Developing a Security-First Model for Cloud Compliance
August 21, 2019
Compliance looks for proof that organizations do what they say they do. Security requirements come in many forms beginning with your organization’s own information security policy. Your security policy should align with your organization’s business objectives and reflect your specific infrastructure and services. Compliance with internal security policy can be assessed through internal security reviews and any discovered exceptions should be appropriately managed.
Beyond the security requirements defined by your internal security policy your organization may be subject to external security requirements as well. Most of these security requirements come in the form of third-party audits and assessments. Some of these assessments may be elective, for example the International Standards Organization (ISO) 27001, the Service Organization Control (SOC) 1 and SOC 2, and the Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) program.
There are many other sources of security requirements as well, and every organization must determine which programs apply depending on their services provided and jurisdiction. Ensuring compliance with multiple sources of security requirements can be challenging, but in many cases the requirements overlap which means a single control can meet the security requirements of multiple standards. You may find that the specificity of the requirement or how each standard or law organizes requirements might vary, but often the overall intent is similar.
Security and compliance managers in enterprises of all sizes across all industries have discovered that by taking a security-first approach in the cloud, they can achieve a state of continuous compliance, thereby lowering costs, minimizing risk and reducing complexity.
Cloud environments can change very quickly, which means they are usually in constant flux, moving in and out of compliance. The security-first model focuses on continuous monitoring and management of cloud security risks and threats, leveraging modern tools and automation techniques to ensure that, at all times, the organization is:
- Monitoring security threats through real-time discovery.
- Understanding these threats through deep insights.
- Acting on threats through automated policies, processes and controls.
- Measuring security and compliance results through robust reporting capabilities.
By using a platform that allows the continuous monitoring and management of security in the cloud against policy, IT and security teams will have greater assurance that the organization will be compliant within the required frameworks. Benefits of this model are:
- Compiling a complete, unified view across all cloud accounts.
- Generating compliance reports without the need for specialized knowledge.
- Identifying, prioritizing and remediating compliance risks as they arise.
- Monitoring compliance throughout the entire development lifecycle.
- Avoiding events that disrupt DevOps teams with last-minute fire drills to meet compliance requirements.
- Demonstrating to auditors that the organization is managing security 24/7/365—not just in the last few weeks before the audit.
In order to successfully meet your security requirements and compliance obligations, you must define and implement appropriate technical and administrative controls that map to and meet these requirements. For each control, identify the owner and performer, define how the control should operate and what makes it effective and, lastly, what evidence is needed to show that it is operating effectively. Evidence can be derived through anomaly detection that identifies and alerts on behavioral discrepancies within an environment. That type of approach is woven into the compliance methodology, and teams can demonstrate the effectiveness of the remediation through rapid and continuous updates that prevent non-compliance. Using the right approach and solution to automate repeatable, quantitative assessments is helpful to show trends and, ideally, improve control effectiveness over time.
Automation also helps those in the organization who are responsible for compliance and DevOps. Compliance can respond faster to third-party security audits, thus making security a competitive differentiator. Development teams don’t get bogged down once a year to stop projects for audits.
Managing compliance in the cloud is a lot different than managing it on- premises. In the cloud, there are points at which IT loses visibility and control. In addition, the environment is constantly in flux, with a wide range of individuals capable of making changes at any time. It can be exceedingly complex, and even the most expert teams can have problems if they don’t have the right solution in place.
Fortunately, there are modern security platforms that have been designed specifically to meet the challenges of public cloud environments. With a modern approach, organizations can take advantage of a security-first model that enables continuous visibility through automation. This will not only strengthen security; it will provide compliance and DevOps teams with the tools and processes they need to successfully meet the requirements of the cloud era.
Photo by Dan Gold on Unsplash