The discipline of compliance may look like an ideal job for checklist fetishists, but those responsible for maintaining an organization's compliance, especially for cloud computing, have to think beyond adhering to lists.
Beyond being comfortable in the role of an adherent, compliance experts have to develop, manage, and adapt wide-ranging plans, and manage teams of different roles, to ensure compliance in its many forms. Yet, as compliance becomes more critical because of increased cyber threats, there is an increased recognition that compliance requires an always-on, automated approach. Indeed, compliance never stops, and as needs increase, only an automated, continuous approach will help enterprises achieve their goals.
A variety of high-profile data breaches over the past few years have highlighted the complexity involved with securing modern IT environments. At issue is the broad footprint the cloud offers, which is also among its greatest assets. Organizations use a variety of platforms and connect and integrate applications and data through APIs so that data can move freely. Among other advantages, this enables enterprises to leverage the cloud as a driver of marketable differentiation.
In this type of environment, enterprises are scrambling not only to remain secure, but to be compliant with industry, government, and other regulatory mandates. The problem is that all that data is moving around and touching many other assets. Consequently, it’s all but impossible to maintain a real-time understanding of compliance and risk.
The rapid rise of the cloud as a computing platform has generated an increased focus on compliance, and how it can be aligned with the things that make the cloud so advantageous. Organizations love and appreciate the economics, flexibility, and scalability of the cloud, but there are lingering questions about how to apply a compliance model to it. While organizations leveraging the cloud as part of their critical business infrastructure are no longer the exception to the rule, many security practitioners today are still trying to fully grasp the unique differences and requirements for compliance.
One of the biggest issues is size. Compliance frameworks themselves cover a vast array of elements: the NIST 800-53 spec alone weighs in at more than 2,000 spreadsheet cells, while the NIST Cybersecurity Framework has almost 400 specific requirements in it, all of which must be met at all times.
Then there is the job of laying these compliance elements over environments that grow at an unwieldy pace. Every new integration and API connection creates new sets of data, more actors, and an increase in traffic into and out of an organization's network. All of this has to be monitored and managed. Once any part of it is out of compliance, the organization is vulnerable to attack. Additionally, compliance checks are multiplied by the number of accounts and services an enterprise is running. The exponential growth can get unwieldy really fast.
Clarity is another problem that can be dealt with through continuous and automated compliance. IT and cloud security teams grapple with the ambiguity of what to monitor, when to monitor it, how to identify evidence of compliance, overall reporting requirements, and so on. What is clear is the need for automation in dynamic, cloud-centric environments. Without continuous automation and assessment, organizations lack timely visibility into infrastructure configuration and workload risk, and will have a hard time proving any form of compliance in the cloud.
Continuous monitoring provides a flexible framework for covering multiple layers and types of technologies. For example, with a continuous compliance platform you are able to cover the 11 different security domains defined in NIST SP 800-37, and in so doing, apply compliance in different ways to different technology, all in an effort to monitor various aspects of the same system. This is not just an advantage anymore; it's an imperative because a continuous approach is really the only way to cover all layers of your cloud stack and the different reaches of your cloud footprint.
At the most basic level, continuous monitoring entails the process of proactively identifying and measuring risks posed to critical systems and data on an ongoing basis rather than through periodic assessment. In the context of the cloud, continuous monitoring is perhaps best defined as frequent testing to determine if the configuration of deployed services and security controls continues to be effective over time—with a focus on identifying changes that increase risk. In a continuous monitoring framework, security practitioners must repeatedly test their cloud deployments to determine if change has created new or additional risk.
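The repeated-testing loop described above, as an added example that is not code from the original article: two constructed inventory snapshots of the same cloud account are evaluated against a small rule set and then diffed, so each run reports only the configuration changes that increased risk since the previous run (and any that were fixed). The control IDs, resource shapes and rules are illustrative assumptions.

```python
"""Continuous-compliance drift check (added example, not from the article).
Constructed snapshots stand in for the resource inventory a monitoring run
pulls from the cloud provider; control IDs are hypothetical placeholders."""
from typing import Callable, Dict, List, Tuple

Resource = Dict[str, object]
Finding = Tuple[str, str]  # (resource id, control id)

# Each rule: (hypothetical control id, resource type, predicate that is True
# when the resource is COMPLIANT).  A real program would map these to
# framework controls such as those in NIST SP 800-53.
RULES: List[Tuple[str, str, Callable[[Resource], bool]]] = [
    ("CTRL-STORAGE-ENCRYPT", "bucket", lambda r: bool(r.get("encrypted"))),
    ("CTRL-STORAGE-NO-PUBLIC", "bucket", lambda r: not r.get("public")),
    ("CTRL-NET-NO-OPEN-ADMIN", "security_group",
     lambda r: not any(p in (22, 3389) and c == "0.0.0.0/0"
                       for p, c in r.get("ingress", []))),
]

def evaluate(snapshot: Dict[str, Resource]) -> List[Finding]:
    """Run every rule against every resource of the matching type."""
    findings: List[Finding] = []
    for rid, res in sorted(snapshot.items()):
        for control, rtype, compliant in RULES:
            if res.get("type") == rtype and not compliant(res):
                findings.append((rid, control))
    return findings

def drift(previous: Dict[str, Resource],
          current: Dict[str, Resource]) -> Dict[str, List[Finding]]:
    """Compare two runs: 'new' findings are changes that increased risk,
    'resolved' findings are fixes made since the previous run."""
    before, after = set(evaluate(previous)), set(evaluate(current))
    return {"new": sorted(after - before), "resolved": sorted(before - after)}

# Constructed sample data: run N-1 versus run N of the same account.
RUN_1 = {
    "bucket-logs": {"type": "bucket", "encrypted": True, "public": False},
    "sg-web": {"type": "security_group", "ingress": [(443, "0.0.0.0/0")]},
}
RUN_2 = {
    "bucket-logs": {"type": "bucket", "encrypted": True, "public": True},  # made public
    "sg-web": {"type": "security_group",
               "ingress": [(443, "0.0.0.0/0"), (22, "0.0.0.0/0")]},        # SSH opened to world
    "bucket-new": {"type": "bucket", "encrypted": False, "public": False},  # new, unencrypted
}

if __name__ == "__main__":
    for kind, items in drift(RUN_1, RUN_2).items():
        print(kind, items)
```

Scheduling this comparison after every inventory pull, rather than once per audit cycle, is what turns a point-in-time assessment into the continuous monitoring the article calls for.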