Dark Reading is part of the Informa Tech Division of Informa PLC


Security Management

12/7/2018
09:35 AM
Sanjay Kalra
News Analysis-Security Now

Cloud, Compliance & the Death of the IT Checklist

For years, IT could rely on checklists to show that systems and infrastructure complied with government and industry regulations. The cloud has upended that structure, and a new, more automated approach is now needed.

For years, compliance frameworks have provided guidelines for effective and secure operations. For instance, there's the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and the PCI Data Security Standard (PCI DSS) for credit card transactions.

Each is written as a set of controls that correspond to the infrastructure settings and policies an organization must follow. The frameworks are organized much like a checklist: IT develops policies that define how each control will be satisfied, and auditors then need evidence that the business has actually implemented those policies.

The cloud, however, presents new problems for these neat checklists that we have spent years developing.

Cloud infrastructure is ephemeral and never really "built" the way traditional IT infrastructure is: resources are created, reconfigured and destroyed continuously through APIs. A point-in-time checklist cannot give an adequate or meaningful assessment of adherence to compliance requirements in an environment that changes continuously, so compliance itself has to be monitored continuously.

Scaling to meet demand and remain compliant
Cloud adoption continues at a rapid pace, partly because its inherent flexibility and scalability translate into an economic advantage. But as cloud customers struggle to understand how to secure their users and workloads in this new model, they are also still learning how to apply an effective compliance model to their cloud environments.

At issue for any organization is the scale and demands of compliance frameworks.

These frameworks attempt to provide structure across the entirety of the IT infrastructure, and the sheer volume of requirements is overwhelming for any organization.

Consider that NIST SP 800-53 defines hundreds of controls and control enhancements. Each one corresponds to some aspect of an organization's infrastructure that, if not met, could leave a security gap. It could also render the organization non-compliant, which may prevent it from doing business with partners and customers. Non-compliance also comes with a hefty price tag: In 2017, HIPAA fines totaled more than $20 million, and Children's Medical Center of Dallas alone was fined $3.2 million for failing to act on known security risks in a timely way.

Clearly, the issues surrounding compliance are complex, in part because the environment is ephemeral while compliance, as a discipline, prefers things that are binary: a control is either met or it is not. Change is core to every advantage an organization gets from the cloud, but the standards were built for systems that are far more static.

Organizationally, this puts stress on already overworked teams that struggle to maintain awareness and make the necessary fixes. Even FedRAMP, which was designed for the cloud, demands significant time and resources to maintain oversight. Understaffed security teams simply don't have proper visibility into what's deployed in their cloud environments, who accesses it, how often it changes and who makes the changes.

Complexity is the mother of automation
But when we're operating in the cloud, we're not just talking about thousands of rules.

The numbers multiply, because the state each rule evaluates changes every time a new API connection is made, a user is added (or removed) or a new repository is spun up, and these are only some of the events that happen with little governance. Cloud resources are exposed through APIs and administration is widely delegated, so there is no single, central checklist by which a compliance team can keep tabs.

Overlooking parts of the compliance framework is, in effect, a strategy that leans heavily on hoping and praying.

Every item in a framework requires attention, but in the cloud each one needs an always-on level of scrutiny. Humans alone cannot provide the level of insight and analysis required, so the first thing organizations need is an automated way to assess compliance.

Automation, coupled with a continuous approach, gives organizations coverage of each requirement in a governance framework. Tools can be deployed to look specifically for the things that need monitoring and to check each of them against the corresponding compliance test.

Automated, continuous monitoring is the most sensible path for compliance management, and it is imperative for companies that must demonstrate an ongoing effort toward compliance. With this strategy an organization applies a proactive approach to identifying and measuring risk, but does so continuously rather than through scheduled, periodic assessments. It gives security and governance teams data about deployed services and security controls, and about how effective those controls are.

A continuous approach
What matters most is clarity and the ability to take immediate action when risk is present. Organizations need to skip the checklist and instead rely on a broader perspective where they can do the following things in an automated way:

  • Insight: Compliance frameworks are written with specificity in mind. Security teams need tools that identify and deliver insight into how those specific requirements apply across applications, processes, workloads, virtual machines, containers, users, storage repositories and everything else running in their cloud environment.
  • Scale: The happy problem for most organizations is that their footprint grows as they do. That means more activity and more opportunities for controls to drift out of compliance. Any effort put into the task must be built to scale; otherwise the work of managing compliance will outgrow the team's ability to handle it.
  • Cohort analysis: At scale, a cloud infrastructure can have hundreds of discrete entities performing exactly the same task; a load balancer, for example, might distribute requests across many identical servers to reduce latency and improve the user experience. By aggregating similar entities into cohorts, a team can see the true structure of its cloud implementation and reason about each cohort as a unit rather than about every instance individually.
  • Baseline: Part of automation is knowing what is and isn't acceptable behavior in the eyes of the framework. Encode that baseline in your monitoring so that anomalies are detected by their deviation from it.
  • Change detection: When a policy is updated, the change itself needs to be codified. Change detection records each configuration change as it happens, so that drift is noticed immediately and can be evaluated against the current policy.
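The list above describes an architecture rather than a tool. The following is an added example, not code from the article or from the author's company, of what the "compliance as code" approach looks like in practice: checks tagged with the framework control they give evidence for, evaluated continuously over an inventory snapshot, rolled up by cohort, and diffed against the previous run for change detection. The inventory snapshots, resource schema, cohort names and thresholds are constructed for illustration; the control identifiers are real NIST SP 800-53 controls, but the mapping of each check to a control is the example's own assumption, and a real deployment would pull inventory from the cloud provider's APIs.

```python
"""Added example (not from the article): a minimal continuous-compliance
evaluator in the 'policy as code' style. Inventory, resource schema and the
check-to-control mapping are constructed assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    control: str                      # framework control this check evidences
    applies_to: str                   # resource type the check covers
    predicate: Callable[[dict], bool]  # True when the resource passes
    description: str


# Each check is tagged with the control it gives evidence for (mapping assumed).
CHECKS: List[Check] = [
    Check("SC-28", "storage", lambda r: r.get("encrypted") is True,
          "storage is encrypted at rest"),
    Check("AC-3", "storage", lambda r: r.get("public_read") is False,
          "storage is not world-readable"),
    Check("SC-7", "security_group",
          lambda r: not any(rule["cidr"] == "0.0.0.0/0" and rule["port"] == 22
                            for rule in r.get("ingress", [])),
          "no SSH exposed to the whole internet"),
    Check("IA-2", "user", lambda r: r.get("mfa") is True,
          "user has MFA enabled"),
]


def evaluate(inventory: List[dict]) -> List[dict]:
    """Run every applicable check against every resource; return one finding each."""
    findings = []
    for res in inventory:
        for chk in CHECKS:
            if chk.applies_to != res["type"]:
                continue
            findings.append({
                "id": res["id"], "type": res["type"],
                "cohort": res.get("cohort", res["id"]),   # standalone resources are their own cohort
                "control": chk.control, "passed": bool(chk.predicate(res)),
                "description": chk.description,
            })
    return findings


def failures(findings: List[dict]) -> List[dict]:
    return [f for f in findings if not f["passed"]]


def by_cohort(findings: List[dict]) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Cohort analysis: collapse identical-role resources (e.g. members of one
    autoscaling group) into (passed, total) counts per cohort and control."""
    out: Dict[str, Dict[str, Tuple[int, int]]] = {}
    for f in findings:
        passed, total = out.setdefault(f["cohort"], {}).get(f["control"], (0, 0))
        out[f["cohort"]][f["control"]] = (passed + int(f["passed"]), total + 1)
    return out


def diff_snapshots(old: List[dict], new: List[dict]) -> Dict[str, List[str]]:
    """Change detection: which (resource, control) pairs regressed, were fixed,
    or appeared already failing between two evaluation runs."""
    key = lambda f: f"{f['id']}:{f['control']}"
    old_state = {key(f): f["passed"] for f in old}
    new_state = {key(f): f["passed"] for f in new}
    return {
        "regressed": sorted(k for k, ok in new_state.items() if not ok and old_state.get(k) is True),
        "fixed": sorted(k for k, ok in new_state.items() if ok and old_state.get(k) is False),
        "new_failures": sorted(k for k, ok in new_state.items() if not ok and k not in old_state),
    }


# Constructed inventory snapshots standing in for what a cloud API would return.
BASELINE = [
    {"id": "bucket-logs", "type": "storage", "encrypted": True, "public_read": False},
    {"id": "web-1", "type": "security_group", "cohort": "web-asg", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"id": "web-2", "type": "security_group", "cohort": "web-asg", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"id": "alice", "type": "user", "mfa": True},
]
# Later snapshot: the bucket was made public, SSH was opened on one web node, a new user lacks MFA.
LATER = [
    {"id": "bucket-logs", "type": "storage", "encrypted": True, "public_read": True},
    {"id": "web-1", "type": "security_group", "cohort": "web-asg",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "0.0.0.0/0", "port": 22}]},
    {"id": "web-2", "type": "security_group", "cohort": "web-asg", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"id": "alice", "type": "user", "mfa": True},
    {"id": "bob", "type": "user", "mfa": False},
]

if __name__ == "__main__":
    base, later = evaluate(BASELINE), evaluate(LATER)
    print("baseline failures:", len(failures(base)))
    for f in failures(later):
        print(f"FAIL {f['control']:6} {f['id']:12} {f['description']}")
    print("cohort view (web-asg):", by_cohort(later)["web-asg"])
    print("drift since baseline:", diff_snapshots(base, later))
```

Run on a schedule (or on every change event from the provider's audit log) and the `diff_snapshots` output is the alert stream: a regression names the exact resource and control that drifted, which is the "immediate action" the article asks for, and the cohort view keeps a hundred identical web nodes from producing a hundred identical findings.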

The dynamic nature of the cloud can no longer be audited with a clipboard and an eager team of investigators.

Organizations that aren't using automation as part of their compliance posture have only limited visibility and put their businesses at significant risk. With an effective multicloud strategy that combines compliance with automation, organizations can cover and protect the resources under their responsibility.

Sanjay Kalra is Co-Founder and Chief Strategy Officer at Lacework and leads the company's overall strategy for innovation, business development, channel, strategic partnerships and customer success. Kalra has 20 years of experience in cloud, networking, analytics and security.
