Achieving compliance on cloud requires perspective change

Strategizing and implementing cloud compliance with a traditional enterprise mindset is detrimental.

4 compliance
Thinkstock

As organizations continually move their workloads on cloud platforms, they need to ensure their data, workloads and processes meet compliance requirements. Traditional mindset to achieve compliance on cloud is the biggest hurdle organizations face and to overcome the same requires a perspective change.

Understanding the challenges is paramount.

Challenge #1 – Delineating responsibility in ‘shared responsibility model’ across cloud service models (IaaS, PaaS and SaaS)

Despite significant efforts from cloud providers in creating awareness of 'shared responsibility model', providing security controls and trainings, organizations still struggle to understand the same and make mistakes in delineating the responsibilities. Organizations end up with critical security gaps on their cloud assets assuming it’s the Cloud service provider’s responsibility leading to potential breaches.

Challenge #2 – Responsibility shift and varied realization of compliance mappings for different cloud service models (IaaS, PaaS, SaaS)

Compliance requirements/objectives remains the same across cloud computing layers. However, the accountability to achieve a specific requirement on a SaaS vs an IaaS platform may be completely different with one requiring the Cloud Provider to implement the same whereas other requiring the customer. For example, data at rest encryption requirement to meet compliance objectives on a SaaS platform as compared to an IaaS service has different responsibility models and implementation sets.

Challenge #3 – Enterprise focused ‘risk signatures’ and ‘compliance mappings’ do not translate/fit into cloud specifications

Organizations try to retrofit their existing enterprise security controls for assessing and meeting their compliance needs on Cloud to save on costs and time.  This leads to erroneous results and will cost more in terms of time and effort to fix the failed compliance objectives and security misconfigurations.

For example, PCI compliance mandates assigning a unique ID to each person with computer access which is a straight forward use case in a traditional enterprise. However, this specific requirement translates into several key use cases in the content of an IaaS service. A person can access IaaS resources via its management portal, APIs, Command Line or even from an end workloads via native IAM Roles.  

Challenge #4 – Security and compliance checks done at the very end in the software production lifecycle  

Traditionally security and compliance policies are documented in large and difficult to comprehend paper documents. Post software production, security officers/personnel validate the software to ensure they meet the documented policies which often fall short due to time constraints on delivery, go to market pressure and incorrect understanding of software. Security and Development team’s relationship get affected in the due process which attributes to creation of non-resilient and insecure software most of the times.

Challenge #5 – High velocity of drift management

Cloud ecosystem is ephemeral in nature leading to an extremely fast environment and making it extremely difficult to manage and track the drift. Enforcing security controls to maintain the compliance standards in a rapid changing environment is complex, requires discipline, redesign of legacy applications and can be a costly affair if not done correctly.  Always remember, meeting cloud compliance requirements is difficult, staying compliant is more.

Following are the salient ways to enable organizational changes which are instrumental in bringing a change in perspective, change in culture and eventually leading to achieving and staying compliant in a Cloud ecosystem.

Understanding of shared responsibility model across cloud service models is paramount to understand ‘responsibility shift’

Cloud providers have invested a lot in creating awareness and knowledge base articulating the responsibilities. Cloud adoption strategy should include investment in learning and training the teams about responsibility shift.

Microsoft’s shared responsibility guide and AWS Shared responsibility guide are great starting points to learn. Delineating and defining responsibilities for IaaS, PaaS and SaaS service models as early as possible is the mantra to success. Moving to Cloud does not mean organizations are off the hook to secure their workloads or data on cloud.

Shifting security and compliance checks to left

The rise in devOps adoption have significantly impacted the ways in which organizations are producing software. With this change in methodology, security and compliance controls need to shift left and not be implemented closer to production. Conversion of paper based security and compliance policies to code templates is the fundamental change, organizations should be willing to adopt.

Starting early and converting security as code is the answer to achieve compliance at cloud scale.

Automation is key to managing drift and staying compliant

Managing drift in cloud is difficult due to its ephemeral and high velocity nature.  Automation and real time enforcement of compliance policies is the mantra to stay compliant.

Automation allows organizations to enforce security policies and security controls homogenously in an ever-changing cloud ecosystem. This could further be augmented with real time enforcement of compliance policies, which is an absolute necessity to stay compliant.  In-house automation as well as products like Chef, Puppet, etc., can be used to automate and manage drift and meet compliance objectives. [Disclosure – Saviynt, my employer, is a partner of Chef Software.]

Third-party products for compliance framework mappings help in reducing complexity and expedite the process

Organizations in the regulated industries are spending significant time in defining security and compliance controls to meet the stringent and complex compliance mandates. Investments in external consultation or third party products not only expedites the process but also ensure the correctness of the mappings. Allgress RPM is a great tool with comprehensive compliance mappings in the IaaS space, which could help organizations to find the security products which would fit or meet their compliance needs. [Disclosure – Saviynt, my employer, is a partner of Allgress.]

Organizational change in culture and mindset are fundamental shift which needs to occur at the grassroots level to ensure a successful, secure and compliant cloud adoption.

This article is published as part of the IDG Contributor Network. Want to Join?

New! Download the State of Cybercrime 2017 report