Best practices for ensuring compliance in the age of cloud computing
When was the last time you heard someone utter the sentence, “I’m looking forward to the audit next week.” Most likely, never. Since its invention, the word “audit” has struck … well, if not terror, then certainly groans in the individuals responsible for ensuring the resources being audited are compliant with appropriate regulations. The fact is that compliance is still largely a manual set of processes, even as the regulatory landscape grows continually more complex. Finding and hiring enough qualified compliance people is difficult and, ultimately, doesn’t scale well.
Complicating things further is the move to elastic infrastructure like public and private clouds. Ensuring compliance with necessary regulations like PCI, HIPAA, SOC 2, SOX, etc. in the era of on-premises, captive data centers was challenging enough. But as organizations move to cloud-based and/or virtualized infrastructure, the job becomes nearly impossible. While the cost and agility benefits of cloud computing are simply too significant to ignore, for the compliance teams this creates special challenges, many of which have yet to be considered by the majority of enterprises.
The good news is that help is on the way. Let’s outline the major considerations organizations should incorporate into their compliance programs, as well as some pitfalls that can be avoided to ensure businesses can realize the benefits of cloud computing and still maintain compliance with appropriate regulations.
Make security the first goal
Many companies faced with compliance issues fall into a very common trap, often referred to as the “compliance = security” mindset. This thinking concludes that if a company goes to the trouble to be compliant (this means compliant to any number of regulations – HIPAA, PCI, etc.), then it will be effectively “secure.” Unfortunately, nothing could be further from the truth. Witness some of the major retail security breaches of this year – most of those organizations were PCI compliant! As with many kinds of regulations, compliance really represents the absolute least amount of effort required.
That’s not to say that compliance isn’t important – it is. And even with the best of efforts, 100 percent security is never guaranteed. But if companies with cloud infrastructure want to give themselves the best chance to avoid the very severe consequences that come with a major breach, they need to focus on security first, then ensure compliance.
Maintaining visibility in a world of multiple cloud models
The first place to start with any security or compliance initiative is visibility. You can’t secure what you can’t see. This means having 100 percent visibility into all technology assets and services: where all of your digital assets are located, as well as their status. Know what you’ve got and what it’s doing at all times. This sounds incredibly basic, but given the automated, elastic, on-demand nature of modern virtual infrastructure, visibility can be a challenge. Compound that by firms using multiple public and hybrid cloud models, and you can begin to see the complexity involved in maintaining transparency and visibility for all of your organization’s digital assets.
Once you understand what’s going on with your infrastructure, applications, data and users, you can begin to understand how to limit your attack surface and better prevent and mitigate attacks. This often requires great relationships with your cloud service providers, which brings us to our next point.
In the cloud, compliance is a shared responsibility
If you’re going to be using cloud services of any kind, you will want to develop a great compliance and governance relationship with your service provider. Oftentimes, organizations believe they are compliant if their service provider is compliant – that’s simply not the case. Nor is the reverse true.
Public cloud service providers have established a shared responsibility model for security and compliance. Typically, this means that the service provider is responsible for physical security and access controls to the infrastructure at the hypervisor layer while clients are responsible for securing everything else, including all assets running on the server instances (applications, web servers, databases, etc.). This means that clients must monitor and log all appropriate compliance-related data for this infrastructure. Get familiar with the details of your service provider’s shared responsibility model and understand how it fits into your compliance model. The good news is that most cloud providers are paying more attention to the compliance needs of their clients.
Automate or die!
Manual processes are killing compliance teams, who are typically understaffed and overworked. Sure, you can hire more people, if you have the budget and can find enough qualified candidates, but this approach won’t scale. And with the dynamic nature of elastic infrastructure, where workloads and servers can be provisioned and decommissioned in minutes (often without notice to, or the knowledge of, the GRC team), the compliance workload is only going to get bigger, not smaller. Unfortunately, compliance teams are trapped using manual processes, which can be a major obstacle to business agility. But until now, there’s been no alternative; the consequences of being out of compliance are severe – fines, lawsuits, shutdown of operations and loss of customers.
The question then turns to “How do I ensure compliance while still maintaining real-time, agile workflows?” Luckily, there is an emerging set of compliance automation solutions on the market today that take much of the manual process out of the equation. These solutions work in any cloud infrastructure, are focused on the workload itself and are capable of ensuring compliance with hands-free, automated data collection, organization and analysis. Many of these solutions also enable security to be baked into a DevOps continuous delivery approach, ensuring that new workloads are protected from the start and empowering security teams to move at DevOps speed. By automating compliance at the individual-workload level, companies can alleviate much of the manual burden on compliance teams while retaining the business agility that drove them to cloud infrastructure in the first place.
Compliance in motion
OK, so you passed the audit; now what? For most compliance organizations, the job of preparing for the next audit starts when the previous one ends, again with lots of manual effort. However, when properly integrated with security automation solutions and DevOps methods, compliance teams can now break this pattern by adopting a strategy of compliance in motion. This means that compliance can become a continuous process that never sleeps: your systems (especially the elastic ones that come and go on a dime) are constantly monitored and secured, and all relevant activity is logged in near real time. Preparing for an audit becomes much easier, and your compliance team can now focus on anomalies and remediation.
Compliance and risk teams that adopt these best practices will go a long way towards helping the business realize the benefits of cloud computing models, while at the same time ensuring critical compliance objectives are met in a modern, automated, continuous cycle.