Partner Perspectives (sponsored content)
6/27/2017 11:00 AM
Tim Prendergast

Compliance in the Cloud Needs To Be Continuous & Automated

Complex IT environments require timely visibility into risk and compliance.

The discipline of compliance may look like an ideal job for checklist fetishists, but those responsible for maintaining an organization's compliance, especially for cloud computing, have to think beyond adhering to lists.

Beyond being comfortable in the role of an adherent, compliance experts have to develop, manage, and adapt wide-ranging plans, and manage teams spanning different roles, to ensure compliance in its many forms. Yet, as compliance becomes more critical because of increased cyber threats, there is growing recognition that compliance requires an always-on, automated approach. Indeed, compliance never stops, and as needs increase, only an automated, continuous approach will help enterprises achieve their goals.

A variety of high-profile data breaches over the past few years have highlighted the complexity involved in securing modern IT environments. At issue is the broad footprint the cloud offers, which is also among its greatest assets. Organizations use a variety of platforms and connect and integrate applications and data through APIs so that data can move freely. Among other advantages, this enables enterprises to leverage the cloud as a driver of marketable differentiation.

In this type of environment, enterprises are scrambling not only to remain secure, but to be compliant with industry, government, and other regulatory mandates. The problem is that all that data is moving around and touching many other assets. Consequently, it’s all but impossible to maintain a real-time understanding of compliance and risk.

Image Source: Evident.io

The rapid rise of the cloud as a computing platform has generated an increased focus on compliance, and how it can be aligned with the things that make the cloud so advantageous. Organizations love and appreciate the economics, flexibility, and scalability of the cloud, but there are lingering questions about how to apply a compliance model to it. While organizations leveraging the cloud as part of their critical business infrastructure are no longer the exception to the rule, many security practitioners today are still trying to fully grasp the unique differences and requirements for compliance.

One of the biggest issues is size. Compliance frameworks themselves cover a vast array of elements: the NIST SP 800-53 spec alone weighs in at more than 2,000 spreadsheet cells, while the NIST Cybersecurity Framework has almost 400 specific requirements in it, all of which must be met at all times.

Then there is the job of laying these compliance elements over environments that grow at an unwieldy pace. Every new integration and API connection creates new sets of data, more actors, and an increase in traffic into and out of an organization's network. All of this has to be monitored and managed. Once any part of it is out of compliance, the organization is vulnerable to attack. Additionally, compliance checks are multiplied by the number of accounts and services an enterprise is running. The exponential growth can get unwieldy really fast.

Clarity is another problem that can be dealt with through continuous and automated compliance. IT and cloud security teams grapple with the ambiguity of what to monitor, when to monitor it, how to identify evidence of compliance, overall reporting requirements, and so on. What is clear is the need for automation in dynamic, cloud-centric environments. Without continuous automation and assessment, organizations lack timely visibility into infrastructure configuration and workload risk, and will have a hard time proving any form of compliance in the cloud.

Continuous monitoring provides a flexible framework for covering multiple layers and types of technologies. For example, with a continuous compliance platform you are able to cover the 11 different security domains defined in NIST SP 800-37, and in so doing, apply compliance in different ways to different technology, all in an effort to monitor various aspects of the same system. This is not just an advantage anymore; it's an imperative because a continuous approach is really the only way to cover all layers of your cloud stack and the different reaches of your cloud footprint.

At the most basic level, continuous monitoring entails the process of proactively identifying and measuring risks posed to critical systems and data on an ongoing basis rather than through periodic assessment. In the context of the cloud, continuous monitoring is perhaps best defined as frequent testing to determine if the configuration of deployed services and security controls continues to be effective over time—with a focus on identifying changes that increase risk. In a continuous monitoring framework, security practitioners must repeatedly test their cloud deployments to determine if change has created new or additional risk.
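The assessment loop the paragraph describes, as an added example that is not Evident.io's code or the article's: it evaluates constructed snapshots of two accounts against a handful of hypothetical configuration checks, each mapped (illustratively) to a NIST SP 800-53 control identifier, and reports only the findings that did not exist in the previous run, i.e. the changes that increased risk.

```python
from collections import namedtuple

# One non-compliant result; control is the NIST SP 800-53 identifier the check maps to.
Finding = namedtuple("Finding", "account resource control message")
# Each check returns a failure message for a non-compliant resource, else None.
def check_admin_port_open_to_world(res):
    for rule in res.get("ingress", []):
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389):
            return f"port {rule['port']} open to 0.0.0.0/0"
    return None
def check_encrypted_at_rest(res):
    return None if res.get("encrypted") else "not encrypted at rest"
def check_not_public(res):
    return "grants public read" if res.get("public_read") else None

# Resource type -> (NIST SP 800-53 control id, check); the mapping is illustrative.
CHECKS = {
    "security_group": [("SC-7", check_admin_port_open_to_world)],
    "volume": [("SC-28", check_encrypted_at_rest)],
    "bucket": [("AC-3", check_not_public), ("SC-28", check_encrypted_at_rest)],
}

def assess(snapshot):
    """One assessment run: every resource in every account against its checks."""
    findings = set()
    for account, resources in snapshot.items():
        for res in resources:
            for control, check in CHECKS.get(res["type"], []):
                msg = check(res)
                if msg:
                    findings.add(Finding(account, res["id"], control, msg))
    return findings

def new_risk(previous, current):
    """Findings present now but absent last run: the changes that increased risk."""
    return assess(current) - assess(previous)

# Constructed snapshots of two consecutive runs across two accounts (not real data).
HTTPS_OPEN = {"port": 443, "cidr": "0.0.0.0/0"}
SNAPSHOT_T0 = {
    "prod": [{"type": "security_group", "id": "sg-web", "ingress": [HTTPS_OPEN]},
             {"type": "bucket", "id": "logs", "public_read": False, "encrypted": True}],
    "dev": [{"type": "volume", "id": "vol-1", "encrypted": False}],
}
SNAPSHOT_T1 = {  # between runs: SSH opened on sg-web, logs bucket made public
    "prod": [{"type": "security_group", "id": "sg-web",
              "ingress": [HTTPS_OPEN, {"port": 22, "cidr": "0.0.0.0/0"}]},
             {"type": "bucket", "id": "logs", "public_read": True, "encrypted": True}],
    "dev": [{"type": "volume", "id": "vol-1", "encrypted": False}],
}
```

The unencrypted dev volume fails in both runs and so is pre-existing risk, while the two prod changes surface as new findings; in practice the snapshots would come from the provider's configuration API on each run.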


Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ...
Comments
Joe Stanganelli (User Rank: Ninja), 7/2/2017 | 12:09:37 AM
Re: Secure vs. compliant
@Dr. T: Absolutely.

One of my favorite examples of this that I like to use with clients is of a local hospital that (true story) has certain large trash bins throughout that are very prominently and clearly labeled as being for the disposal of documents containing HIPAA-protected information.

The problem, however, is that if I'm a bad guy, I know exactly where to look for that information. I just have to shove my arm into the bin and grab some papers and quickly dart off.

So while that's a very "compliant" thing to do, it's not at all secure.
Dr.T (User Rank: Ninja), 6/28/2017 | 10:57:44 AM
Secure vs. compliant
"enterprises are scrambling not only to remain secure, but to be compliant with industry, government, and other regulatory mandates"

It is good to point this out; secure does not mean compliant and vice versa.
Dr.T (User Rank: Ninja), 6/28/2017 | 10:55:41 AM
Re: Risk and data stewardship
"a Venn diagram of data stewardship"

Glad you mentioned this; data classification and ownership are where we need to start when it comes to data security and privacy.
Dr.T (User Rank: Ninja), 6/28/2017 | 10:53:46 AM
Re: Great post
I agree, it is well thought out and written, and a very important subject at the same time.
Dr.T (User Rank: Ninja), 6/28/2017 | 10:52:29 AM
Re: Risk and data stewardship
"compliance is just another risk factor"

Makes sense. Anything and everything is a risk anymore and needs to be dealt with through a proper risk management strategy, which should involve automation.
Dr.T (User Rank: Ninja), 6/28/2017 | 10:50:14 AM
continuous automation and assessment
This is certainly needed, especially based on the increased number of ransomware attacks we experience these days.
Angella14 (User Rank: Apprentice), 6/28/2017 | 8:49:39 AM
Great post
I truly delighted in perusing your article. I found this to be a useful and fascinating post, so I think it is extremely valuable and proficient. I would like to thank you for the effort you have made in composing this article. I would be really thankful to you if you visit our site. https://www.promoocodes.com
Joe Stanganelli (User Rank: Ninja), 6/27/2017 | 11:15:47 AM
Risk and data stewardship
At the end of the day, compliance is just another risk factor -- particularly considering that data compliance is NOT the same thing as (and, sometimes, is the opposite thing from) data security or data privacy, respectively. It all falls into a Venn diagram of data stewardship -- and all risks must be appropriately weighed and accounted for.