The challenges of compliance in the cloud

The cloud has made applications and data more accessible for users and customers but, for the professionals doing the heavy lifting, the cloud has made work more complex. From DevOps who are developing and maintaining cloud environments, to developers pushing code to production without visibility and all the way to security people who need to protect a distributed architecture with thousands of assets and digital identities, the cloud has created new challenges.

This is also the case for compliance officers. Being responsible for compliance requires great attention to detail, a focus on process and an in-depth understanding of regulations and guidelines.

In the cloud, meeting these compliance requirements has become harder because cloud environments are very complex and made up of thousands of components and services that are globally dispersed and interconnected in diverse ways. The architecture itself is seldom entirely visible and is ever changing, making it even more laborious to identify compliance issues such as misconfigurations or poor access management.

In addition, being able to identify and alert about regulatory issues requires an understanding of how these convoluted cloud technologies were developed and how they perform. This skillset is lacking in today’s job market, making it hard for compliance officers to get the training, assistance and support they need when running audits, or reviewing processes and procedures.

The main challenge for compliance officers may, in fact, lie with the regulating bodies. Many compliance regulations were initially designed for on-premises environments. SOC 2, for example, began its history in the 1970s and was updated in the decades thereafter. Explaining the differences between cloud and on-premises to regulators is difficult due to the complexity of cloud infrastructure and lack of technological know-how by some compliance officers. Above all, the industry has no sufficient alternatives: there are not enough tools that can demonstrate how a cloud organisation is being compliant. Which brings us to the next point.

The on-premises compliance ecosystem is brimming with professionals, platforms, consultation services and online resources designed to help businesses and compliance officers navigate through the hefty requirements. But for the cloud, the number and scope of resources are not so abundant. 

CSPM (Cloud Security Posture Management) and other solutions, such as compliance for Kubernetes environments, are being developed to address this gap, but their market penetration is far and few. This is expected to change since the cloud is still relatively new. But regulators and auditors won’t wait until then, and compliance officers and professionals need to find another way to get help, today.

Finally, in the cloud, credentials are the number one attack vector so identity and access management (IAM) security needs to be addressed by compliance professionals when searching for regulation breaches and demonstrating compliance. But securing access and permissions, let alone reporting on it for audits, is not easy – and highlights the importance of navigating cloud security posture with deep discovery of identities and access. (Check out our recent blog on Navigating cloud security). Sidestepping understanding identity and access-based risk will provide a false view of your cloud security posture and true compliance status.

It wasn’t that easy before the cloud

Let’s be honest, being compliant wasn’t easy even before the cloud. Compliance regulations are not a step-by-step plan. Rather, they describe an ideal end-state, and it’s up to the business and the auditors to figure out how to demonstrate compliance.

In addition, compliance officers don’t always have a seat at the table and are often left out of strategic discussions on business decisions that affect compliance. As a result, they are left to execute with little influence.

These challenges do not disappear with cloud architecture. If anything, they are intensified due to the complexities described above.

Finding solutions for compliance

The burden of compliance falls on the shoulders of compliance officers and stakeholders. Here are our top three tips for what they should do: 

• Tip #1: Get guidance and help from external consultants

Get assistance from experts who have been around the block in building practical steps for demonstrating cloud compliance. Start at the drawing board, identifying what needs to be audited, proceed to how and then end with the actual audit and analysis of results. 

• Tip #2: Get the Organisation on board

You may be in charge of compliance but being compliant is in the organisation’s best interests. Legal and monetary ramifications could affect IPOs, M&As and the bottom line. Evangelise internally with leadership, security and engineering. Train them in compliance requirements so they can help you identify potential regulatory pitfalls and how to close the gap.

• Tip #3: Find technological cloud compliance tools that can help

We used to rage against the machine. Now we need machines to take away the tasks we hate so we’re free for more quality work. So, what is CSPM? A CSPM (Cloud Security Posture Management) tool uses automation and templates to identify how the cloud environment is implementing policies that correlate with compliance regulations. Some tools can also auto-remediate in case of deviations and help the organisation immediately improve its compliance posture. The bottom line: a good CSPM tool can make compliance easier.

CSPM and beyond: How to find the right tool

A high quality CSPM tool can relieve a lot of the compliance-related work from you while hardening the organisation’s compliance with all relevant industry regulations. 

An ideal solution will encompass the following capabilities:

• Broad and relevant regulation scope – Covers a broad range of security best practices, as well as leading industry and compliance standards. These include CIS, GDPR, HIPAA, ISO, NIST, PCI, SOC 2, CIS for Kubernetes and others. Make sure the regulations you need are included in the platform’s provided templates and policies.
• Compliance cloud correlation – Maps each standard to specific cloud configuration, cloud security and cloud activity policies while providing a clear inventory of compliance status per asset/account. 
• Continuous monitoring – Constantly checks the entire environment against the policies to ensure compliance and identify deviations and anomalies. The status of compliance should be visible to you and any stakeholder at any given point and without waiting for strenuous compliance audits. 
• Customisation – Allows you to create proprietary standards and policies on top of government regulations.
• Audit reports – Helps you demonstrate compliance to auditors through visibility and flexible reporting for all organisational levels (e.g., entire organisations, specific accounts, specific projects), allowing to generate compliance reports for internal and external auditors. Ideally, your CSPM solution is one that auditors know and trust.
• Automation – Monitors, identifies, alerts and auto-remediates misconfigurations. compliance teams are often strapped for resources and automation can help them focus.
• Identity-related and access management related detection – Includes monitoring and remediation of access management guidelines, with permissions-related monitoring, for the public cloud’s unique security needs and as required by various guidelines. This capability is offered by some CSPM vendors.

What’s next?

Achieving compliance in the cloud starts with translating compliance guidelines to the reality of cloud architecture. Understanding which cloud assets you have, the types of vulnerabilities they’re susceptible to and how these are related to auditing guidelines is essential for enabling the ongoing compliance work of monitoring, reporting and fixing. Once you have that mapping, you can proceed to automated monitoring based on compliance or customised policies. Finally, you can generate an automated report that helps demonstrate your compliance to auditors.

Platforms exist today that combine robust CSPM and other capabilities for automating these processes, bridging the technological and manual gaps that come with compliance audit – and preventing cloud data breaches that would adversely impact compliance and the entire organisation. These will free you up to focus on higher quality work like investigation, guiding the process and internal evangelism.

Read about Ermetic’s Identity-First Cloud Infrastructure Security solution which combines Cloud Infrastructure Entitlements Management (CIEM) and Cloud Security Posture Management (CSPM) in one unified platform here. You can also find out more about 4Data and Ermetic can help you with your cloud security challenges here or get in touch by email ian.tinney@4datasolutions.com.