How the cloud can cure your compliance headaches
Anyone who has ever worked in compliance can attest to the fact that it can be cumbersome and tedious. It often involves screenshots, spreadsheets, and other inefficient (and not-so-exciting) activities.
But how does cloud change traditional approaches to compliance and security? And how can maximizing the capabilities of cloud save your organization time, stress, and potential regulatory impacts for non-compliance? Let’s have a look.
What is the shared responsibility model?
One of the primary benefits for cloud consumers related to compliance is the shared responsibility model (SRM).
The shared responsibility model creates a scenario where the consumer is no longer responsible for the entirety of the security controls from their applicable frameworks. Instead, some are met by the cloud service provider (CSP), some are shared controls between the CSP and the consumer, and some are left to the consumer.
Controls the CSP meets can be inherited by organizations consuming its services. This helps tremendously, especially for SMBs (small-to-medium businesses) without robust infrastructure, IT/cybersecurity staff, or budgets. Inheritance still has to be evidenced, though: an auditor will expect the CSP's own attestations (the SOC reports or FedRAMP authorization package the provider publishes) and a clear statement of which controls are inherited, which are shared, and which remain with you.
Many of these compliance controls equate to financial investments, expenses, and resource allocations in both time and staff. By leveraging the shared responsibility model, you can lean on the CSP and take advantage of the investments it has made at scale, serving thousands of customers around the world under a wide range of compliance frameworks.
IaaS and compliance
For example, in the Infrastructure-as-a-Service (IaaS) model, organizations no longer need to be concerned with the underlying physical infrastructure, hardware, and its associated security controls (physical access, environmental protections, hardware disposal). What they provision on top of it, the guest operating systems, network configuration, identity and access, and the data itself, remains their responsibility.
PaaS and compliance
Taken a level higher, in Platform-as-a-Service (PaaS), organizations can use managed services to avoid being concerned not only with the underlying hardware but also with the operating systems and their patch and update cycles. Patching is cumbersome for many organizations, and exploitation of vulnerabilities for which a patch was already available remains a common occurrence.
SaaS and compliance
Lastly, at the Software-as-a-Service (SaaS) layer, customers don't have to worry about infrastructure, operating systems, or software development; they simply consume the available software to support their business activities. Each layer of abstraction in the consumption model trades away control in exchange for less responsibility, a tradeoff organizations must weigh against their risk tolerance. Even at the SaaS layer, identity, access rights, and the data placed in the service stay with the customer.
A customer can seek out the cloud service offerings and features that align with their compliance framework(s) and use them to architect solutions for their organization. Given that most of the cloud data leaks and breaches seen in recent years have occurred on the customer's side of the shared responsibility model, typically through customer misconfiguration, it makes sense for customers to lean into the SRM, maximize the value the CSP offers, and focus their own effort on their core competencies and business activities.
Templates and IaC simplify compliance
Large-scale CSPs such as AWS, Azure, and Google Cloud (GCP) are specifically tailoring offerings to expedite and alleviate the compliance burden on their customers.
CSPs are producing policy document templates with cloud-specific inputs, which the consumer can populate with their organizational data in support of specific compliance frameworks. This documentation is often time-consuming and strenuous to produce, and templates ease some of that burden.
In the cloud, infrastructure and architecture are quickly becoming code, through offerings such as Azure Blueprints, AWS CloudFormation, and CSP-agnostic tools such as Terraform from HashiCorp.
Because the infrastructure and architecture are now code, they can be version-controlled, peer-reviewed before being merged, and audited: the commit history records who changed what, when, and why, which is itself compliance evidence. Code is also portable in a way that hand-built environments are not.
CSPs and third parties can provide Infrastructure-as-Code (IaC) templates to quickly spin up compliance-oriented architectures aligned with various frameworks, which customers can take, provision, and build on. This massively cuts down the time needed to custom-architect and implement environments from scratch to align with compliance security controls.
It also helps organizations without deep IT/cybersecurity expertise that still need an architecture and environment in place which aligns with their applicable compliance framework(s). A template is a starting point rather than an accreditation: it does not know your data classification or your system boundary, so review and tailor it before treating it as evidence.
What is Compliance-as-Code?
Building on IaC is what is known as Compliance-as-Code (CaC). CaC means expressing your compliance requirements in a machine-readable form (policy languages such as Open Policy Agent's Rego or HashiCorp Sentinel, or provider-native rule sets such as AWS Config rules and Azure Policy) that can be automatically deployed, tested, monitored, and reported on across your entire enterprise environment.
This gives you the ability to know exactly what is occurring, which compliance deviations exist, and, if taken further, to automatically remediate them. It takes what often exists as PDFs and lengthy policy documents and integrates it with the technology stack most organizations are adopting. Because the requirements and controls live in the codebase rather than in documentation many will never read, the probability of adherence is higher, and every evaluation leaves a record that can be handed to an auditor.
What are reference architectures?
On top of IaC templates that customers can quickly provision, AWS, Azure, and GCP also publish reference architectures for customers to draw on as they build their own.
This guidance is extremely valuable and carries the experience of hyperscale providers that have helped thousands of customers architect environments tailored to specific compliance frameworks. These architectures typically cover best practices in a variety of areas such as operations, resilience, cost optimization, and security.
As organizations increasingly adopt Continuous Integration/Continuous Deployment (CI/CD) pipelines to promote code and provision infrastructure, you can also integrate security scans directly into the pipeline to catch insecure configurations and compliance deviations BEFORE they are ever provisioned in the environment. In practice the scan runs against the plan or template (for Terraform, the JSON form of the plan) and fails the job, so nothing non-compliant reaches the apply step.
When we talk about "shifting security left," these activities are the epitome of that process. You reduce the number of vulnerabilities you have to scan for, track, and remediate by preventing them from ever entering the environment.
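The following is an added example of the pipeline gate described above and of the Compliance-as-Code idea from the previous section; it is not code from the original page or from any CSP tool. It reads the JSON that `terraform show -json <planfile>` produces, walks every planned resource (including nested modules), applies a small set of rules written as code, and returns a non-zero exit code so the CI job fails before `terraform apply`. The sample plan is constructed for this example, and the control labels in the findings are illustrative tags, not exact benchmark control numbers.

```python
"""Shift-left compliance gate: evaluate a Terraform plan before anything is applied.

Added example, not code from the original page. It reads the JSON that
`terraform show -json <planfile>` emits, walks every planned resource and
fails the CI job if any rule fires. The sample plan is constructed and the
control labels are illustrative, not benchmark numbering.
"""
import json
import sys
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List

ADMIN_PORTS = {22, 3389}     # SSH and RDP
ANY_IPV4 = "0.0.0.0/0"


@dataclass(frozen=True)
class Finding:
    address: str    # Terraform resource address, e.g. aws_security_group.bastion
    control: str    # illustrative control label
    message: str


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield managed resources from a planned_values module tree, recursing into child modules."""
    for res in module.get("resources", []):
        if res.get("mode", "managed") == "managed":
            yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_security_group(res: dict) -> Iterator[Finding]:
    """Flag ingress rules that expose an administration port to the whole internet."""
    for rule in res["values"].get("ingress") or []:
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        if ANY_IPV4 in (rule.get("cidr_blocks") or []) and any(lo <= p <= hi for p in ADMIN_PORTS):
            yield Finding(res["address"], "CIS-AWS/admin-port-ingress",
                          f"ports {lo}-{hi} open to {ANY_IPV4}")


def check_s3_bucket(res: dict) -> Iterator[Finding]:
    """Flag buckets whose canned ACL grants public access."""
    acl = res["values"].get("acl")
    if acl in ("public-read", "public-read-write"):
        yield Finding(res["address"], "S3/no-public-acl", f"bucket acl is {acl}")


def check_db_instance(res: dict) -> Iterator[Finding]:
    """Flag unencrypted or internet-reachable RDS instances."""
    values = res["values"]
    if not values.get("storage_encrypted", False):
        yield Finding(res["address"], "RDS/encryption-at-rest", "storage_encrypted is false")
    if values.get("publicly_accessible", False):
        yield Finding(res["address"], "RDS/no-public-endpoint", "publicly_accessible is true")


# Resource type -> rule. Adding a control means adding a function here, nothing else.
CHECKS: Dict[str, Callable[[dict], Iterator[Finding]]] = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_s3_bucket,
    "aws_db_instance": check_db_instance,
}


def scan_plan(plan: dict) -> List[Finding]:
    """Apply every registered check to every planned resource of a matching type."""
    findings: List[Finding] = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings


def gate(plan: dict) -> int:
    """Exit code for the CI step: non-zero blocks `terraform apply`."""
    findings = scan_plan(plan)
    for f in findings:
        print(f"FAIL {f.address}: [{f.control}] {f.message}")
    return 1 if findings else 0


# Constructed plan fragment in the shape of `terraform show -json`; not real infrastructure.
SAMPLE_PLAN = {
    "format_version": "1.1",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_security_group.bastion", "mode": "managed", "type": "aws_security_group",
             "name": "bastion", "values": {"ingress": [
                 {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
            {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
             "name": "logs", "values": {"acl": "private"}},
        ],
        "child_modules": [{"address": "module.db", "resources": [
            {"address": "module.db.aws_db_instance.main", "mode": "managed", "type": "aws_db_instance",
             "name": "main", "values": {"storage_encrypted": False, "publicly_accessible": False}},
        ]}],
    }},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python gate.py plan.json
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    sys.exit(gate(plan))
```

Run it as a pipeline step after `terraform plan -out=tfplan && terraform show -json tfplan > plan.json`; the same rule functions can be reused by the drift-detection side of the house, which is what makes this compliance-as-code rather than a one-off linter.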
APIs, on-demand assessments, and drift detection/remediation
One of the most valuable areas where cloud is breaking traditional compliance paradigms is around the topic of on-demand API-driven architectures and environments.
In traditional on-premises compliance activities, you are often left resorting to sampling and screenshots both to evaluate the systems being assessed and to prove that configurations and settings match requirements. This is time-consuming and inefficient, and, most importantly, it does not provide full assurance that the environment meets the controls, since you are only examining a subset of it.
In the cloud, these environments are API-driven, meaning you can assess their compliance and security posture on demand and across the full scope of the systems you are targeting or interested in. Using services such as AWS Config, or Azure Policy as surfaced in Azure Security Center (now Microsoft Defender for Cloud), you can evaluate your resources and environment configurations against specific frameworks of your choosing.
Taken a step further, not only can you query compliance on demand, you can also implement notifications and, if desired, auto-remediation that reverts non-compliant configurations to a compliant state. If someone inadvertently or maliciously makes a change that alters the compliance (or security posture) of your environment, it can be remediated automatically. Treat that remediation path as privileged: the role that reverts changes can alter anything it is allowed to touch, so scope it tightly, make the actions idempotent, and log every action so the revert itself is auditable.
No more screenshots, no more sampling, and no more manual interventions to restore compliant and secure environments. Instead, maximize the use of API- and event-driven architectures, coupled with automation, to ensure both compliance and security.
Given that compliance frameworks are often tied to fundamental and critical security controls, automating remediation of non-compliant resources and configurations is an excellent way to narrow the window in which a misconfiguration is exploitable.
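As an added example of the event-driven detect-and-revert loop described above (not code from the original page, and not an AWS-provided rule), the block below follows the shape of an AWS Config custom rule invocation: the handler receives an `invokingEvent` JSON string carrying a `configurationItem`, evaluates it against rules written as code, produces records in the shape a real handler would pass to `boto3.client("config").put_evaluations(...)`, and then reverts each non-compliant finding while writing an audit trail. Everything runs against an in-memory account inventory; the rule names, the simplified configuration item fields, and the timestamps are constructed for this example, and no AWS API is called.

```python
"""Continuous compliance: evaluate a configuration change and auto-remediate drift.

Added example, not code from the original page. It mirrors an AWS Config
custom-rule invocation (invokingEvent -> configurationItem) and emits
put_evaluations-shaped records, but the account inventory, rule names and
simplified configuration fields are constructed; nothing calls AWS.
"""
import copy
import json
from typing import Callable, Dict, List, Optional

PAB_KEYS = ("blockPublicAcls", "blockPublicPolicy", "ignorePublicAcls", "restrictPublicBuckets")


def rule_public_access_block(cfg: dict) -> Optional[str]:
    """Annotation when any of the four S3 public-access-block flags is off, else None."""
    pab = cfg.get("publicAccessBlock", {})
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    return f"public access block incomplete: {missing}" if missing else None


def rule_default_encryption(cfg: dict) -> Optional[str]:
    """Annotation when bucket default encryption is not SSE-S3 or SSE-KMS."""
    if cfg.get("serverSideEncryption") in ("AES256", "aws:kms"):
        return None
    return "default encryption disabled"


def fix_public_access_block(cfg: dict) -> None:
    cfg["publicAccessBlock"] = {k: True for k in PAB_KEYS}


def fix_default_encryption(cfg: dict) -> None:
    cfg["serverSideEncryption"] = "aws:kms"


# Rule name -> predicate (returns annotation when NON_COMPLIANT) and its idempotent remediation.
RULES: Dict[str, Callable[[dict], Optional[str]]] = {
    "s3-bucket-level-public-access-prohibited": rule_public_access_block,
    "s3-default-encryption-enabled": rule_default_encryption,
}
REMEDIATIONS: Dict[str, Callable[[dict], None]] = {
    "s3-bucket-level-public-access-prohibited": fix_public_access_block,
    "s3-default-encryption-enabled": fix_default_encryption,
}


def evaluate(ci: dict) -> Dict[str, dict]:
    """One put_evaluations-style record per rule for a single configuration item.

    In AWS Config each rule is its own Lambda and returns only its own record;
    they are grouped here so the before/after comparison is visible.
    """
    results = {}
    for name, predicate in RULES.items():
        annotation = predicate(ci["configuration"])
        results[name] = {
            "ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": "NON_COMPLIANT" if annotation else "COMPLIANT",
            "Annotation": annotation or "",
            "OrderingTimestamp": ci["configurationItemCaptureTime"],
        }
    return results


def make_event(ci: dict, result_token: str = "constructed-token") -> dict:
    """Wrap a configuration item the way AWS Config hands it to a custom-rule Lambda."""
    return {"invokingEvent": json.dumps({"configurationItem": ci,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": "{}", "resultToken": result_token}


def on_configuration_change(event: dict, account: Dict[str, dict],
                            audit_log: List[dict]) -> Dict[str, dict]:
    """Drift handler: record the observed item, evaluate, revert each finding, re-evaluate."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    account[ci["resourceId"]] = ci          # observed state replaces what we believed was deployed
    for name, record in evaluate(ci).items():
        if record["ComplianceType"] == "NON_COMPLIANT":
            before = copy.deepcopy(ci["configuration"])
            REMEDIATIONS[name](ci["configuration"])
            audit_log.append({"rule": name, "resource": ci["resourceId"],   # evidence, not screenshots
                              "annotation": record["Annotation"],
                              "before": before, "after": copy.deepcopy(ci["configuration"])})
    return evaluate(ci)


def simulate_drift():
    """Compliant bucket, then someone disables one public-access flag: detect and revert."""
    account = {"audit-logs": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "audit-logs",
        "configurationItemCaptureTime": "2021-01-01T00:00:00Z",       # constructed
        "configuration": {"publicAccessBlock": {k: True for k in PAB_KEYS},
                          "serverSideEncryption": "aws:kms"}}}
    audit_log: List[dict] = []
    drifted = copy.deepcopy(account["audit-logs"])
    drifted["configurationItemCaptureTime"] = "2021-01-02T09:30:00Z"   # constructed
    drifted["configuration"]["publicAccessBlock"]["blockPublicAcls"] = False
    before = evaluate(drifted)
    after = on_configuration_change(make_event(drifted), account, audit_log)
    return before, after, audit_log, account


if __name__ == "__main__":
    before, after, log, _ = simulate_drift()
    for name in RULES:
        print(f"{name}: {before[name]['ComplianceType']} -> {after[name]['ComplianceType']}")
    print(json.dumps(log, indent=2))
```

In a real deployment the evaluation runs in a Lambda that AWS Config invokes on each change, and the revert is a separate remediation action (an SSM Automation document or a remediation Lambda) attached to the rule; this example collapses both into one process so the detect-then-revert sequence and the audit record it leaves can be read end to end.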
Potential cloud compliance solutions to explore
Leading CSPs such as AWS and Azure have built robust compliance offerings worth exploring, as have emerging third-party SaaS vendors such as ByteChek, which combine industry expertise with multi-cloud integrations.
- AWS has developed what are known as Conformance Packs: collections of AWS Config rules and remediation actions that you can deploy as a single entity into AWS accounts, regions, and AWS Organizations. They are YAML templates containing AWS managed and custom rules along with remediation actions. Sample templates include controls for frameworks such as CIS, the DoD's emerging CMMC, FedRAMP, NIST 800-53, HIPAA, AWS's own operational and security best practices, and more.
- AWS also recently launched AWS Audit Manager, which continuously audits AWS usage, collects evidence, and reduces manual effort. It can use pre-built frameworks such as FedRAMP, GDPR, NIST 800-53, CIS Benchmarks, and more, as well as custom frameworks and controls tailored to your organization's needs, and produce audit-ready reports of your compliance.
- Azure Security Center (since renamed Microsoft Defender for Cloud) provides a "Regulatory Compliance Dashboard." It shows your compliance with selected standards and all their associated requirements, mapped to applicable security assessments. Beyond the UI, you can download PDF reports documenting your current posture against frameworks such as SOC, CIS, PCI DSS, NIST 800-53, and more, then resolve non-compliant items to raise your compliance score.
- On the non-CSP side, organizations such as ByteChek provide multi-cloud-oriented solutions. ByteChek has built a platform tailored to both the auditor and the organization being audited, with built-in automated readiness assessments, integrations with AWS and Azure to collect security and compliance information from your environments, and integrations with Slack, JIRA, and other workflow platforms to make coordinating compliance processes easier. It lets you build, manage, and assess your cybersecurity program and complete your SOC 2 audit from a single platform. ByteChek is also building out assessment capabilities for the DoD's Cybersecurity Maturity Model Certification (CMMC), NIST 800-171, NIST CSF, NIST 800-53, HIPAA, and other compliance frameworks.
Compliance in the cloud: A new paradigm
Organizations can take advantage of these innovations to save time, money, and stress, letting them focus more on their core competencies, mission, and customers, all while leveraging cloud computing to do so.
Utilizing some of the technologies, approaches, and capabilities discussed above allows for benefits for developers and system owners, as well as auditors and compliance professionals.
On the system owner side, organizations can automate and expedite much of their architecture deployment and internal assessment activities, giving them improved visibility of their security posture and compliance.
From the auditor and compliance SME perspective, they can avoid much of the manual footwork involved when working with organizations. Rather than asking for screenshots and shoulder surfing, they instead can ask for automated reporting of compliance, leveraging either CSP-native or third-party tools as discussed.
With the increasing frequency of data breaches and cybersecurity incidents, it is likely that we will see MORE compliance frameworks, requirements, and rigor coming to organizations and industries. With that reality in mind, organizations should look for ways to improve their security activities and ease their compliance burden, strengthening their security posture by leveraging these technologies. The solutions discussed above are examples of doing just that, all driven by cloud.
About the Author
Chris has nearly 15 years of IT/Cybersecurity experience. This ranges from active duty time with the U.S. Air Force, a Civil Servant with the U.S. Navy and General Services Administration (GSA) as well as time as a consultant in the private sector.
In addition, he is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. Chris also participates in industry working groups such as the Cloud Security Alliance's Incident Response Working Group.
Chris holds various industry certifications such as the CISSP/CCSP from ISC2 as well as over 8 certifications from leading Cloud Service Providers such as AWS. He regularly consults with IT and Cybersecurity leaders from various industries to assist their organizations with their Cloud migration journeys while keeping Security a core component of that transformation.
Chris currently works at Oteemo, where he serves as a Cloud Security SME for the U.S. Air Force Platform One initiative, as well as consulting with other Public and Private sector organizations on Cloud-native security best-practices, along with the rest of his Oteemo team who specialize in cloud and digital transformation acceleration.