Compliance in the Cloud: Only an Always-on, Automated Approach Will Do

Complex IT environments require timely visibility into risk and compliance, and that only happens with continuous monitoring and automation.


The discipline of compliance may look like an ideal job for checklist obsessives, but those responsible for maintaining your organization's compliance, especially for cloud computing, have to think beyond adhering to lists. Compliance experts have to develop, manage, and adapt wide-ranging plans, and coordinate teams across different roles, to ensure compliance in its many forms.

Yet, as compliance becomes more critical – with the onslaught of cyber threats – it is increasingly recognized that compliance requires an always-on, automated approach. Let’s face it: compliance never stops. And as needs grow and escalate, only an automated, continuous approach will allow you to achieve your goals.

The risk surface deepens

A variety of high-profile data breaches over the past few years have highlighted the complexity involved with securing modern IT environments. At issue: the broad footprint the cloud brings to bear (which also happens to be one of its greatest assets). Today's digital enterprises use a variety of platforms and connect and integrate applications and data through APIs so that data can move freely. Among other advantages, this lets you leverage the cloud as a driver of marketable differentiation.

In this type of environment, enterprises are scrambling not only to remain secure, but to be compliant with industry, government, and other regulatory mandates. The problem: all that data is moving around and touching many, many other assets. It's all but impossible to maintain a real-time understanding of compliance and risk, which matters both as a preventive measure and as a way to prove your viability as a vendor or partner to stakeholders.

Where there is cloud, there must be compliance

The rapid rise of the cloud as a computing platform has generated an increased focus on compliance, and on how oversight can be aligned with the things that make the cloud so advantageous. We all love and appreciate the economics, flexibility, and scalability of the cloud, but there are lingering questions about how to apply a compliance model to it. Leveraging the cloud as part of critical business infrastructure is no longer the exception to the rule. Still, many security practitioners are trying to fully grasp the unique differences and requirements for compliance there.

One of the biggest issues is size. Compliance frameworks themselves cover a vast array of elements; the NIST SP 800-53 control catalog alone weighs in at more than 2,000 spreadsheet cells, and the NIST Cybersecurity Framework's roughly one hundred subcategories fan out to hundreds of informative references in other standards. Every applicable requirement must be met continuously, not just at audit time. Then, of course, there is the job of laying these compliance elements over environments that grow at an unwieldy pace. Every new integration and API connection creates new sets of data, more actors, and an increase in traffic into and out of your network.

All of this has to be monitored and managed. Once any part of it falls out of compliance, you have an audit finding and, in many cases, a real exposure an attacker can use. Additionally, the number of compliance checks is the product of controls, accounts, and services you're running, and that multiplicative growth can become overwhelming really fast.

Clarity is another problem that can be dealt with through continuous and automated compliance. IT and cloud security teams grapple with the ambiguity of what to monitor, when to monitor it, how to identify evidence of compliance, overall reporting requirements, and so on. There is a clear need for automation in dynamic, cloud-centric environments. Without continuous automation and assessment, you lack timely visibility into infrastructure configuration and workload risk and will have a hard time proving any form of compliance in the cloud.

Compliance demands continuous monitoring and automation

Continuous monitoring provides a flexible framework for covering multiple layers and types of technologies. NIST SP 800-37, the Risk Management Framework, makes monitoring an explicit, ongoing step of the system lifecycle rather than a one-time authorization task; with a continuous compliance platform you can apply that step in different ways to different technology, all in an effort to monitor various aspects of the same system. This is not just an advantage anymore; it's an imperative. A continuous approach is really the only way to cover all layers of your cloud stack and the different reaches of your cloud footprint.

At the most basic level, continuous monitoring is the process of proactively identifying and measuring risks posed to critical systems and data on an ongoing basis rather than through periodic assessment. In the context of the cloud, continuous monitoring is perhaps best defined as frequent testing to determine whether the configuration of deployed services and security controls continues to be effective over time, with a focus on identifying changes that increase risk. In a continuous monitoring framework, security practitioners must repeatedly test their cloud deployments to determine whether change has created new or additional risk.
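The following Python script is an added example of the idea just described; it is not code from the original article or from any vendor's product. It evaluates two constructed configuration snapshots (a baseline and a later one) against a handful of rules, then reports which findings are new, which were resolved, and which resources were added or changed between the two runs. The resource schema, the rule set, and the mapping of each rule to an NIST SP 800-53 control ID are illustrative assumptions; a real platform would pull snapshots from the cloud provider's API and carry a much larger rule catalog.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Each snapshot maps a resource id to its configuration attributes.
# Both snapshots are constructed sample data for this example, not
# output from any real cloud account or API.
BASELINE: Dict[str, dict] = {
    "sg-web": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "bucket-logs": {"type": "storage_bucket", "public": False, "encrypted": True},
    "db-main": {"type": "database", "public": False, "encrypted": True},
}

# A later snapshot of the same environment, with drift introduced:
# SSH opened to the world, a bucket made public, and a new unencrypted bucket.
LATER: Dict[str, dict] = {
    "sg-web": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                           {"port": 22, "cidr": "0.0.0.0/0"}]},
    "bucket-logs": {"type": "storage_bucket", "public": True, "encrypted": True},
    "db-main": {"type": "database", "public": False, "encrypted": True},
    "bucket-new": {"type": "storage_bucket", "public": False, "encrypted": False},
}


@dataclass(frozen=True)  # frozen -> hashable, so findings can be diffed as sets
class Finding:
    resource_id: str
    control: str   # illustrative NIST SP 800-53 control id (assumed mapping)
    detail: str


def admin_ports_open_to_internet(res: dict) -> Optional[str]:
    """Flag SSH/RDP reachable from any source address."""
    bad = [r["port"] for r in res.get("ingress", [])
           if r["cidr"] == "0.0.0.0/0" and r["port"] in (22, 3389)]
    return f"ports {bad} open to 0.0.0.0/0" if bad else None


def public_storage(res: dict) -> Optional[str]:
    return "publicly readable" if res.get("public") else None


def unencrypted_at_rest(res: dict) -> Optional[str]:
    return None if res.get("encrypted", False) else "not encrypted at rest"


# (control id, resource types the rule applies to, predicate returning a
# failure detail or None). The control ids are an illustrative mapping only.
RULES: List[Tuple[str, Tuple[str, ...], Callable[[dict], Optional[str]]]] = [
    ("SC-7", ("security_group",), admin_ports_open_to_internet),
    ("AC-3", ("storage_bucket",), public_storage),
    ("SC-28", ("storage_bucket", "database"), unencrypted_at_rest),
]


def evaluate(snapshot: Dict[str, dict]) -> List[Finding]:
    """Run every applicable rule over every resource; return failures."""
    findings: List[Finding] = []
    for rid, res in sorted(snapshot.items()):
        for control, types, check in RULES:
            if res["type"] in types:
                detail = check(res)
                if detail:
                    findings.append(Finding(rid, control, detail))
    return findings


def drift(previous: Dict[str, dict], current: Dict[str, dict]) -> dict:
    """Compare two evaluations and the raw inventories between runs."""
    before, after = set(evaluate(previous)), set(evaluate(current))
    key = lambda f: (f.resource_id, f.control)
    return {
        "new_findings": sorted(after - before, key=key),
        "resolved_findings": sorted(before - after, key=key),
        "added_resources": sorted(set(current) - set(previous)),
        "removed_resources": sorted(set(previous) - set(current)),
        "changed_resources": sorted(r for r in set(previous) & set(current)
                                    if previous[r] != current[r]),
    }


if __name__ == "__main__":
    for f in evaluate(LATER):
        print(f"{f.resource_id}: {f.control} failed ({f.detail})")
    report = drift(BASELINE, LATER)
    print(f"{len(report['new_findings'])} new finding(s), "
          f"{len(report['resolved_findings'])} resolved; "
          f"added={report['added_resources']} changed={report['changed_resources']}")
```

Run on a schedule (or on every change event), the `drift` report is the part that matters for continuous monitoring: a clean baseline followed by three new findings, one new resource, and two changed resources tells you exactly which changes raised risk since the last run, which a point-in-time audit cannot.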

The bottom line: without continuous automation and assessment, organizations lack timely visibility into infrastructure configuration and workload risk, and will have a hard time proving any form of compliance in the cloud.


Copyright © 2017 IDG Communications, Inc.