How to Ensure Compliance Speed Bumps Don’t Slow Your Public Cloud Adoption
In the race to the cloud, I’ve noticed a disturbing trend. Daily, I speak to organizations that have moved production workloads over to cloud IaaS providers but haven’t yet addressed how they will manage, measure and report on regulatory compliance controls. Amid all the concerns over whether public clouds are secure, some organizations missed a critical question:
Can we demonstrate compliance without overworking our teams in the process?
It’s not surprising that it has taken an impending PCI or SOC 2 audit for SecOps and risk and compliance teams to have a reckoning about how they will measure the compliance of their cloud infrastructure. Never have so many people in an organization had the power to make changes to the infrastructure that could potentially go unchecked. To further complicate matters, traditional tools that help with compliance in the data center cannot be used in the API-centric world of the cloud. Without tools designed for the cloud, teams are forced to navigate tedious, manual processes to produce evidence of technical compliance controls across the dynamic and fast-changing cloud infrastructure. Sure, you can prove that at some point you passed the controls, but what was the situation 24 hours before or two weeks after? Point-in-time compliance just doesn’t cut it anymore.
With stories of cyber risk, cybercrime, hackers and breaches topping our news feeds each day, organizations need to be able to demonstrate an ongoing practice of managing security. Just as DevOps teams have adopted “continuous delivery” and “continuous innovation” and made them a part of the everyday IT language, “continuous security” and “continuous compliance” need to be just as frequent discussion topics.
The good news is, unlike managing compliance in traditional data centers, modern infrastructure gives us a path to addressing security and compliance programmatically and automatically. The APIs we now have available enable a whole new era of security automation. Using the APIs, you can access metadata about your infrastructure and continuously monitor and measure whether the changes that take place are introducing new risks into your environment. The introduction of new technologies specifically designed to help streamline and automate the process of security assessment and remediation for the cloud have advanced how organizations manage their security posture and compliance processes.
Using Automation to Manage Compliance
For DevOps teams, using automation to manage security means they can also manage compliance throughout the entire development lifecycle, rather than building up a backlog of compliance debt that requires remediation before delivery. The cloud has also allowed DevOps to codify both security and compliance, which helps to reduce risk by ensuring best practices are followed, and changes to infrastructure and the cloud environment adhere to their organization’s security policies.
Automation of compliance also enables teams to streamline the process of documenting and certifying the accounts, services and workloads in the cloud when the auditors come knocking. This automation can help you create an abstraction layer to protect your operations and development teams from disruption and distraction, which can also have a significant negative impact on your timelines and bottom line. With the right cloud security tools in place, you can provide auditors read-only access to compliance reports as needed, eliminating the need for team members to be in the middle of those requests.
So, while your senior management may question whether a cloud provider is FISMA-, HIPAA- or PCI-compliant, you need to raise one more issue: how will your organization demonstrate compliance running in one or more public clouds? You need to have an assurance that you will get executive support to add new tools to your arsenal that will help your team manage, assess and report on security and compliance without stopping innovation and creating detrimental workloads for your development and operations teams.
While I’m excited about the potential innovations the public cloud presents us all, I can’t help but wonder what next year’s audits will mean for the teams that have yet to address compliance automation for their cloud environments.
