I was doing some compliance research recently and came across the following statistic from the Veritas Truth in Cloud Study:
"76% of organizations believe that their cloud service providers take care of all data privacy and compliance regulations."
Once I had a chance to collect my jaw from the floor, I began to write this blog post.
According to the Shared Responsibility Model, the customer (you) are responsible for ensuring the security, privacy and compliance of your workloads and data in the cloud.
For this post, let’s zero in on compliance.
There are more compliance frameworks than I can count on two hands, and depending on your industry, it's mandatory to comply with one or more of them. Here is a small handful, for example:
- ISO 27001: International standard
- SOC 2: Popular in the U.S., particularly with financial services and SaaS providers
- FedRAMP: Government clients; based on NIST 800-53
- PCI: Credit card payment processing
- HIPAA: Healthcare patient data
- GDPR: Personal data
Become intimately familiar with the frameworks that apply to your business as a prerequisite. From there, you can start tackling roles and responsibilities within your organization.
Cloud Security and Compliance Is a Team Sport
We hosted a webinar on this very topic back in October, but I think it’s important to reiterate some of the key players and their responsibilities around ensuring compliance.
EVERYONE plays a role.
I like to categorize them into three buckets:
- Management (e.g., C-levels): These are the people who are legally responsible if your organization is out of compliance. Beyond the damage to the brand, these individuals personally bear the repercussions, up to and including jail time.
- Compliance (e.g., internal auditor and governance teams): These people are the interface between the business and the governance powers that be. They must make sure compliance programs are up to date and being tested consistently.
- InfoSec and Developers (e.g., SecOps and DevOps): These people are assigned the work the audit team needs in order to produce proof of compliance.
And we can drill down even further. Let’s look at the roles and priorities of three key players and the variance based on your organization’s level of cloud maturity.
| Role | Adopt Phase | Expand Phase | Scale Phase |
|---|---|---|---|
| SecOps | | Automating security monitoring & assessment for full visibility | Automating enforcement of policy |
| DevOps | Adopting a security-first approach; learning what is available from CSPs | Developing processes to ensure best practices are followed | Automating workflows to validate configuration BEFORE deployment |
| Compliance | Learning plans and impact of deployments; understanding what is inherited from CSPs | Performing periodic measurement to identify gaps in compliance | Compliance scorecard by month, week or day |

Figure 1: Cloud maturity levels
The Underlying Contention Between Teams
It's arrived: the dreaded compliance audit. As if SecOps and DevOps weren't busy enough with incident response, they must now shift focus and take on a pile of extra work to help the compliance team secure a passing score for the security audit. That audit is typically a manual process that consumes significant time and resources and causes hefty delays for their own priority initiatives outside compliance. Herein lies the problem.
The good news is that automation can help reduce this contention and unite these teams for the greater good: continuous compliance.
Security by Design - Automating Policy Enforcement
According to the RightScale 2018 Cloud Security Report, 42% of organizations are focused on automating policies for governance. This is good news. Even better, compliance requirements can be fulfilled in the cloud with the right strategy, tools and governance, all rooted in automation.
Automating policy enforcement is hugely beneficial. It helps ensure visibility of policies across clouds and the larger organization, and propels innovation through confidence that critical policies and standards are always being upheld. Here are some points to keep in mind as you build your strategy and execution:
- Take a “Shift Left” Approach. Be sure to involve policymakers at each step, and as each project is deployed. Also, don’t forget that incidents will happen. Account for these as part of your project delivery timelines upfront.
- Take a Cloud-Centric Approach. Remember that the cloud is not your data center. You must approach security and compliance, including automated policy enforcement, differently.
- Prototypes Become Permanent. In the cloud, it’s never just an experiment. As quickly as you can say “cloud workload,” your “experiment” can be exposed on a massive scale.
Maintaining compliance as requirements increase and expand in scope can be challenging. The Palo Alto Networks RedLock security and compliance service continuously monitors all cloud resources for potential compliance violations and provides customizable one-click compliance reports. Click-through controls resolve issues quickly in the face of ever-changing configurations and development requirements.
Want to learn more? Check out our on-demand webinar: 12 AWS Best Practices to Get You #CloudFit