Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

// // //
09:35 AM
Sanjay Kalra
Sanjay Kalra
News Analysis-Security Now
Connect Directly
E-Mail vvv

Cloud, Compliance & the Death of the IT Checklist

For years, IT could rely on various checklists to ensure that systems and infrastructure were in compliance with various government regulations. The cloud has upended that structure, and a new, more automated approach is now needed.

For years, compliance frameworks provide guidelines for effective and secure operations. For instance, there's the Health Insurance Portability and Accountability Act (HIPPA) for healthcare and PCI for credit card transactions.

Each is written as a set of controls and they correspond to the infrastructure settings and policies that an organization must follow. In addition, these frameworks are designed to be organized in a way that is similar to a checklist: IT develops policies that define how the controls will function, and then admins need evidence that those policies have been implemented by the business.

The cloud, however, presents new problems for these neat checklists that we have spent years developing.

The cloud is essentially stateless and never really "built" in the same way that traditional IT infrastructure is constructed. A checklist approach can't provide an adequate or meaningful assessment of adherence to compliance requirements. It's an environment that is changing continuously, so your compliance also needs to be monitored continuously.

(Source: iStock)
(Source: iStock)

Scaling to meet demand and remain compliant
Cloud adoption continues at a rapid pace, partly because it's inherent flexibility and scalability translate into an economic advantage. But as cloud customers struggle to understand how to apply a new way of security for their users and workloads, they also are learning how to apply an effective compliance model to their cloud environments.

At issue for any organization is the scale and demands of compliance frameworks.

These frameworks attempt to provide structure across the entirety of the IT infrastructure, but it's simply overwhelming for any organization.

Consider that the NIST 800-53 spec is comprised of more than 2,000 separate requirements. Each requirement corresponds to some aspect of an organization's infrastructure that, if not met, could create a security vulnerability. It could also render the organization non-compliant, which could prevent it from operating with partners and customers due to a non-compliant status. Non-compliance also comes with a hefty price tag: In 2017, HIPAA fines totaled more than $20 million, with individual organizations like the Children's Medical Center of Dallas being fined $3.2 million for lack of timely action for addressing security risks.

Clearly, the issues surrounding compliance are complex, in part because the nature of the environment is ephemeral; compliance, as a discipline, tends to like things that are more binary in nature. Change is core to every advantage the organization receives with the cloud, but standards are built to address systems that are more static in nature.

Organizationally, this creates stress on already overworked teams that struggle to maintain awareness and make the necessary fixes. Even FedRAMP, which was designed for the cloud, demands significant time and resources to maintain oversight. Understaffed security teams just don't have proper visibility into what's deployed in cloud environments, who accesses it, how often it changes and who makes the changes.

Complexity is the mother of automation
But when we're operating in the cloud, we're not just talking about thousands of rules.

The numbers become exponential because each of those rules is affected every time a new API connection is made, a user is added (or removed) or a new repository is spun up. And these are only some of the examples of issues that are happening without much governance. The cloud is transparent and administration is widely delegated, so there's really no centralizing checklist by which a compliance team is able to keep tabs.

Overlooking aspects of the compliance framework is almost a de facto part of a strategy that leans heavily on hoping and praying.

It's imperative that every one of the items in a framework requires attention, but in the cloud it needs an always-on level of scrutiny. Humans alone cannot provide the level of insight and analysis required, so the first thing organizations need is an automated way to perform compliance.

Automation, coupled with a continuous approach, gives organizations coverage over each requirement in a governance framework. Tools can be deployed to specifically seek those things that need monitoring, and they can be checked against whether or not they pass the test of compliance.

Automated, continuous monitoring is the most sensical path for compliance management; it's imperative for companies that must demonstrate an effort towards compliance. Using this type of strategy, an organization is basically applying a proactive approach to identification and measurement of risk. But it's able to do it in an ongoing way as opposed to doing scheduled, periodic assessments. It provides security and governance teams with data about deployed services and security controls, and how effective they are.

A continuous approach
What's most important is clarity and the ability to take immediate action when risk is present. Organizations need to skip the checklist and instead rely on a broader perspective where they can do the following things in an automated way:

  • Insight: Compliance frameworks are written with specificity in mind. Security teams need to apply tools to identify and deliver insights about the specifics of those frameworks across applications, processes, workloads, virtual machines, containers, users, storage repositories, and everything else occurring within their cloud environment.
  • Scale: The happy problem for most organizations is that, as they grow, their footprint increases. That results in more activity and more potential for compliance controls to be compromised. Any effort they put to the task must be built to scale, otherwise, efforts to manage compliance will grow beyond their ability to handle it.
  • Cohort analysis: At scale, a cloud infrastructure can have hundreds of discrete entities performing exactly the same task. Load balancers, for example, might send tasks to multiple identical servers to reduce latency and enhance the user experience. By aggregating similar entities, a team is able to identify the true structure of your cloud implementation.
  • Baseline: Part of automation is knowing what's is and isn't acceptable behavior in the eyes of the framework. Use that within your monitoring so anomalies are detected based on their deviation from the baseline.
  • Change detection: Once a policy has been updated, it also requires some form of codification of it. Change detection enables you to make note of it.

The dynamic nature of the cloud can no longer work with a clipboard and an eager team of investigators.

Organizations that aren't using automation as part of their compliance posture have only limited visibility and put their businesses at great potential risk. With an effective multicloud strategy that uses compliance and automation, organizations can cover and protect the resources under their responsibility.

Related posts:

Sanjay Kalra is Co-Founder and Chief Strategy Officer at Lacework and leads the company's overall strategy for innovation, business development, channel, strategic partnerships and customer success. Kalra has 20 years of experience in cloud, networking, analytics and security.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file