Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/27/2017
11:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
100%
0%

Compliance in the Cloud Needs To Be Continuous & Automated

Complex IT environments require timely visibility into risk and compliance.

The discipline of compliance may look like an ideal job for checklist fetishists, but those responsible for maintaining an organization's compliance, especially for cloud computing, have to be think beyond adhering to lists.

Beyond being comfortable in the role of an adherent, compliance experts have to develop, manage, and adapt wide ranging plans, and manage teams of different roles, to ensure compliance in its many forms. Yet, as compliance becomes more critical because of increased cyber threats, there is an increased recognition that compliance requires an always-on, automated approach. Indeed, compliance never stops, and as needs increase, only an automated, continuous approach will help enterprises achieve their goals.

A variety of high profile data breaches over the past few years have highlighted the complexity involved with securing modern IT environments. At issue is the broad footprint the cloud offers, which is also among its greatest assets. Organizations use a variety of platforms and connect and integrate applications and data through API so that data can move freely. Among other advantages, this enables enterprises to leverage the cloud as a driver of marketable differentiation.

In this type of environment, enterprises are scrambling not only to remain secure, but to be compliant with industry, government, and other regulatory mandates. The problem is that all that data is moving around and touching many other assets. Consequently, it’s all but impossible to maintain a real-time understanding of compliance and risk.

The rapid rise of the cloud as a computing platform has generated an increased focus on compliance, and how it can be aligned with the things that make the cloud so advantageous. Organizations love and appreciate the economics, flexibility, and scalability of the cloud, but there are lingering questions about how to apply a compliance model to it. While organizations leveraging the cloud as part of their critical business infrastructure are no longer the exception to the rule, many security practitioners today are still trying to fully grasp the unique differences and requirements for compliance.

One of the biggest issues is size. Compliance frameworks themselves cover a vast array of elements; the NIST 800-53 spec alone weighs in at more than 2,000 spreadsheet cells, while the  NIST Cybersecurity Framework has almost 400 specific requirements in it; all of which must be met at all times.

Then there is the job of laying these compliance elements over environments that grow at an unwieldy pace. Every new integration and API connection creates new sets of data, more actors, and an increase in traffic into and out of an organization's network. All of this has to be monitored and managed. Once any part of it is out of compliance, the organization is vulnerable to attack. Additionally, compliance checks are multiplied by the number of accounts and services an enterprise is running. The exponential growth can get unwieldy really fast.

Clarity is another problem that can be dealt with through continuous and automated compliance. IT and cloud security teams grapple with the ambiguity of what to monitor, when to monitor it, how to identify evidence of compliance, overall reporting requirements, and so on. What is clear is the need for automation in dynamic, cloud-centric environments. Without continuous automation and assessment, organizations lack timely visibility into infrastructure configuration and workload risk, and will have a hard time proving any form of compliance in the cloud.

Continuous monitoring provides a flexible framework for covering multiple layers and types of technologies. For example, with a continuous compliance platform you are able to cover the 11 different security domains defined in NIST SP 800-37, and in so doing, apply compliance in different ways to different technology, all in an effort to monitor various aspects of the same system. This is not just an advantage anymore; it's an imperative because a continuous approach is really the only way to cover all layers of your cloud stack and the different reaches of your cloud footprint.

At the most basic level, continuous monitoring entails the process of proactively identifying and measuring risks posed to critical systems and data on an ongoing basis rather than through periodic assessment. In the context of the cloud, continuous monitoring is perhaps best defined as frequent testing to determine if the configuration of deployed services and security controls continues to be effective over time—with a focus on identifying changes that increase risk. In a continuous monitoring framework, security practitioners must repeatedly test their cloud deployments to determine if change has created new or additional risk.

Without continuous automation and assessment, organizations lack timeless visibility into infrastructure configuration and workload risk, and will have a hard time proving any form of compliance in the cloud.

 

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ...
View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/2/2017 | 12:09:37 AM
Re: Secure vs. compliant
@Dr. T: Absolutely.

One of my favorite examples of this that I like to use with clients is of a local hospital that (true story) has certain large trash bins throughout that are very prominently and clearly labeled as being for the disposal of documents containing HIPAA-protected information.

The problem, however, is that if I'm a bad guy, I know exactly where to look for that information. I just have to shove my arm into the bin and grab some papers and quickly dart off.

So while that's a very "compliant" thing to do, it's not at all secure.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/28/2017 | 10:57:44 AM
Secure vs. compliant
"enterprises are scrambling not only to remain secure, but to be compliant with industry, government, and other regulatory mandates"

I tis good to point this out, secure does not mean compliant and vice a versa.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/28/2017 | 10:55:41 AM
Re: Risk and data stewardship
"a Venn diagram of data stewardship"

Glad you mentioned this, data classification and ownership where we need to start when it comes to data security and privacy.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/28/2017 | 10:53:46 AM
Re: Great post
I agree, it is well thought and written, and very important subject at the same time. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/28/2017 | 10:52:29 AM
Re: Risk and data stewardship
"compliance is just another risk factor"

Makes sense. Anything and everything is risk anymore and needs to be dealt with a proper risk management strategy which should involve automation anymore.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/28/2017 | 10:50:14 AM
continuous automation and assessment
This is certainly needed a specially based on the increased number of ransomware attacks we experience these days.
Angella14
50%
50%
Angella14,
User Rank: Apprentice
6/28/2017 | 8:49:39 AM
Great post
I truly delighted in perusing your article. I discovered this as a useful and fascinating post, so I think it is extremely valuable and proficient. I might want to thank you for the exertion you have made in composing this article.  I really thankful to you if you visit our site. https://www.promoocodes.com
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/27/2017 | 11:15:47 AM
Risk and data stewardship
At the end of the day, compliance is just another risk factor -- particularly considering that data compliance is NOT the same thing as (and, sometimes, is the opposite thing from) data security or data privacy, respectively. It all falls into a Venn diagram of data stewardship -- and all risks must be appropriately weighed and accounted for.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.
CVE-2020-5132
PUBLISHED: 2020-09-30
SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability. When the users publicly display their organization’s internal domain names in the SSL-VPN au...
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.