Tuesday, May 21, 2019

How Are You Tackling Cloud Compliance?

How to Ensure Compliance Speed Bumps Don’t Slow Your Public Cloud Adoption


In the race to the cloud, I’ve noticed a disturbing trend. Daily, I speak to organizations that have moved production workloads over to cloud IaaS providers but haven’t yet addressed how they will manage, measure and report on regulatory compliance controls. Amid all the concerns over whether public clouds are secure, some organizations missed a critical question:

Can we demonstrate compliance without overworking our teams in the process?


It’s not surprising that it has taken an impending PCI or SOC 2 audit for SecOps and risk and compliance teams to have a reckoning about how they will measure the compliance of their cloud infrastructure. Never have so many people in an organization had the power to make changes to the infrastructure that could potentially go unchecked. To further complicate matters, traditional tools that help with compliance in the data center cannot be used in the API-centric world of the cloud. Without tools designed for the cloud, teams are forced to navigate tedious, manual processes to produce evidence of technical compliance controls across the dynamic and fast-changing cloud infrastructure. Sure, you can prove that at some point you passed the controls, but what was the situation 24 hours before or two weeks after? Point-in-time compliance just doesn’t cut it anymore.

With stories of cyber risk, cybercrime, hackers and breaches topping our news feeds each day, organizations need to be able to demonstrate an ongoing practice of managing security. Just as DevOps teams have adopted “continuous delivery” and “continuous innovation” and made them a part of the everyday IT language, “continuous security” and “continuous compliance” need to be just as frequent discussion topics.



The good news is, unlike managing compliance in traditional data centers, modern infrastructure gives us a path to addressing security and compliance programmatically and automatically. The APIs we now have available enable a whole new era of security automation. Using the APIs, you can access metadata about your infrastructure and continuously monitor and measure whether the changes that take place are introducing new risks into your environment. The introduction of new technologies specifically designed to help streamline and automate the process of security assessment and remediation for the cloud has advanced how organizations manage their security posture and compliance processes.
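The gap between a point-in-time check and continuous measurement, as an added example that is not part of the original post: it replays configuration-change events and reports every interval in which a control failed, alongside what a single audit snapshot would see. The event shape, resource names, dates and the two controls are constructed for illustration and do not come from any provider's API.

```python
from datetime import datetime

# Constructed change events, shaped like what a cloud configuration API might
# return: (timestamp, resource id, resource configuration after the change).
EVENTS = [
    ("2019-05-01T09:00", "bucket/reports", {"type": "bucket", "public": False}),
    ("2019-05-03T14:00", "sg/web", {"type": "sg", "ingress": [("0.0.0.0/0", 443)]}),
    ("2019-05-06T11:30", "sg/web", {"type": "sg", "ingress": [("0.0.0.0/0", 443), ("0.0.0.0/0", 22)]}),
    ("2019-05-09T08:15", "sg/web", {"type": "sg", "ingress": [("0.0.0.0/0", 443)]}),
    ("2019-05-10T16:00", "bucket/reports", {"type": "bucket", "public": True}),
    ("2019-05-10T18:45", "bucket/reports", {"type": "bucket", "public": False}),
]

# Hypothetical controls: each returns True when the configuration violates it.
CONTROLS = {
    "no-public-bucket": lambda c: c["type"] == "bucket" and c["public"],
    "no-open-ssh": lambda c: c["type"] == "sg" and ("0.0.0.0/0", 22) in c["ingress"],
}

def ts(s):
    return datetime.fromisoformat(s)

def point_in_time(events, at):
    """Violations visible to a single audit snapshot taken at time `at`."""
    latest = {}
    for when, rid, cfg in sorted(events, key=lambda e: e[0]):
        if ts(when) <= ts(at):
            latest[rid] = cfg
    return sorted((name, rid) for rid, cfg in latest.items()
                  for name, bad in CONTROLS.items() if bad(cfg))

def violation_windows(events, until):
    """Every interval (control, resource, start, end) in which a control failed."""
    open_since, windows = {}, []
    for when, rid, cfg in sorted(events, key=lambda e: e[0]):
        for name, bad in CONTROLS.items():
            key = (name, rid)
            if bad(cfg):
                open_since.setdefault(key, when)
            elif key in open_since:
                windows.append((*key, open_since.pop(key), when))
    # Anything still failing at the end of the period stays open until `until`.
    windows += [(*key, start, until) for key, start in open_since.items()]
    return sorted(windows, key=lambda w: w[2])

if __name__ == "__main__":
    print("audit snapshot:", point_in_time(EVENTS, "2019-05-21T00:00"))
    for control, rid, start, end in violation_windows(EVENTS, "2019-05-21T00:00"):
        print(f"{control} failed on {rid} for {ts(end) - ts(start)}")
```

The audit-day snapshot comes back empty, while the replay shows SSH open to the internet for almost three days and a bucket public for nearly three hours earlier in the period.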

Using Automation to Manage Compliance


For DevOps teams, using automation to manage security means they can also manage compliance throughout the entire development lifecycle, rather than building up a backlog of compliance debt that requires remediation before delivery. The cloud has also allowed DevOps to codify both security and compliance, which helps to reduce risk by ensuring best practices are followed, and changes to infrastructure and the cloud environment adhere to their organization’s security policies.

Automation of compliance also enables teams to streamline the process of documenting and certifying the accounts, services and workloads in the cloud when the auditors come knocking. This automation can help you create an abstraction layer to protect your operations and development teams from disruption and distraction, which can also have a significant negative impact on your timelines and bottom line. With the right cloud security tools in place, you can provide auditors read-only access to compliance reports as needed, eliminating the need for team members to be in the middle of those requests.

So, while your senior management may question whether a cloud provider is FISMA-, HIPAA- or PCI-compliant, you need to raise one more issue: how will your organization demonstrate compliance running in one or more public clouds? You need assurance that you will get executive support to add new tools to your arsenal that will help your team manage, assess and report on security and compliance without stopping innovation and creating detrimental workloads for your development and operations teams.

While I’m excited about the potential innovations the public cloud presents us all, I can’t help but wonder what next year’s audits will mean for the teams that have yet to address compliance automation for their cloud environments.

Friday, April 12, 2019

Simplifying Your Multi-Cloud Security Strategy


Simplicity is key when it comes to solving most challenges and we couldn’t agree more with Mr. Einstein. However, when it comes to simplifying your multi-cloud security strategy there are three things to keep in mind:


  1. Visibility
  2. Reducing cloud vendor lock-in
  3. Streamlining alerts and tools


Visibility


Each of the cloud vendors is rapidly maturing its native security services within its platform. However, when it comes to anything outside their ecosystem, they have little incentive to provide the visibility your organization requires with a multi-cloud strategy. Look for security tools that are provider agnostic and support, at a minimum, Google, AWS and Azure clouds (you may even want to add Alibaba into that mix if you have a heavy Asia presence).

Reducing Cloud Vendor Lock-in


What’s the one thing all of the cloud providers want most? To keep you squarely on their platform. However, when it comes to cloud security, teams must take the long view: while today Azure might be your de facto cloud platform, research shows that Google Cloud (GCP) is likely in your future (and is likely already in your environment, but that’s a topic for another post). This is why we recommend engaging with security providers whose best financial interests are not with a single cloud but rather in the most diverse set of providers.

Streamlining Alerts and Tools


Your SOC is already dealing with alert fatigue, so don’t add to their stress. When conducting your cloud risk assessment, ensure that requirements for integrated security platforms are included. Your SOC team should have a single platform for starting investigations of any cloud-based incident. If your team is relying mainly upon the native cloud provider tools or is attempting to build their own with open source or SIEM tools, stop! They will likely spend more time customizing these tools for the near-weekly changes cloud providers make rather than focusing on reducing risk and enabling the business to quickly consume new cloud features.

Key Takeaways


When looking to simplify your multi-cloud security strategy, it is critical that security executives and their teams keep visibility, reducing cloud vendor lock-in, and streamlining alerts and tools in clear focus. This is where cloud-agnostic security tools such as RedLock by Palo Alto Networks can help. RedLock provides a single location where security teams can gain visibility across Google, Azure and AWS while freeing these teams from the care and feeding of homegrown, open source or native cloud provider tools.