Partner Perspectives
6/27/2017 11:00 AM
Tim Prendergast

Compliance in the Cloud Needs To Be Continuous & Automated

Complex IT environments require timely visibility into risk and compliance.

The discipline of compliance may look like an ideal job for checklist fetishists, but those responsible for maintaining an organization's compliance, especially for cloud computing, have to think beyond adhering to lists.

Beyond being comfortable in the role of an adherent, compliance experts have to develop, manage, and adapt wide-ranging plans, and manage teams of different roles, to ensure compliance in its many forms. Yet, as compliance becomes more critical because of increased cyber threats, there is a growing recognition that compliance requires an always-on, automated approach. Indeed, compliance never stops, and as needs increase, only an automated, continuous approach will help enterprises achieve their goals.

A variety of high-profile data breaches over the past few years have highlighted the complexity involved in securing modern IT environments. At issue is the broad footprint the cloud offers, which is also among its greatest assets. Organizations use a variety of platforms and connect and integrate applications and data through APIs so that data can move freely. Among other advantages, this enables enterprises to leverage the cloud as a driver of marketable differentiation.

In this type of environment, enterprises are scrambling not only to remain secure, but to be compliant with industry, government, and other regulatory mandates. The problem is that all that data is moving around and touching many other assets. Consequently, it’s all but impossible to maintain a real-time understanding of compliance and risk.

Image Source: Evident.io

The rapid rise of the cloud as a computing platform has generated an increased focus on compliance, and how it can be aligned with the things that make the cloud so advantageous. Organizations love and appreciate the economics, flexibility, and scalability of the cloud, but there are lingering questions about how to apply a compliance model to it. While organizations leveraging the cloud as part of their critical business infrastructure are no longer the exception to the rule, many security practitioners today are still trying to fully grasp the unique differences and requirements for compliance.

One of the biggest issues is size. Compliance frameworks themselves cover a vast array of elements; the NIST 800-53 spec alone weighs in at more than 2,000 spreadsheet cells, while the NIST Cybersecurity Framework has almost 400 specific requirements in it, all of which must be met at all times.

Then there is the job of laying these compliance elements over environments that grow at an unwieldy pace. Every new integration and API connection creates new sets of data, more actors, and an increase in traffic into and out of an organization's network. All of this has to be monitored and managed. Once any part of it is out of compliance, the organization is vulnerable to attack. Additionally, compliance checks are multiplied by the number of accounts and services an enterprise is running. The exponential growth can get unwieldy really fast.

Clarity is another problem that can be dealt with through continuous and automated compliance. IT and cloud security teams grapple with the ambiguity of what to monitor, when to monitor it, how to identify evidence of compliance, overall reporting requirements, and so on. What is clear is the need for automation in dynamic, cloud-centric environments. Without continuous automation and assessment, organizations lack timely visibility into infrastructure configuration and workload risk, and will have a hard time proving any form of compliance in the cloud.

Continuous monitoring provides a flexible framework for covering multiple layers and types of technologies. For example, with a continuous compliance platform you are able to cover the 11 different security domains defined in NIST SP 800-37, and in so doing, apply compliance in different ways to different technology, all in an effort to monitor various aspects of the same system. This is not just an advantage anymore; it's an imperative because a continuous approach is really the only way to cover all layers of your cloud stack and the different reaches of your cloud footprint.

At the most basic level, continuous monitoring entails the process of proactively identifying and measuring risks posed to critical systems and data on an ongoing basis rather than through periodic assessment. In the context of the cloud, continuous monitoring is perhaps best defined as frequent testing to determine if the configuration of deployed services and security controls continues to be effective over time—with a focus on identifying changes that increase risk. In a continuous monitoring framework, security practitioners must repeatedly test their cloud deployments to determine if change has created new or additional risk.
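The two ideas above, that the number of checks is multiplied by accounts and services, and that continuous monitoring means repeatedly re-testing deployed configuration with a focus on changes that increase risk, can be made concrete with a small evaluator. The following is an added example written for this page; it is not code from the article, from Evident.io, or from any NIST publication. The control names, resource shapes and the two configuration snapshots are constructed for illustration, and the snapshots stand in for whatever inventory a real platform would pull from a cloud provider's APIs.

```python
"""Added example: a minimal continuous compliance evaluator.

Each run applies every control to every resource in every account, then
compares the result with the previous run so that only changes that
increased risk (new findings) and changes that reduced it (resolved
findings) are reported. Control IDs are hypothetical, not NIST identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Finding:
    """One failed control on one resource in one account."""
    account: str
    resource: str
    control: str


# control id -> (resource type it applies to, predicate that is True when compliant)
CONTROLS: dict[str, tuple[str, Callable[[dict], bool]]] = {
    "STORAGE-NO-PUBLIC-ACCESS": ("bucket", lambda r: not r.get("public", False)),
    "STORAGE-ENCRYPTED": ("bucket", lambda r: r.get("encrypted", False)),
    # admin ports (SSH/RDP) must not be reachable from the whole internet
    "NET-NO-WORLD-OPEN-ADMIN": ("security_group", lambda r: not any(
        rule["port"] in (22, 3389) and rule["cidr"] == "0.0.0.0/0"
        for rule in r.get("ingress", []))),
    "IAM-MFA-ENABLED": ("user", lambda r: r.get("mfa", False)),
}


def checks_performed(snapshot: dict[str, list[dict]]) -> int:
    """Number of control evaluations one run performs: this is the
    accounts x resources x applicable-controls product the article describes."""
    return sum(
        sum(1 for kind, _ in CONTROLS.values() if kind == res["type"])
        for resources in snapshot.values()
        for res in resources
    )


def evaluate(snapshot: dict[str, list[dict]]) -> set[Finding]:
    """Apply every applicable control to every resource in every account."""
    findings: set[Finding] = set()
    for account, resources in snapshot.items():
        for res in resources:
            for control, (kind, is_compliant) in CONTROLS.items():
                if res["type"] == kind and not is_compliant(res):
                    findings.add(Finding(account, res["id"], control))
    return findings


def drift(previous: set[Finding], current: set[Finding]) -> tuple[set[Finding], set[Finding]]:
    """Return (new_findings, resolved_findings) between two consecutive runs."""
    return current - previous, previous - current


# Constructed snapshots: the state at time T0 and after some changes at T1.
SNAPSHOT_T0 = {
    "prod": [
        {"type": "bucket", "id": "logs", "public": False, "encrypted": True},
        {"type": "security_group", "id": "sg-web",
         "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"type": "user", "id": "alice", "mfa": True},
    ],
    "dev": [
        {"type": "bucket", "id": "scratch", "public": False, "encrypted": False},
    ],
}

SNAPSHOT_T1 = {
    "prod": [
        {"type": "bucket", "id": "logs", "public": False, "encrypted": True},
        # change that increases risk: SSH opened to the world on sg-web
        {"type": "security_group", "id": "sg-web",
         "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                     {"port": 22, "cidr": "0.0.0.0/0"}]},
        {"type": "user", "id": "alice", "mfa": True},
    ],
    "dev": [
        # change that reduces risk: scratch bucket is now encrypted
        {"type": "bucket", "id": "scratch", "public": False, "encrypted": True},
        # new resource without MFA: a new finding
        {"type": "user", "id": "bob", "mfa": False},
    ],
}


if __name__ == "__main__":
    previous = evaluate(SNAPSHOT_T0)
    current = evaluate(SNAPSHOT_T1)
    new, resolved = drift(previous, current)
    print(f"checks performed this run: {checks_performed(SNAPSHOT_T1)}")
    for f in sorted(new, key=lambda f: (f.account, f.resource)):
        print(f"NEW      {f.account}/{f.resource}: {f.control}")
    for f in sorted(resolved, key=lambda f: (f.account, f.resource)):
        print(f"RESOLVED {f.account}/{f.resource}: {f.control}")
```

Run on a schedule, or on every change event, the evaluator keeps a full picture of compliance at each run while the drift report is what an operator acts on: in the constructed data the opened SSH port and the MFA-less user appear as new findings, the now-encrypted bucket as resolved. Adding an account or a resource type adds rows to the snapshot and checks to the product computed by `checks_performed`, without changing the controls themselves.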

Without continuous automation and assessment, organizations lack timely visibility into infrastructure configuration and workload risk, and will have a hard time proving any form of compliance in the cloud.


Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ...

Comments
Joe Stanganelli,
User Rank: Ninja
7/2/2017 | 12:09:37 AM
Re: Secure vs. compliant
@Dr. T: Absolutely.

One of my favorite examples of this that I like to use with clients is of a local hospital that (true story) has certain large trash bins throughout that are very prominently and clearly labeled as being for the disposal of documents containing HIPAA-protected information.

The problem, however, is that if I'm a bad guy, I know exactly where to look for that information. I just have to shove my arm into the bin and grab some papers and quickly dart off.

So while that's a very "compliant" thing to do, it's not at all secure.
Dr.T,
User Rank: Ninja
6/28/2017 | 10:57:44 AM
Secure vs. compliant
"enterprises are scrambling not only to remain secure, but to be compliant with industry, government, and other regulatory mandates"

It is good to point this out; secure does not mean compliant and vice versa.
Dr.T,
User Rank: Ninja
6/28/2017 | 10:55:41 AM
Re: Risk and data stewardship
"a Venn diagram of data stewardship"

Glad you mentioned this; data classification and ownership are where we need to start when it comes to data security and privacy.
Dr.T,
User Rank: Ninja
6/28/2017 | 10:53:46 AM
Re: Great post
I agree, it is well thought out and written, and a very important subject at the same time.
Dr.T,
User Rank: Ninja
6/28/2017 | 10:52:29 AM
Re: Risk and data stewardship
"compliance is just another risk factor"

Makes sense. Anything and everything is a risk anymore and needs to be dealt with through a proper risk management strategy, which should involve automation.
Dr.T,
User Rank: Ninja
6/28/2017 | 10:50:14 AM
continuous automation and assessment
This is certainly needed, especially based on the increased number of ransomware attacks we experience these days.
Angella14,
User Rank: Apprentice
6/28/2017 | 8:49:39 AM
Great post
I truly delighted in perusing your article. I found this a useful and fascinating post, so I think it is extremely valuable and proficient. I would like to thank you for the effort you have made in composing this article. I would be really thankful to you if you visited our site. https://www.promoocodes.com
Joe Stanganelli,
User Rank: Ninja
6/27/2017 | 11:15:47 AM
Risk and data stewardship
At the end of the day, compliance is just another risk factor -- particularly considering that data compliance is NOT the same thing as (and, sometimes, is the opposite thing from) data security or data privacy, respectively. It all falls into a Venn diagram of data stewardship -- and all risks must be appropriately weighed and accounted for.