The cloud has exploded. The Software-as-a-Service (SaaS) market has grown to the point where an organization, or a major program within one, can start out built entirely on top of cloud services. This is what the term “cloud native” usually implies: all cloud, from the beginning. The potential benefits to compliance and governance efforts in these environments are real and worth deep investigation by organizations leveraging the cloud.
The chief reason this benefit exists, I believe, is not that a provider is magically handling the compliance work for you, but that more of the technology stack is accessible programmatically: the evidence an auditor asks for can be queried from an API rather than collected by hand. This article explores the three areas of cloud compliance that I am most excited about.
Access Control and Permissions
Permission sprawl is a real problem in organizations, and adding multiple cloud services that are quickly provisioned and put to use makes it worse fast. The major infrastructure providers (AWS, Azure, and GCP) all expose their IAM resources programmatically, so it is possible to determine exactly who (or what) has access to what. They also expose usage telemetry (AWS publishes service last-accessed data for IAM entities, and GCP’s IAM Recommender proposes role reductions from observed use), which has led to some exciting solutions that combine time-series monitoring with IAM: what’s actually being used, and when.
These solutions let security teams trim the permissions assigned to humans and systems down to what is observed in use. The caveat is that observed usage is only as good as the observation window: a permission exercised once a year in a disaster-recovery drill, or held for break-glass access, looks unused in a 90-day window, so removals should be staged, reversible, and reviewed against known periodic activity. With that in place, this is a big step forward toward firm, data-driven attestations about least privilege in a compliance setting.
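The core of such a solution is a diff between what a principal is allowed to do and what telemetry shows it actually did. The Python below is an added example, not code from the article or from any vendor’s product. It runs over a constructed IAM policy and constructed CloudTrail-style events; the mapping from `eventSource`/`eventName` to an IAM action and the partial `SERVICE_PREFIX` table are simplifying assumptions of the example, and in a real deployment the inputs would come from the IAM API and from CloudTrail or service last-accessed data. It also demonstrates the window caveat above: with a 90-day window `kms:Decrypt` is reported as stale, with a 365-day window it is kept.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from a real account): an IAM policy attached to
# a role, and CloudTrail-style events recorded for that role.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"},
        {"Effect": "Allow", "Resource": "*", "Action": "kms:Decrypt"},
    ],
}
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "eventTime": "2024-05-01T10:00:00Z"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "eventTime": "2024-05-20T10:00:00Z"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "eventTime": "2024-05-02T10:00:00Z"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "eventTime": "2024-05-03T10:00:00Z"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "eventTime": "2023-11-01T10:00:00Z"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# CloudTrail eventSource -> IAM service prefix. Most map 1:1 from the hostname;
# exceptions such as monitoring.amazonaws.com -> cloudwatch need an entry here.
# This table is deliberately partial (an assumption of the example).
SERVICE_PREFIX = {"monitoring.amazonaws.com": "cloudwatch"}


def iam_action(event):
    """Map a CloudTrail event to the IAM action it exercised, e.g. s3:GetObject."""
    src = event["eventSource"]
    return f"{SERVICE_PREFIX.get(src, src.split('.')[0])}:{event['eventName']}"


def allowed_action_patterns(policy):
    """Action patterns granted by Allow statements. Deny and NotAction
    statements are not modelled; a real tool must evaluate them too."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def last_seen_by_action(events):
    """Most recent timestamp per concrete action observed in the events."""
    seen = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        action = iam_action(ev)
        if action not in seen or ts > seen[action]:
            seen[action] = ts
    return seen


def least_privilege_report(policy, events, now, window_days):
    """Classify each granted pattern as kept (used inside the window, narrowed to
    the concrete actions seen), stale (only used before the window) or unused."""
    cutoff = now - timedelta(days=window_days)
    seen = last_seen_by_action(events)
    report = {"keep": {}, "stale": {}, "unused": []}
    for pattern in allowed_action_patterns(policy):
        # IAM action matching is case-insensitive; '*' and '?' are its wildcards.
        matched = {a: t for a, t in seen.items()
                   if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
        recent = sorted(a for a, t in matched.items() if t >= cutoff)
        if recent:
            report["keep"][pattern] = recent
        elif matched:
            report["stale"][pattern] = max(matched.values()).isoformat()
        else:
            report["unused"].append(pattern)
    return report


def narrowed_policy(report):
    """Replacement policy containing only the concrete actions seen in use.
    Resource scoping is a separate narrowing step and is left at '*' here."""
    actions = sorted({a for used in report["keep"].values() for a in used})
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


if __name__ == "__main__":
    report = least_privilege_report(POLICY, EVENTS, NOW, window_days=90)
    print("unused:", report["unused"])    # ['s3:DeleteBucket']
    print("stale :", report["stale"])     # kms:Decrypt, last used outside the window
    print("narrowed:", narrowed_policy(report)["Statement"][0]["Action"])
```

Treat the `stale` bucket as a review queue rather than a deletion list; that is where periodic and break-glass permissions land, and where a human decision (or a longer window) is needed before a change is pushed.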
Configuration Reviews
Almost every piece of software running in an environment has to be configured before it is secure. Cloud environments encourage programmatic resource provisioning over clicking around in a UI, but even when infrastructure is declared as code the declared state and the live state drift apart, through console changes or resources created outside the pipeline. Being able to query the configuration state of a cloud resource at any moment is therefore foundational to compliance in the cloud. This continues to mature in the Infrastructure-as-a-Service (IaaS) space with native tooling such as AWS Audit Manager and AWS Security Hub.
I am increasingly excited by the emergence of solutions that run configuration reviews against Platform- and Software-as-a-Service (PaaS and SaaS) products. As these products handle a growing share of an organization’s workload, especially in a cloud native organization, continuous monitoring of their settings is a powerful capability.
Configuration reviews that map findings to a compliance framework and its individual controls are not only a substantial security benefit; they also streamline audit preparation and execution, because the evidence for a control is produced by the check itself.
Policy Guardrails
One of the biggest problems with policy, especially in fast-moving environments, is that it gets written and then never looked at again, until it comes time to do an annual review as part of a compliance exercise.
Policy is important, though. It is the foundation upon which everything else should be built. When a solution lets policy be codified and built into the way a cloud environment can (or cannot) be used, it comes alive in a powerful way. Deploying a resource that will store data? It needs to be encrypted. Deploying a server that needs SSH access? It cannot be reachable from the public internet, only through a VPN or a bastion.
Policy guardrails express policy in a form that can be enforced in real time, before a deviation can occur: the check runs against the declared change (a Terraform plan, a CloudFormation template, a Kubernetes manifest) and blocks the deployment if it fails, rather than discovering the problem in the next configuration review. The challenge then becomes pushing the boundary on how much of a policy or compliance framework can be codified into a guardrail.
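A guardrail in the sense of this section and a configuration review in the sense of the previous one can share the same rule code; what differs is the input. The Python below is an added example, not from the article and not tied to any product. It evaluates the two rules stated above (data at rest is encrypted; port 22 is not open to the world) over a constructed document in the shape of `terraform show -json` output (`resource_changes[].change.after`). The attribute names (`encrypted`, `storage_encrypted`, `ingress[].cidr_blocks`) follow the AWS Terraform provider as assumed in this example and should be checked against your provider version; `ALLOWED_SSH_SOURCES` is a hypothetical VPN/bastion range. Run in CI against a plan, this is a guardrail; run against exported live configuration converted to the same shape, it is a configuration review.

```python
import ipaddress

# Constructed plan (not real infrastructure) in the shape of `terraform show -json`.
PLAN = {
    "resource_changes": [
        {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume",
         "change": {"actions": ["create"], "after": {"size": 100, "encrypted": False}}},
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after": {"storage_encrypted": True}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"protocol": "tcp", "from_port": 443, "to_port": 443,
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
             {"protocol": "tcp", "from_port": 22, "to_port": 22,
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
        {"address": "aws_security_group.bastion_only", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"protocol": "tcp", "from_port": 22, "to_port": 22,
              "cidr_blocks": ["10.20.0.0/16"], "ipv6_cidr_blocks": []}]}}},
        {"address": "aws_security_group.legacy", "type": "aws_security_group",
         "change": {"actions": ["update"], "after": {"ingress": [
             {"protocol": "-1", "from_port": 0, "to_port": 0,
              "cidr_blocks": [], "ipv6_cidr_blocks": ["::/0"]}]}}},
        {"address": "aws_ebs_volume.old", "type": "aws_ebs_volume",
         "change": {"actions": ["delete"], "after": None}},
    ]
}

# Hypothetical networks from which SSH is acceptable (VPN and bastion subnets).
ALLOWED_SSH_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# Storage resource types and the attribute that proves encryption at rest
# (AWS provider attribute names as assumed for this example).
ENCRYPTION_ATTR = {"aws_ebs_volume": "encrypted", "aws_db_instance": "storage_encrypted"}


def covers_port(rule, port):
    """True if the ingress rule admits traffic to `port`; protocol -1 means all."""
    if rule.get("protocol") == "-1":
        return True
    return rule["from_port"] <= port <= rule["to_port"]


def source_allowed(cidr, allowed):
    """True only if the source CIDR lies entirely inside an allowed network."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def check_encryption(address, rtype, after):
    attr = ENCRYPTION_ATTR.get(rtype)
    if attr and not after.get(attr):
        return [{"rule": "storage-encrypted", "address": address,
                 "detail": f"{attr} is not true"}]
    return []


def check_ssh_exposure(address, rtype, after, allowed=ALLOWED_SSH_SOURCES):
    if rtype != "aws_security_group":
        return []
    findings = []
    for rule in after.get("ingress", []):
        if not covers_port(rule, 22):
            continue
        for cidr in rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", []):
            if not source_allowed(cidr, allowed):
                findings.append({"rule": "no-public-ssh", "address": address,
                                 "detail": f"port 22 open to {cidr}"})
    return findings


def evaluate_plan(plan):
    """Run every rule over every resource that will exist after the change."""
    violations = []
    for rc in plan["resource_changes"]:
        after = rc["change"].get("after")
        if after is None:  # resource is being destroyed; nothing to enforce
            continue
        violations += check_encryption(rc["address"], rc["type"], after)
        violations += check_ssh_exposure(rc["address"], rc["type"], after)
    return violations


if __name__ == "__main__":
    violations = evaluate_plan(PLAN)
    for v in violations:
        print(f"DENY {v['rule']:18} {v['address']}: {v['detail']}")
    raise SystemExit(1 if violations else 0)  # non-zero exit blocks the pipeline
```

Two design points matter for a guardrail of this kind. A destroyed resource has no `after` state and is skipped rather than failing the check, and the SSH rule asks whether the source is inside an allowed network rather than whether it equals `0.0.0.0/0`, so a rule opened to an unrelated public range, or to all of IPv6, is caught as well.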
Concluding Thoughts
When you look at the various controls outlined in a given compliance framework (monitoring, IAM, disaster recovery, authentication, and so on) you will find many opportunities to streamline. Not every control can be expressed as an automated or verifiable test, but many can. Not every control needs to be verified in the same way, either: some are effectively expressed as a guardrail that blocks a change before it lands, while others are better suited to continuous configuration assessment of what is already running.
This is where creativity comes into play, in exploring the best way to leverage the technology capabilities available to us. It is also where the quest for easier compliance in the cloud can deliver significant improvements to your overall security posture.