This is a guest post, the opinions and thoughts expressed are those of the author and do not reflect on Techaeris. The author’s full bio is located at the end of this article.
Strategizing cloud compliance with a traditional enterprise mindset is detrimental for all organizations.
As organizations continually move their workloads to cloud platforms, they need to ensure their data, workloads, and processes meet compliance requirements. The traditional mindset for achieving compliance on cloud is the biggest hurdle organizations face; overcoming it requires a change in perspective, and understanding the challenges is paramount to achieving what is needed.
Here are some of the challenges companies face, along with my insights on how to tackle each hurdle.
Delineating responsibility in ‘Shared Responsibility Model’ across Cloud Service Models (IaaS, PaaS and SaaS)
Despite significant efforts from cloud providers in creating awareness of the shared responsibility model, providing security controls and training, organizations still struggle to understand the ‘Shared Responsibility Model’ and make mistakes in delineating the responsibilities. Organizations end up with critical security gaps on their cloud assets, assuming it’s the cloud service provider’s responsibility, leading to potential breaches.
Responsibility shift and varied realization of compliance mappings for different cloud service models (IaaS, PaaS, SaaS)
Compliance requirements/objectives remain the same across cloud computing layers. However, the accountability for achieving a specific requirement on a SaaS vs an IaaS platform may be completely different: one may require the cloud provider to implement it, whereas the other requires the customer to do so.
For example, the same data-at-rest encryption objective is met differently on a SaaS platform than on an IaaS service, because the two have different responsibility models and implementation sets.
Enterprise focused ‘risk signatures’ and ‘compliance mappings’ do not translate/fit into Cloud specifications
Organizations try to retrofit their existing enterprise security controls for assessing and meeting their compliance needs on cloud to save on costs and time. This leads to erroneous results and will cost more in terms of time and effort to fix the failed compliance objectives and security misconfigurations.
For example, PCI compliance mandates assigning a unique ID to each person with computer access, which is a straightforward use case in a traditional enterprise. However, this specific requirement translates into several key use cases in the context of an IaaS service: a person can access IaaS resources via its management portal, APIs, the command line, or even from an end workload via native IAM roles.
Security and Compliance checks are done at the very end in the software production lifecycle
Traditionally, security and compliance policies are documented in large and difficult-to-comprehend paper documents. After the software is produced, security officers/personnel validate it to ensure it meets the documented policies, and this validation often falls short due to time constraints on delivery, go-to-market pressure and an incorrect understanding of the software. The relationship between the security and development teams suffers in the process, which most of the time contributes to the creation of non-resilient and insecure software.
High Velocity of drift management
The cloud ecosystem is ephemeral in nature, leading to an extremely fast-moving environment and making it extremely difficult to manage and track drift. Enforcing security controls to maintain compliance standards in a rapidly changing environment is complex, requires discipline and the redesign of legacy applications, and can be a costly affair if not done correctly. Always remember that meeting cloud compliance requirements is difficult, and staying compliant is even harder.
The following are the salient ways to enable organizational changes that are instrumental in bringing about a change in perspective and a change in culture, eventually leading to achieving and staying compliant in a cloud ecosystem.
Understanding of Shared Responsibility Model across cloud service models is paramount to understand ‘Responsibility Shift’
Cloud providers have invested a lot in creating awareness and a knowledge base articulating their responsibilities. Cloud adoption strategy should include investment in learning and training the teams about responsibility shift.
Microsoft’s shared responsibility guide and AWS Shared responsibility guide are great starting points to learn. Delineating and defining responsibilities for IaaS, PaaS and SaaS service models as early as possible is the mantra to success. Moving to Cloud does not mean organizations are off the hook to secure their workloads or data on cloud.
Shifting security and compliance checks to the left
The rise in DevOps adoption has significantly impacted the ways in which organizations produce software. With this change in methodology, security and compliance controls need to shift left rather than be implemented closer to production. Converting paper-based security and compliance policies into code templates is the fundamental change organizations should be willing to adopt.
Starting early and converting security as code is the answer to achieve compliance at cloud scale.
Automation is key to managing drift and staying compliant
Managing drift in Cloud is difficult due to its ephemeral and high-velocity nature. Automation and real-time enforcement of compliance policies is the mantra to stay compliant.
Automation allows organizations to enforce security policies and security controls homogeneously in an ever-changing cloud ecosystem. This can be further augmented with real-time enforcement of compliance policies, which is an absolute necessity to stay compliant. In-house automation as well as products like Chef, Puppet, etc. can be used to automate and manage drift and meet compliance objectives (disclosure: Saviynt is a partner of Chef Software).
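As an added illustration of what "security as code" and automated drift management can look like in practice (this is example code, not the author's or Saviynt's, and the inventory, resource names and rules are constructed for the demo), the block below encodes two of the objectives discussed above, data-at-rest encryption on customer-managed IaaS storage and PCI's unique-ID-per-person requirement, as checks that run against a resource inventory and then flags drift from the last compliant snapshot:

```python
"""Added example: compliance objectives expressed as code, plus drift detection.
Not the author's or Saviynt's code; inventory and rule names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    rid: str                  # constructed resource identifier
    kind: str                 # "storage" or "iam_user"
    config: dict = field(default_factory=dict)


def check_encryption_at_rest(res):
    """On IaaS, encrypting storage at rest is the customer's responsibility."""
    if res.kind != "storage":
        return None           # rule does not apply to this resource kind
    return bool(res.config.get("encrypted"))


def check_unique_id(res):
    """PCI unique-ID objective in IaaS terms: a principal shared by several
    people fails, whichever access path (portal, API, CLI, role) it uses."""
    if res.kind != "iam_user":
        return None
    return len(res.config.get("owners", [])) == 1


RULES = {"encryption_at_rest": check_encryption_at_rest,
         "unique_id_per_person": check_unique_id}


def evaluate(inventory):
    """Return {rule name: [ids of resources that fail that rule]}."""
    failures = {name: [] for name in RULES}
    for res in inventory:
        for name, rule in RULES.items():
            if rule(res) is False:
                failures[name].append(res.rid)
    return failures


def detect_drift(baseline, current):
    """Ids of resources whose config changed (or appeared) since the snapshot."""
    base = {r.rid: r.config for r in baseline}
    return sorted(r.rid for r in current if base.get(r.rid) != r.config)


# Constructed sample inventories (not from any real environment)
BASELINE = [Resource("vol-1", "storage", {"encrypted": True}),
            Resource("bucket-1", "storage", {"encrypted": True}),
            Resource("alice", "iam_user", {"owners": ["alice"]})]
CURRENT = [Resource("vol-1", "storage", {"encrypted": True}),
           Resource("bucket-1", "storage", {"encrypted": False}),  # drifted
           Resource("alice", "iam_user", {"owners": ["alice"]}),
           Resource("ops-shared", "iam_user", {"owners": ["bob", "carol"]})]

if __name__ == "__main__":
    print(evaluate(CURRENT))
    print(detect_drift(BASELINE, CURRENT))
```

In a real pipeline the same rule set would run both at build time (shift left) and on a schedule against the live inventory, so a failing rule or a drifted resource is caught as it happens rather than at an end-of-cycle audit.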
Third-party products for compliance framework mappings help in reducing complexity and expedite the process
Organizations in regulated industries spend significant time defining security and compliance controls to meet stringent and complex compliance mandates. Investment in external consultation or third-party products not only expedites the process but also ensures the correctness of the mappings.
Organizational changes in culture and mindset are fundamental shifts that need to occur at the grassroots level to ensure a successful, secure and compliant cloud adoption, and they can make a huge difference in your organization’s compliance fulfillment.
About the Author: As Saviynt’s Chief Cloud Officer, Vibhuti Sinha is the owner of Saviynt’s cloud platform and products (www.saviynt.com). As the owner of Saviynt’s cloud platform, he is responsible for delivering Saviynt’s IGA and cloud security offerings as services to its customers across the globe. He is also responsible for the strategy and innovation of products to secure various cloud providers, cloud applications and platforms. He has 16+ years of experience in defining security vision and roadmap, building security solutions, defining IAM strategy and implementing large-scale security platforms for Fortune 500 organizations.