Partner Perspectives (sponsored content)
Tim Prendergast, 6/27/2017 11:00 AM

Compliance in the Cloud Needs To Be Continuous & Automated

Complex IT environments require timely visibility into risk and compliance.

The discipline of compliance may look like an ideal job for checklist fetishists, but those responsible for maintaining an organization's compliance, especially for cloud computing, have to think beyond adhering to lists.

Beyond being comfortable in the role of an adherent, compliance experts have to develop, manage, and adapt wide-ranging plans, and manage teams spanning different roles, to ensure compliance in its many forms. Yet, as compliance becomes more critical because of increased cyber threats, there is a growing recognition that compliance requires an always-on, automated approach. Indeed, compliance never stops, and as needs increase, only an automated, continuous approach will help enterprises achieve their goals.

A variety of high-profile data breaches over the past few years have highlighted the complexity involved with securing modern IT environments. At issue is the broad footprint the cloud offers, which is also among its greatest assets. Organizations use a variety of platforms and connect and integrate applications and data through APIs so that data can move freely. Among other advantages, this enables enterprises to leverage the cloud as a driver of marketable differentiation.

In this type of environment, enterprises are scrambling not only to remain secure, but to be compliant with industry, government, and other regulatory mandates. The problem is that all that data is moving around and touching many other assets. Consequently, it’s all but impossible to maintain a real-time understanding of compliance and risk.

Image Source: Evident.io

The rapid rise of the cloud as a computing platform has generated an increased focus on compliance, and how it can be aligned with the things that make the cloud so advantageous. Organizations love and appreciate the economics, flexibility, and scalability of the cloud, but there are lingering questions about how to apply a compliance model to it. While organizations leveraging the cloud as part of their critical business infrastructure are no longer the exception to the rule, many security practitioners today are still trying to fully grasp the unique differences and requirements for compliance.

One of the biggest issues is size. Compliance frameworks themselves cover a vast array of elements; the NIST 800-53 spec alone weighs in at more than 2,000 spreadsheet cells, while the NIST Cybersecurity Framework has almost 400 specific requirements in it, all of which must be met at all times.

Then there is the job of laying these compliance elements over environments that grow at an unwieldy pace. Every new integration and API connection creates new sets of data, more actors, and an increase in traffic into and out of an organization's network. All of this has to be monitored and managed. Once any part of it is out of compliance, the organization is vulnerable to attack. Additionally, compliance checks are multiplied by the number of accounts and services an enterprise is running. The exponential growth can get unwieldy really fast.

Clarity is another problem that can be dealt with through continuous and automated compliance. IT and cloud security teams grapple with the ambiguity of what to monitor, when to monitor it, how to identify evidence of compliance, overall reporting requirements, and so on. What is clear is the need for automation in dynamic, cloud-centric environments. Without continuous automation and assessment, organizations lack timely visibility into infrastructure configuration and workload risk, and will have a hard time proving any form of compliance in the cloud.

Continuous monitoring provides a flexible framework for covering multiple layers and types of technologies. For example, with a continuous compliance platform you are able to cover the 11 different security domains defined in NIST SP 800-37, and in so doing, apply compliance in different ways to different technology, all in an effort to monitor various aspects of the same system. This is not just an advantage anymore; it's an imperative because a continuous approach is really the only way to cover all layers of your cloud stack and the different reaches of your cloud footprint.

At the most basic level, continuous monitoring entails the process of proactively identifying and measuring risks posed to critical systems and data on an ongoing basis rather than through periodic assessment. In the context of the cloud, continuous monitoring is perhaps best defined as frequent testing to determine if the configuration of deployed services and security controls continues to be effective over time—with a focus on identifying changes that increase risk. In a continuous monitoring framework, security practitioners must repeatedly test their cloud deployments to determine if change has created new or additional risk.
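As an added illustration of the frequent-testing loop described above (example code written for this edit, not Evident.io's or the author's own), the following Python evaluates a constructed snapshot of cloud resource configuration against a handful of hypothetical controls, then diffs consecutive snapshots so that only the changes which introduce new risk are surfaced. The control identifiers, resource shapes and both snapshots are assumptions made up for the example; a real deployment would pull the snapshots from the cloud provider's configuration APIs and map the control ids to its own framework.

```python
"""Continuous configuration assessment (added example, not Evident.io code):
run a set of controls over a snapshot of cloud resources, then compare the
findings of consecutive snapshots so that a change which increases risk is
reported as soon as the next assessment runs, not at the next periodic audit."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    control: str   # hypothetical control id invented for this example
    resource: str  # resource identifier taken from the snapshot
    detail: str    # human-readable description of the non-compliance


# A control inspects one resource and returns a problem description, or None
# when the resource satisfies it.
Control = Callable[[dict], Optional[str]]


def open_admin_port(res: dict) -> Optional[str]:
    """Security groups must not expose SSH/RDP to the whole internet."""
    if res["type"] != "security_group":
        return None
    for rule in res.get("ingress", []):
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389):
            return f"port {rule['port']} open to the world"
    return None


def bucket_public(res: dict) -> Optional[str]:
    if res["type"] == "bucket" and res.get("public_access"):
        return "bucket allows public access"
    return None


def bucket_unencrypted(res: dict) -> Optional[str]:
    if res["type"] == "bucket" and not res.get("encrypted", False):
        return "bucket is not encrypted at rest"
    return None


def logging_disabled(res: dict) -> Optional[str]:
    if res["type"] == "account" and not res.get("api_logging"):
        return "API audit logging is disabled"
    return None


# Control ids are placeholders; map them to NIST 800-53 or your own framework.
CONTROLS: Dict[str, Control] = {
    "SG-01": open_admin_port,
    "ST-01": bucket_public,
    "ST-02": bucket_unencrypted,
    "LOG-01": logging_disabled,
}


def evaluate(snapshot: List[dict]) -> Set[Finding]:
    """Run every control over every resource in one configuration snapshot."""
    findings: Set[Finding] = set()
    for res in snapshot:
        for cid, check in CONTROLS.items():
            detail = check(res)
            if detail:
                findings.add(Finding(cid, res["id"], detail))
    return findings


def risk_delta(previous: Set[Finding], current: Set[Finding]) -> Tuple[Set[Finding], Set[Finding]]:
    """(findings introduced since the last run, findings resolved since then)."""
    return current - previous, previous - current


# Constructed sample snapshots (not real account data), a few minutes apart.
SNAPSHOT_T0 = [
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"id": "bkt-logs", "type": "bucket", "public_access": False, "encrypted": True},
    {"id": "acct-main", "type": "account", "api_logging": True},
]
SNAPSHOT_T1 = [
    # a change request also opened SSH to the world: new risk
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443},
                 {"cidr": "0.0.0.0/0", "port": 22}]},
    {"id": "bkt-logs", "type": "bucket", "public_access": False, "encrypted": True},
    # a bucket was created without encryption: new risk
    {"id": "bkt-export", "type": "bucket", "public_access": False, "encrypted": False},
    {"id": "acct-main", "type": "account", "api_logging": True},
]


def assess_change() -> Tuple[Set[Finding], Set[Finding]]:
    """One iteration of the continuous loop: assess the latest snapshot and
    report only what changed relative to the previous assessment."""
    return risk_delta(evaluate(SNAPSHOT_T0), evaluate(SNAPSHOT_T1))


if __name__ == "__main__":
    introduced, resolved = assess_change()
    for f in sorted(introduced, key=lambda f: (f.control, f.resource)):
        print(f"NEW RISK  {f.control} {f.resource}: {f.detail}")
    for f in sorted(resolved, key=lambda f: (f.control, f.resource)):
        print(f"RESOLVED  {f.control} {f.resource}: {f.detail}")
```

Keeping findings as a set of (control, resource, detail) triples is what makes the delta cheap: the full assessment still runs every cycle, but the operator is only paged on the findings that are new, which is the "focus on identifying changes that increase risk" the text calls for.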

Without continuous automation and assessment, organizations lack timely visibility into infrastructure configuration and workload risk, and will have a hard time proving any form of compliance in the cloud.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ...
Comments
Joe Stanganelli, 7/2/2017 | 12:09:37 AM
Re: Secure vs. compliant
@Dr. T: Absolutely.

One of my favorite examples of this that I like to use with clients is of a local hospital that (true story) has certain large trash bins throughout that are very prominently and clearly labeled as being for the disposal of documents containing HIPAA-protected information.

The problem, however, is that if I'm a bad guy, I know exactly where to look for that information. I just have to shove my arm into the bin and grab some papers and quickly dart off.

So while that's a very "compliant" thing to do, it's not at all secure.
Dr.T, 6/28/2017 | 10:57:44 AM
Secure vs. compliant
"enterprises are scrambling not only to remain secure, but to be compliant with industry, government, and other regulatory mandates"

It is good to point this out: secure does not mean compliant, and vice versa.
Dr.T, 6/28/2017 | 10:55:41 AM
Re: Risk and data stewardship
"a Venn diagram of data stewardship"

Glad you mentioned this; data classification and ownership are where we need to start when it comes to data security and privacy.
Dr.T, 6/28/2017 | 10:53:46 AM
Re: Great post
I agree, it is well thought out and written, and a very important subject at the same time.
Dr.T, 6/28/2017 | 10:52:29 AM
Re: Risk and data stewardship
"compliance is just another risk factor"

Makes sense. Anything and everything is risk anymore and needs to be dealt with by a proper risk management strategy, which should involve automation.
Dr.T, 6/28/2017 | 10:50:14 AM
continuous automation and assessment
This is certainly needed, especially based on the increased number of ransomware attacks we experience these days.
Angella14, 6/28/2017 | 8:49:39 AM
Great post
I truly delighted in perusing your article. I discovered this as a useful and fascinating post, so I think it is extremely valuable and proficient. I might want to thank you for the exertion you have made in composing this article. I would be really thankful to you if you visit our site. https://www.promoocodes.com
Joe Stanganelli, 6/27/2017 | 11:15:47 AM
Risk and data stewardship
At the end of the day, compliance is just another risk factor -- particularly considering that data compliance is NOT the same thing as (and, sometimes, is the opposite thing from) data security or data privacy, respectively. It all falls into a Venn diagram of data stewardship -- and all risks must be appropriately weighed and accounted for.