Cloud, Compliance & the Death of the IT Checklist

For years, compliance frameworks provide guidelines for effective and secure operations. For instance, there's the Health Insurance Portability and Accountability Act (HIPPA) for healthcare and PCI for credit card transactions.

Each is written as a set of controls and they correspond to the infrastructure settings and policies that an organization must follow. In addition, these frameworks are designed to be organized in a way that is similar to a checklist: IT develops policies that define how the controls will function, and then admins need evidence that those policies have been implemented by the business.

The cloud, however, presents new problems for these neat checklists that we have spent years developing.

The cloud is essentially stateless and never really "built" in the same way that traditional IT infrastructure is constructed. A checklist approach can't provide an adequate or meaningful assessment of adherence to compliance requirements. It's an environment that is changing continuously, so your compliance also needs to be monitored continuously.

(Source: iStock)

Scaling to meet demand and remain compliant
Cloud adoption continues at a rapid pace, partly because it's inherent flexibility and scalability translate into an economic advantage. But as cloud customers struggle to understand how to apply a new way of security for their users and workloads, they also are learning how to apply an effective compliance model to their cloud environments.

At issue for any organization is the scale and demands of compliance frameworks.

These frameworks attempt to provide structure across the entirety of the IT infrastructure, but it's simply overwhelming for any organization.

Consider that the NIST 800-53 spec is comprised of more than 2,000 separate requirements. Each requirement corresponds to some aspect of an organization's infrastructure that, if not met, could create a security vulnerability. It could also render the organization non-compliant, which could prevent it from operating with partners and customers due to a non-compliant status. Non-compliance also comes with a hefty price tag: In 2017, HIPAA fines totaled more than $20 million, with individual organizations like the Children's Medical Center of Dallas being fined $3.2 million for lack of timely action for addressing security risks.

Clearly, the issues surrounding compliance are complex, in part because the nature of the environment is ephemeral; compliance, as a discipline, tends to like things that are more binary in nature. Change is core to every advantage the organization receives with the cloud, but standards are built to address systems that are more static in nature.

Organizationally, this creates stress on already overworked teams that struggle to maintain awareness and make the necessary fixes. Even FedRAMP, which was designed for the cloud, demands significant time and resources to maintain oversight. Understaffed security teams just don't have proper visibility into what's deployed in cloud environments, who accesses it, how often it changes and who makes the changes.

Complexity is the mother of automation
But when we're operating in the cloud, we're not just talking about thousands of rules.

The numbers become exponential because each of those rules is affected every time a new API connection is made, a user is added (or removed) or a new repository is spun up. And these are only some of the examples of issues that are happening without much governance. The cloud is transparent and administration is widely delegated, so there's really no centralizing checklist by which a compliance team is able to keep tabs.

Overlooking aspects of the compliance framework is almost a de facto part of a strategy that leans heavily on hoping and praying.

It's imperative that every one of the items in a framework requires attention, but in the cloud it needs an always-on level of scrutiny. Humans alone cannot provide the level of insight and analysis required, so the first thing organizations need is an automated way to perform compliance.

Automation, coupled with a continuous approach, gives organizations coverage over each requirement in a governance framework. Tools can be deployed to specifically seek those things that need monitoring, and they can be checked against whether or not they pass the test of compliance.

Automated, continuous monitoring is the most sensical path for compliance management; it's imperative for companies that must demonstrate an effort towards compliance. Using this type of strategy, an organization is basically applying a proactive approach to identification and measurement of risk. But it's able to do it in an ongoing way as opposed to doing scheduled, periodic assessments. It provides security and governance teams with data about deployed services and security controls, and how effective they are.

A continuous approach
What's most important is clarity and the ability to take immediate action when risk is present. Organizations need to skip the checklist and instead rely on a broader perspective where they can do the following things in an automated way:

The dynamic nature of the cloud can no longer work with a clipboard and an eager team of investigators.

Organizations that aren't using automation as part of their compliance posture have only limited visibility and put their businesses at great potential risk. With an effective multicloud strategy that uses compliance and automation, organizations can cover and protect the resources under their responsibility.

Related posts:

— Sanjay Kalra is Co-Founder and Chief Strategy Officer at Lacework and leads the company's overall strategy for innovation, business development, channel, strategic partnerships and customer success. Kalra has 20 years of experience in cloud, networking, analytics and security.