12/7/2018
09:35 AM
Sanjay Kalra
Cloud, Compliance & the Death of the IT Checklist

For years, IT could rely on various checklists to ensure that systems and infrastructure were in compliance with various government regulations. The cloud has upended that structure, and a new, more automated approach is now needed.

For years, compliance frameworks have provided guidelines for effective and secure operations. For instance, there is the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and PCI for credit card transactions.

Each is written as a set of controls, and the controls correspond to the infrastructure settings and policies that an organization must follow. In addition, these frameworks are organized much like a checklist: IT develops policies that define how the controls will function, and then admins need evidence that the business has actually implemented those policies.

The cloud, however, presents new problems for these neat checklists that we have spent years developing.

The cloud is essentially stateless and never really "built" in the same way that traditional IT infrastructure is constructed. A checklist approach can't provide an adequate or meaningful assessment of adherence to compliance requirements. It's an environment that is changing continuously, so your compliance also needs to be monitored continuously.

(Source: iStock)

Scaling to meet demand and remain compliant
Cloud adoption continues at a rapid pace, partly because its inherent flexibility and scalability translate into an economic advantage. But as cloud customers struggle to understand how to apply a new way of securing their users and workloads, they are also learning how to apply an effective compliance model to their cloud environments.

At issue for any organization is the scale and demands of compliance frameworks.

These frameworks attempt to provide structure across the entirety of the IT infrastructure, but it's simply overwhelming for any organization.

Consider that the NIST 800-53 spec comprises more than 2,000 separate requirements. Each requirement corresponds to some aspect of an organization's infrastructure that, if not met, could create a security vulnerability. It could also render the organization non-compliant, which could prevent it from operating with partners and customers. Non-compliance also comes with a hefty price tag: In 2017, HIPAA fines totaled more than $20 million, with individual organizations like the Children's Medical Center of Dallas being fined $3.2 million for failing to act in a timely manner on known security risks.

Clearly, the issues surrounding compliance are complex, in part because the nature of the environment is ephemeral; compliance, as a discipline, tends to like things that are more binary in nature. Change is core to every advantage the organization receives with the cloud, but standards are built to address systems that are more static in nature.

Organizationally, this creates stress on already overworked teams that struggle to maintain awareness and make the necessary fixes. Even FedRAMP, which was designed for the cloud, demands significant time and resources to maintain oversight. Understaffed security teams just don't have proper visibility into what's deployed in cloud environments, who accesses it, how often it changes and who makes the changes.

Complexity is the mother of automation
But when we're operating in the cloud, we're not just talking about thousands of rules.

The numbers become exponential because each of those rules is affected every time a new API connection is made, a user is added (or removed) or a new repository is spun up. And these are only some of the examples of issues that are happening without much governance. The cloud is transparent and administration is widely delegated, so there's really no centralizing checklist by which a compliance team is able to keep tabs.

Overlooking parts of the compliance framework becomes, in effect, part of a strategy that leans heavily on hoping and praying.

Every item in a framework requires attention, but in the cloud it needs an always-on level of scrutiny. Humans alone cannot provide the level of insight and analysis required, so the first thing organizations need is an automated way to perform compliance checks.

Automation, coupled with a continuous approach, gives organizations coverage over each requirement in a governance framework. Tools can be deployed to specifically seek those things that need monitoring, and they can be checked against whether or not they pass the test of compliance.

Automated, continuous monitoring is the most sensible path for compliance management; it's imperative for companies that must demonstrate an effort towards compliance. Using this type of strategy, an organization applies a proactive approach to identifying and measuring risk, but does so on an ongoing basis rather than through scheduled, periodic assessments. It provides security and governance teams with data about deployed services and security controls, and how effective they are.

A continuous approach
What's most important is clarity and the ability to take immediate action when risk is present. Organizations need to skip the checklist and instead rely on a broader perspective where they can do the following things in an automated way:

  • Insight: Compliance frameworks are written with specificity in mind. Security teams need to apply tools that identify and deliver insights about the specifics of those frameworks across applications, processes, workloads, virtual machines, containers, users, storage repositories, and everything else occurring within their cloud environment.
  • Scale: The happy problem for most organizations is that, as they grow, their footprint increases. That results in more activity and more potential for compliance controls to be compromised. Any effort they put into the task must be built to scale; otherwise, the work of managing compliance will grow beyond their ability to handle it.
  • Cohort analysis: At scale, a cloud infrastructure can have hundreds of discrete entities performing exactly the same task. Load balancers, for example, might send tasks to multiple identical servers to reduce latency and enhance the user experience. By aggregating similar entities, a team is able to identify the true structure of its cloud implementation.
  • Baseline: Part of automation is knowing what is and isn't acceptable behavior in the eyes of the framework. Use that baseline within your monitoring so anomalies are detected based on their deviation from it.
  • Change detection: Once a policy has been updated, the update also needs to be codified in the monitoring. Change detection lets you record each change to the environment and compare it against that codified policy.

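The capabilities listed above (control evaluation, cohort analysis, a baseline and change detection) can be illustrated with a small continuous-compliance evaluator. The following Python is an added example written for this page, not code from the article or from any product; the control identifiers, resource shapes and inventory snapshots are all constructed for illustration and do not map to any real framework's control numbers.

```python
"""Continuous, automated compliance evaluation over cloud inventory snapshots.

Added example (not from the article): evaluates constructed resource
snapshots against a small set of hypothetical controls, collapses identical
resources into cohorts, treats the first snapshot as the baseline, and
reports configuration changes and compliance drift in a later snapshot.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Control:
    control_id: str          # hypothetical id, not a real framework reference
    resource_type: str
    description: str
    passes: Callable[[dict], bool]


# Hypothetical controls; each predicate inspects a resource's "config" dict.
CONTROLS: List[Control] = [
    Control("CTRL-STORAGE-01", "bucket", "Storage is not publicly readable",
            lambda r: not r["config"].get("public_read", False)),
    Control("CTRL-STORAGE-02", "bucket", "Storage is encrypted at rest",
            lambda r: r["config"].get("encryption") == "aes256"),
    Control("CTRL-NET-01", "vm", "No administrative port open to the world",
            lambda r: not ({22, 3389} & set(r["config"].get("open_ports", [])))),
    Control("CTRL-IAM-01", "user", "Console users have MFA enabled",
            lambda r: r["config"].get("mfa", False)),
]


def cohort_key(resource: dict) -> str:
    """Identical resources (same type and configuration) share a cohort key."""
    canonical = json.dumps({"type": resource["type"], "config": resource["config"]},
                           sort_keys=True)
    return resource["type"] + ":" + hashlib.sha256(canonical.encode()).hexdigest()[:12]


def evaluate(snapshot: List[dict]) -> Dict[str, dict]:
    """Run every applicable control against every resource.
    Returns a dict keyed by cohort with its members and the controls it fails,
    so a hundred identical servers produce one finding instead of a hundred."""
    cohorts: Dict[str, dict] = {}
    for r in snapshot:
        entry = cohorts.setdefault(cohort_key(r),
                                   {"type": r["type"], "members": [], "failed": set()})
        entry["members"].append(r["id"])
        for c in CONTROLS:
            if c.resource_type == r["type"] and not c.passes(r):
                entry["failed"].add(c.control_id)
    return cohorts


def failing_resources(snapshot: List[dict]):
    """Flat view: sorted (resource id, control id) pairs for every failure."""
    return sorted((rid, cid) for cohort in evaluate(snapshot).values()
                  for rid in cohort["members"] for cid in cohort["failed"])


def detect_changes(baseline: List[dict], current: List[dict]) -> dict:
    """Change detection: resources added, removed or reconfigured since the
    baseline, plus compliance drift (new failures and resolved failures)."""
    before = {r["id"]: r for r in baseline}
    after = {r["id"]: r for r in current}
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(rid for rid in set(before) & set(after)
                      if before[rid]["config"] != after[rid]["config"])
    base_fail = set(failing_resources(baseline))
    cur_fail = set(failing_resources(current))
    return {"added": added, "removed": removed, "modified": modified,
            "new_failures": sorted(cur_fail - base_fail),
            "resolved": sorted(base_fail - cur_fail)}


# Constructed inventory: the first snapshot is the approved baseline.
SNAPSHOT_T0 = [
    {"id": "web-1", "type": "vm", "config": {"open_ports": [443]}},
    {"id": "web-2", "type": "vm", "config": {"open_ports": [443]}},
    {"id": "web-3", "type": "vm", "config": {"open_ports": [443]}},
    {"id": "logs", "type": "bucket", "config": {"public_read": False, "encryption": "aes256"}},
    {"id": "alice", "type": "user", "config": {"mfa": True}},
]
# Later constructed snapshot: one VM reconfigured, a new public unencrypted
# bucket, and a new user without MFA, all done without going through a checklist.
SNAPSHOT_T1 = [
    {"id": "web-1", "type": "vm", "config": {"open_ports": [443]}},
    {"id": "web-2", "type": "vm", "config": {"open_ports": [443, 22]}},
    {"id": "web-3", "type": "vm", "config": {"open_ports": [443]}},
    {"id": "logs", "type": "bucket", "config": {"public_read": False, "encryption": "aes256"}},
    {"id": "exports", "type": "bucket", "config": {"public_read": True, "encryption": "none"}},
    {"id": "alice", "type": "user", "config": {"mfa": True}},
    {"id": "bob", "type": "user", "config": {"mfa": False}},
]

if __name__ == "__main__":
    print(json.dumps(detect_changes(SNAPSHOT_T0, SNAPSHOT_T1), indent=2))
```

Run as a script, it prints the drift report for the second snapshot: two added resources, one modified VM, and four new failures across three resources, with nothing resolved. In practice the snapshots would come from the cloud provider's inventory API on a schedule, the controls would be the organization's codified policy, and the drift report is what a team acts on instead of a periodic checklist.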
The dynamic nature of the cloud can no longer work with a clipboard and an eager team of investigators.

Organizations that aren't using automation as part of their compliance posture have only limited visibility and put their businesses at great potential risk. With an effective multicloud strategy that uses compliance and automation, organizations can cover and protect the resources under their responsibility.

Sanjay Kalra is Co-Founder and Chief Strategy Officer at Lacework and leads the company's overall strategy for innovation, business development, channel, strategic partnerships and customer success. Kalra has 20 years of experience in cloud, networking, analytics and security.
