For anyone who has worked in or around compliance for some time, you know the story. It is painful, inefficient, and largely a paperwork exercise without providing a real level of assurance around risk or security.
However, cloud computing is increasingly changing outdated compliance practices. In this article, we discuss some of the ways that is happening.
Shared Responsibility Model & Security Control Inheritance
One of the primary security and compliance benefits of the use of cloud computing is with the Shared Responsibility Model and security control inheritance. Depending on the cloud service model being consumed (IaaS, PaaS, or SaaS), the cloud consumer is able to inherit specific security controls, either fully or partially, from the cloud service provider. That said, it is absolutely critical that cloud consumers understand where the CSP’s responsibilities end and theirs begin, and even more importantly, that they can’t outsource accountability.
Near Real-Time Compliance Monitoring
In the days of legacy on-premise workloads and technologies, compliance often consisted of a snapshot-in-time assessment of compliance posture through a manual exercise. Adding to that deficiency, it often involves a sampling methodology due to simply being unable to manually assess the entire target environment and its associated systems. I personally have 4 kids, and this methodology reminds me of coming to check their room, only right after they clean it, and only checking if they made their bed but not looking underneath or in the closet.
That’s similar to how snapshot-in-time compliance and sampling works. Things may look “okay” in the brief moment of time they are assessed but quickly resort back to a state of chaos after the assessment. And you only see what you sampled, with unknown levels of risk likely existing outside of your sample set.
The cloud changes this through API-driven platforms and native CSP services. AWS, for example, has services such as Security Hub and Audit Manager, which perform on-demand/scheduled compliance assessments of your entire cloud footprint with things such as CIS Benchmarks, AWS-specific best practices, and leading compliance frameworks such as HIPAA, NIST, and more. Azure does something very similar with its native service Azure Security Center. It can provide automated compliance assessments of your Azure workloads, show your compliance posture and security deficiencies, and tell you what you need to address to improve your security and compliance scores. These native services are doing this in near real-time through APIs and CSP native service integrations.
Cloud-native environments are increasingly moving towards the use of Infrastructure-as-Code and subsequently Policy-as-Code (IaC/PaC) implementations. This allows the on-demand instantiation of infrastructure and service configurations with the mere execution of commands or clicks within the CSP console.
These IaC templates can have activities such as scanning performed on them, like traditional code, to look not just for syntax issues but also security and misconfiguration concerns. You can align these IaC templates with your security and compliance requirements, and you can integrate PaC tooling into CICD pipelines to ensure the IaC templates are aligning with your industry and organizational compliance requirements. These pre-hardened IaC templates can be provided across your organization to ensure your teams have libraries of common infrastructure and architecture use cases to pull from, while baking in your security and compliance requirements.
Building on the concepts of IaC/PaC, organizations are increasingly adopting DevOps practices for the use of IaC. This means shifting away from manual configuration changes in the CSP consoles and instead defining the desired environments in code, pushing them through pipelines with various tools, including for security and tracking the IaC and desired state through Git. These practices help eliminate manual toil, facilitate version control, and mitigate the dangers of configuration drift, which put your environments at risk of drifting from secure and compliant states.
A New Era of Security
It’s an often-touted trope that compliance doesn’t equal security. This is true of course—you can be compliant and experience a security incident or data breach.
That said, the need to pursue and maintain a level of compliance is a reality for business and security leaders in any regulated industry. Compliance frameworks also serve as a fundamental starting point for organizations who aren’t sure where to begin with a baseline level of security and configuration hygiene.
Utilizing CSP native tooling, IaC, and GitOps practices help facilitate this paradigm shift by moving away from manual, incomplete, and inefficient practices and ushering in a new era of security and compliance for cloud-native workloads.