Managing Cloud Compliance and Security Posture
Why compliance and access security in the public cloud are so challenging – and how carefully chosen CSPM tools can help
Security and compliance practitioners in organizations running workloads in the public cloud face many challenges in managing compliance. Advanced Cloud Security Posture Management (CSPM) tools can help provide visibility, monitoring and auditing capabilities based on policies, all in an automated manner. In this post, we’ll look at compliance and access security challenges in the cloud and how to find the optimal CSPM tool for your use.
The Challenges of Compliance in the Cloud
The cloud has made applications and data more accessible for users and customers but, for the professionals doing the heavy lifting, it has made work more complex. From DevOps engineers developing and maintaining cloud environments, to developers pushing code to production without visibility, all the way to security teams who need to protect a distributed architecture with thousands of assets and digital identities, the cloud has posed new challenges.
This is also the case for compliance officers. Being responsible for compliance requires great attention to detail, a focus on process and a strong understanding of regulations and guidelines.
In the cloud, meeting these compliance requirements has become harder because cloud environments are very complex. They are made up of thousands of components and services that are globally dispersed and interconnected in diverse ways. The architecture itself is seldom entirely visible and is ever changing, making it even more laborious to identify compliance issues like misconfigurations or poor access management.
In addition, being able to identify and alert about regulatory issues requires an understanding of how these convoluted cloud technologies were developed and how they perform. This skill set is lacking in the job market today, making it hard for compliance officers to get the training, assistance and support they need when running audits, or reviewing processes and procedures.
For example, in a recent lawsuit cryptocurrency company StakeHound claimed that Fireblocks, a developer of cross-enterprise asset transfer infrastructure, was negligent in causing ~$75 million of lost crypto assets. The crypto company accused Fireblocks of not properly backing up private keys for digital wallets. In turn, the infrastructure developer claimed the keys were not properly backed up by a third-party as instructed. Data backup is a compliance requirement yet backups in the cloud differ from on-prem backups. In this case, the result was a severe financial loss and probably more repercussions to the entities involved.
The main challenge for compliance officers may in fact lie with the regulating bodies. Many compliance regulations were initially designed for on-premises environments. SOC 2, for example, began its history in the 1970s and was updated in the decades thereafter. Explaining the differences between cloud and on-premises to regulators is not easy due to the complexity of cloud infrastructure and the lack of technological know-how among some compliance officers. Above all, the industry lacks sufficient alternatives: there are not enough tools that can demonstrate how a cloud organization is being compliant. Which brings us to the next point.
The on-premises compliance ecosystem is brimming with professionals, platforms, consultation services and online resources designed to help businesses and compliance officers navigate the hefty requirements. For the cloud, resources are not nearly so abundant. CSPM (Cloud Security Posture Management) and other solutions, such as compliance tooling for Kubernetes environments, are being developed to address this gap, but their market penetration is still limited. This is expected to change since the cloud is still fairly new. But regulators and auditors won’t wait until then, and compliance officers and professionals need to find another way to get help, today.
Finally, in the cloud, credentials are the number one attack vector. Therefore, identity and access management (IAM) security needs to be addressed by compliance professionals when searching for regulation breaches and demonstrating compliance. But securing access and permissions, let alone reporting on them for audits, is not easy – which highlights the importance of navigating cloud security posture with deep discovery of identities and access. Sidestepping identity- and access-based risk will give a false view of your cloud security posture and true compliance status.
It Wasn’t That Easy Before the Cloud
Let’s be honest, being compliant even before the cloud was not easy, either. Compliance regulations are not a step-by-step plan. Rather, they describe an ideal end-state, and it’s up to the business and the auditors to figure out how to demonstrate compliance.
In addition, compliance officers don’t always have a seat at the table and are often left out of strategic discussions on business decisions that affect compliance. As a result, they are left to execute with little influence.
These challenges do not disappear with cloud architecture. If anything, they are intensified due to the complexities described above.
Finding Solutions for Compliance
The burden of compliance falls on the shoulders of compliance officers and stakeholders. What can they do?
Tip #1: Get Guidance and Help From External Consultants
1+1=3. Get assistance from experts who have been around the block in building practical steps for demonstrating cloud compliance. Start at the drawing board, identifying what needs to be audited, proceed to how and then end with the actual audit and analysis of results.
Tip #2: Get the Organization on Board
You may be in charge of compliance but being compliant is in the organization’s best interests. Legal and monetary ramifications could affect IPOs, M&As and the bottom line. Evangelize internally with leadership, security and engineering. Train them in compliance requirements so they can help you identify potential regulatory pitfalls and how to close the gap.
Tip #3: Find Technological Tools That Can Help
We used to rage against the machine. Now we need machines to take away the tasks we hate so we’re free for more quality work. A CSPM tool uses automation and templates to identify how the cloud environment is implementing policies that correlate with compliance regulations. Some tools can also auto-remediate in case of deviations and help the organization immediately improve its compliance posture. The bottom line: a good CSPM tool can make compliance easier.
CSPM and Beyond: How to Find the Right Tool
A high quality CSPM tool can relieve a lot of the compliance-related work from you while hardening the organization’s compliance with all relevant industry regulations. An ideal solution will encompass the following capabilities:
- Broad and Relevant Regulation Scope - Covers a broad range of security best practices, and leading industry and compliance standards. These include CIS, GDPR, HIPAA, ISO, NIST, PCI, SOC 2, CIS for Kubernetes and others. Make sure the regulations you need are included in the platform’s provided templates and policies.
- Compliance-Cloud Correlation - Maps each standard to specific cloud configuration, cloud security and cloud activity policies while providing a clear inventory of compliance status per asset/account. For example, a publicly exposed Lambda function might be breaching CSA, ISO, NIST and other compliance regulations and guidelines.
- Continuous Monitoring - Constantly checks the entire environment against the policies to ensure compliance, and identify deviations and anomalies. The status of compliance should be visible to you and any stakeholder at any given point and without waiting for strenuous compliance audits.
- Customization - Lets you create proprietary standards and policies on top of government regulations.
- Audit Reports - Helps you demonstrate compliance to auditors through visibility and flexible reporting for all organizational levels (e.g., entire organizations, specific accounts, specific projects), allowing you to generate compliance reports for internal and external auditors. Ideally, your CSPM solution is one that auditors know and trust.
- Automation - Monitors, identifies, alerts and auto-remediates misconfigurations. Compliance teams are often strapped for resources and automation can help them focus.
- Identity-related and access management related detection - Includes monitoring and remediation of access management guidelines, with permissions-related monitoring, for the public cloud’s unique security needs and as required by various guidelines. This capability is offered by some CSPM vendors.
Compliance Officers Working in Cloud Environments: What’s Next?
Achieving compliance in the cloud starts with translating compliance guidelines to the reality of cloud architecture. Understanding which cloud assets you have, the types of vulnerabilities they’re susceptible to and how these are related to auditing guidelines is essential for enabling the ongoing compliance work of monitoring, reporting and fixing. Once you have that mapping, you can proceed to automated monitoring based on compliance or customized policies. Finally, you can generate an automated report that helps demonstrate your compliance to auditors.
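To make the mapping, monitoring and reporting steps above concrete, here is a small policy engine written as an added example (not code from any CSPM product): a constructed asset inventory is evaluated against checks that are each tagged with the frameworks they are assumed to support, giving per-asset findings, a per-framework roll-up for auditors, and the list of deviations to alert on or remediate. Resource attributes, policy IDs and the framework mappings are illustrative assumptions, not authoritative control numbers.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample inventory (not a real account). Each asset holds the attributes a
# posture scanner would normally collect from the cloud provider's APIs.
INVENTORY = [
    {"id": "fn-orders", "type": "lambda", "account": "111", "public_invoke": True},
    {"id": "fn-billing", "type": "lambda", "account": "111", "public_invoke": False},
    {"id": "bkt-logs", "type": "s3", "account": "222", "public_read": True, "encrypted": False},
    {"id": "deploy-bot", "type": "iam_user", "account": "222", "actions": ["*"], "mfa": False},
]

@dataclass
class Policy:
    id: str
    description: str
    resource_type: str
    standards: list                      # frameworks this control is assumed to map to
    is_compliant: Callable[[dict], bool]  # returns True when the asset satisfies the control

# Policy catalogue: the compliance-cloud correlation step. Mappings are illustrative.
POLICIES = [
    Policy("LAMBDA-PUBLIC", "Function must not be publicly invokable", "lambda",
           ["CIS", "ISO 27001", "NIST"], lambda a: not a["public_invoke"]),
    Policy("S3-PUBLIC", "Bucket must not allow public read", "s3",
           ["CIS", "PCI DSS", "SOC 2"], lambda a: not a["public_read"]),
    Policy("S3-ENCRYPT", "Bucket must be encrypted at rest", "s3",
           ["HIPAA", "PCI DSS"], lambda a: a["encrypted"]),
    Policy("IAM-WILDCARD", "Principal must not hold wildcard permissions", "iam_user",
           ["CIS", "SOC 2"], lambda a: "*" not in a["actions"]),
    Policy("IAM-MFA", "User must have MFA enabled", "iam_user",
           ["CIS", "PCI DSS"], lambda a: a["mfa"]),
]

def evaluate(inventory, policies):
    """Continuous-monitoring step: one finding per (asset, applicable policy) as audit evidence."""
    return [{"asset": a["id"], "account": a["account"], "policy": p.id,
             "standards": p.standards, "compliant": p.is_compliant(a)}
            for a in inventory for p in policies if p.resource_type == a["type"]]

def compliance_by_standard(findings):
    """Audit-report step: per framework, (checks passed, checks evaluated) so coverage is visible."""
    summary = {}
    for f in findings:
        for std in f["standards"]:
            passed, total = summary.get(std, (0, 0))
            summary[std] = (passed + int(f["compliant"]), total + 1)
    return summary

def failing_assets(findings, account=None):
    """Deviations to alert on or auto-remediate, optionally scoped to a single account."""
    return sorted({f["asset"] for f in findings
                   if not f["compliant"] and (account is None or f["account"] == account)})
```

In a real deployment the inventory would be refreshed from the provider's APIs on a schedule so that the summary reflects the current posture rather than a point-in-time audit.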
Platforms exist today that combine robust CSPM and other capabilities for automating these processes, bridging the technological and manual gaps that come with compliance audits – and preventing cloud data breaches that would adversely impact compliance and the entire organization. These will free you up to focus on higher quality work like investigation, guiding the process and internal evangelism.