system components (rather than the entire network or interconnected system) to receive the bulk of the protections. This results in segmenting and firewalling portions of the system to isolate compliance controls to only those systems and data in the given scope. Customization of a system to meet compliance requirements may result in cost savings and efficiencies.
Step 4: Monitoring, frequency of continuous assessment checks, integrating with workflow tools
Most compliance programs follow the model that controls should be operational at all times. This also means that they should be monitored at all times. To make this manageable for cloud security teams, leverage tools that provide workflow automation: continuous compliance and security scanning, notifications, and ticketing that together keep the controls effective. These tools should also provide a streamlined view for the organization, resulting in both heightened visibility and control.
Step 5: Automated remediation
Systems operating in the cloud are considered more complex than their traditional counterparts. There are many areas where organizations can automate remediation, including security tasks, such as adding or removing users of a system, or more complex workflows, such as combining order processing with multi-system confirmations to guarantee accuracy, privacy, and confidentiality. Complex controls, such as high-volume logs and threat scanning and analysis, are often done via automation rather than manually to boost value and efficiency. However, it is important to exercise caution with automation of monitoring actions, especially in cases where there is a high likelihood of false positives.
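The following is an added example, not code from the original article or from any particular CSPM product, that ties Steps 1, 3, 4 and 5 together: an inventory snapshot (constructed), a control set mapped to compliance scopes so that only cardholder-data assets receive the PCI controls, an evaluation run, a drift check between two snapshots, and a per-control flag deciding whether a failure is safe to auto-remediate or should go to a ticket because false positives are likely. All asset ids, control ids and field names are constructed placeholders.

```python
"""Continuous compliance check over a constructed cloud asset inventory (added example)."""
from dataclasses import dataclass
from typing import Callable

# Step 1: inventory snapshot. Tags carry the compliance scope (Step 3: only
# components in the cardholder-data scope receive the PCI control set).
# Constructed sample data, not a real environment.
INVENTORY = [
    {"id": "db-payments", "type": "database", "scope": "pci",
     "encrypted": True, "public": False, "mfa_admins": True},
    {"id": "web-shop", "type": "vm", "scope": "pci",
     "encrypted": True, "public": True, "mfa_admins": False},
    {"id": "log-bucket", "type": "storage", "scope": "internal",
     "encrypted": False, "public": False, "mfa_admins": True},
]

@dataclass
class Control:
    cid: str                          # constructed control id, not a real PCI requirement number
    scopes: set                       # asset scopes this control applies to
    check: Callable[[dict], bool]     # True when the asset satisfies the control
    auto_fix: bool                    # Step 5: safe to remediate without a human?

CONTROLS = [
    Control("ENCRYPT-AT-REST", {"pci", "internal"}, lambda a: a["encrypted"], auto_fix=True),
    # A web tier may legitimately be public, so this check has a high false-positive
    # rate: route to a ticket instead of auto-remediating.
    Control("NO-PUBLIC-EXPOSURE", {"pci"}, lambda a: not a["public"], auto_fix=False),
    Control("ADMIN-MFA", {"pci", "internal"}, lambda a: a["mfa_admins"], auto_fix=False),
]

def evaluate(inventory, controls):
    """Findings as (asset id, control id, action) for every failed, in-scope control."""
    findings = []
    for asset in inventory:
        for c in controls:
            if asset["scope"] in c.scopes and not c.check(asset):
                findings.append((asset["id"], c.cid, "remediate" if c.auto_fix else "ticket"))
    return findings

def posture(inventory, controls):
    """Fraction of in-scope (asset, control) pairs that pass; the dashboard number."""
    pairs = [(a, c) for a in inventory for c in controls if a["scope"] in c.scopes]
    return sum(1 for a, c in pairs if c.check(a)) / len(pairs)

def new_findings(before, after, controls):
    """Step 4: findings introduced between two snapshots, i.e. drift from a deployment."""
    return sorted(set(evaluate(after, controls)) - set(evaluate(before, controls)))

if __name__ == "__main__":
    for f in evaluate(INVENTORY, CONTROLS):
        print(f)
    print(f"posture: {posture(INVENTORY, CONTROLS):.3f}")
```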
Step 6: Reporting and auditing
In cases where the cloud implementation supports a compliance framework, reporting is also required. In many cases, the cloud service provider (CSP), who maintains physical control of the cloud infrastructure, does this reporting. Here you will need to ensure your CSP provides regular, satisfactory reporting that these compliance controls are meeting your needs.
Customers may also require this information, or require your business to acknowledge use of a specific cloud provider in the contractual agreement, along with your responsibility to review and maintain the veracity of those third-party controls.
Many times, the CSP audit reports are the only means to verify a vendor’s security controls, because vendors do not have the operational capacity to let each of their customers audit them. It’s important to consider this as you evaluate the risk of any cloud vendor and to follow up on any concerns regarding their compliance reports.
A final note on using your cloud service provider’s audit reports is that these are often sensitive and restricted use reports, so the ability to share this information with your customers is sometimes limited. Check with your legal or compliance team to ensure that you do not claim your CSP vendor compliance certification information as your own unless the CSP vendor has allowed it.
In addition to CSP and auditor reports, organizations often rely on the reporting capabilities within their cloud security posture management tooling, since it places all cloud assets in the context of the compliance framework.
Compliance is not a cure-all
While compliance is no guarantee of security in the cloud, it can assist both the customer and the CSP in a common approach, with steps towards managing risk and applying relevant controls. The value of compliance programs is that they underscore the importance of data security to the cloud service provider and customer alike and typically enforce a minimum level of security controls.
However, it is important that complexities introduced by the cloud are appropriately managed. Security constructs, such as virtual networks, containerization, microservices, virtual firewalls and other cloud-based offerings, are not as easily managed as a traditional environment. And compliance requirements do not always reflect the complexities of new cloud systems or indicate where problems with traditional security approaches do not work as well in the cloud.