Compliance in your cloud environment
CSPs often publish their compliance accreditations and certifications online in the trust center section of their website. It is important that all cloud customers review these capabilities and know their own responsibilities. These obligations vary by CSP and by whether the service consumed is infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS).
In order to meet your security requirements and compliance obligations you must define and implement appropriate technical and administrative controls that map to and satisfy these requirements. For each control, identify the control owner and performer, define how the control should operate and what makes it effective, and lastly define what evidence is needed to show that it is operating effectively. Evidence might be a report generated by a scanner or other tool that automatically interrogates your environment and continuously collects data showing that the controls are running as intended.
Continuous compliance automation
Automation and tooling can help scale compliance efforts and reduce control failures. Security controls in a cloud environment may behave differently than their on-premises analogs, so look for controls that work effectively in your specific CSP environment. Some examples:
- Configuration Management: To ensure your devices are configured correctly, first create a security baseline that defines how a device should be configured. Then choose a scanning tool or application that you can use to scan your environment against this baseline. Some tools can scan against popular standards like the Open Web Application Security Project (OWASP) guidance or the Center for Internet Security (CIS) benchmarks, and include specifics for cloud environments, such as the proper configuration of your CSP account.
- Vulnerability Scanning: When choosing a vulnerability scanning tool, be sure it is compatible with your other deployed technologies. For example, if you use Kubernetes, be sure your scanner recognizes and can scan containers and can audit your Kubernetes deployment for signs of misconfiguration.
- Authorization: Define and enumerate all the roles of your users and operators and what rights they have been granted. Look for over-privileged access across your entire cloud infrastructure. Don't forget to audit your cloud subscription and container management consoles; if an attacker gets access to these, they can wreak havoc on huge sections of your environment.
- Authentication: Audit for identity and access management weaknesses, such as detecting when root access occurs, checking whether multifactor authentication is being used, and enforcing password policies.
- Secrets Management: Ensure appropriate secrets management for your cloud subscription. Consider scanning for secrets in source code and taking advantage of your CSP's key management services and tooling.
- Cloud Service Provider Security Tooling: Most CSPs provide services or utilities specifically intended to help their customers ensure that their own cloud subscription configuration is appropriately secure. In many cases, compliance auditors familiar with CSP offerings will look to see that you are using these extensions because they are often proven most effective for that situation. Make sure you understand these offerings and choose which make the most sense to leverage for your own needs; for example, turning on Microsoft Azure's Security Center or ingesting Amazon Web Services CloudTrail logs into your own security event logging control.
- Cloud-Specific Technologies: Cloud service providers offer a dizzying array of services, and it is important to enroll every one you choose to use into your own compliance program.
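As an added example (not code from the original article), the following Python script shows the control-owner-plus-evidence pattern described above applied to four of the listed checks: MFA coverage, wildcard permissions, root account activity in an audit trail, and hard-coded secrets in source. All inventory, log lines and file contents are constructed sample data, and the control identifiers and owner names are hypothetical.

```python
import re
from dataclasses import dataclass
# Constructed inventory and logs (sample data, not from any real subscription).
USERS = [
    {"name": "alice", "mfa": True, "policies": ["ReadOnly"]},
    {"name": "bob", "mfa": False, "policies": ["AdminFull"]},
]
ROLES = {"ReadOnly": ["storage:Get*"], "AdminFull": ["*"]}
AUDIT_LOG = [
    "2024-05-01T10:00:00Z user=alice action=ConsoleLogin result=Success",
    "2024-05-01T11:30:00Z user=root action=ConsoleLogin result=Success",
]
CODE_FILES = {"app/config.py": 'DB_PASSWORD = "hunter2"\nDEBUG = False\n'}

@dataclass
class Evidence:
    control: str   # hypothetical control identifier from the compliance program
    owner: str     # accountable control owner (hypothetical team name)
    status: str    # "PASS" or "FAIL"
    detail: str    # what the check observed, retained as audit evidence

def check_mfa(users):
    missing = [u["name"] for u in users if not u["mfa"]]
    return Evidence("AUTHN-1", "IAM team", "FAIL" if missing else "PASS",
                    f"users without MFA: {missing}")

def check_overprivileged(users, roles):
    # A role granting the bare wildcard action is treated as over-privileged.
    wide = [u["name"] for u in users
            if any("*" in roles[p] for p in u["policies"])]
    return Evidence("AUTHZ-1", "IAM team", "FAIL" if wide else "PASS",
                    f"users holding wildcard permissions: {wide}")

def check_root_activity(log_lines):
    hits = [line for line in log_lines if re.search(r"\buser=root\b", line)]
    return Evidence("AUTHN-2", "SecOps", "FAIL" if hits else "PASS",
                    f"root account activity: {hits}")

def check_secrets(files):
    # Flags assignments of password/secret/key-like names to string literals.
    pat = re.compile(r"(?i)(password|secret|api_?key)\s*=\s*['\"][^'\"]+['\"]")
    leaks = [name for name, text in files.items() if pat.search(text)]
    return Evidence("SEC-1", "AppSec", "FAIL" if leaks else "PASS",
                    f"hard-coded secrets in: {leaks}")

def run_controls():
    return [check_mfa(USERS), check_overprivileged(USERS, ROLES),
            check_root_activity(AUDIT_LOG), check_secrets(CODE_FILES)]

if __name__ == "__main__":
    for e in run_controls():
        print(f"{e.control:8} {e.status:4} owner={e.owner:9} {e.detail}")
```

Each Evidence record is what an auditor would expect to see per control: who owns it, whether it passed, and the observation that backs the verdict.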
Demonstrating cloud compliance takes time and diligence, especially with the myriad of security and compliance standards that your own organization may be subject to. A solid GRC program will help streamline your audits, and the right tooling and automation will make evidence collection much easier and less prone to errors. Also, look for cloud-aware tooling that you can set up as controls to identify security vulnerabilities and noncompliance. Lastly, it is critically important to understand your dependencies on others and ensure that these dependencies do not introduce unacceptable risks to your own organization.
iTM covers all aspects of cybersecurity, from home cyber security managed solutions to automated, managed threat intelligence, forensic investigations, cloud security best practice and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact us for more information.