5 Elements of Effective Cloud Compliance

As the world adopts cloud-based technologies, whether as a consumer or a business, a number of threats and risks must be addressed in order for cloud adoption and all of its associated benefits to be realized. Cloud compliance can protect us from vulnerabilities that could expose private and protected information while we take advantage of the cloud's benefits.

‍

What exactly is Cloud Compliance?

Cloud compliance is a set of systematic operations that ensure a business is run in a compliant manner while also protecting an organization's resources, whether they are network, compute, or storage. Cloud compliance refers to a wide range of regulations and best practices that organizations are expected to follow when using cloud-based systems and services.

The International Organization for Standardization (ISO) is a well-established entity that defines the majority of cloud-related standard operating procedures and regulations. There are numerous regulations with which an organization must comply. 

The following are some of the most frequently cited:

• FISMA
• HIPAA
• PCI
• DSS
• GDPR
• SoX
• FedRAMP

A foundational layer of compliance that is set to operate in accordance with regulatory and risk management aspects is required for successful cloud adoption. The foundation of such an ecosystem is a collaborative model of technology, process, and people.

Compliance is defined as a set of policies or rules that continuously consume machine state data, analyze risks, and report on vulnerabilities.

Setting up a dedicated organization charged with implementing cloud compliance standards can help to influence the business and engineering communities to adopt best practices for effectively leveraging cloud computing.

‍

Cloud Compliance Framework Elements

A well-rounded cloud compliance framework is comprised of five components:

1. Service evaluation and vulnerability analysis
2. Gathering machine data and events
3. Creating controls and policies
4. Processing machine events in accordance with policies
5. Identifying non-compliance and taking corrective action

The majority of cloud service providers support a mechanism for sharing machine events as a stream or as consumable APIs. Once machine events are available, it is time to apply rules on top to check for compliance. This process must process a large volume of machine events while being time sensitive. It necessitates a high-performance platform that can be relied on to avoid failures or errors in evaluation with up to 99.9999% accuracy, availability, and uptime 24 hours a day, seven days a week.

There are numerous established patterns for dividing and conquering such massive volumes of machine events at high speeds. It is also critical to establish safeguards to ensure that even the most granular change to any cloud resource is considered in the context of its ecosystem, such as account, VPC, and IAM, rather than just the event itself in isolation.

As engineers and product owners begin to use newer cloud-based tools and services, the challenge will be to ensure that they are prepared to implement controls or policies that will allow the engineers to use the tool efficiently and responsibly.

This implies that cloud governance has established a strong relationship and partnership with cloud compliance, cloud providers, regulators, cyber, and audit groups, who can collectively look ahead to a set of new cloud capabilities that can be adopted into the organization while identifying what vulnerabilities it would possess or pose by integrating into existing resources and applications.

The five elements listed below are critical to successfully implementing a holistic cloud compliance strategy that provides visibility and protection for an organization.

1. Service Evaluation and Vulnerability Analysis

To stay competitive and provide differentiated value to their customers, cloud providers frequently release new capabilities and services. Furthermore, cloud providers evolve, deprecating existing APIs and services. However, as a consumer, it is critical to evaluate new services as they are released, as well as existing services on a regular basis for changes. These assessments (service assessments) are designed to detect vulnerabilities in the native service.

The scope of this assessment will also include the design and implementation of these cloud-native services specific to your organization, as well as best practices for your organization.

To evaluate various aspects of new and existing cloud-native services, service assessments require strong cloud architects, risk and compliance subject matter experts (SMEs), engineers, and product owners to collaborate. Following the assessment, a report is distributed that clearly describes the risk (if any), recommends a set of controls to be implemented prior to broader adoption, and recommends the collection of service usage reports and service compliance reports to be reviewed on a regular basis to address risks associated with such a service adoption.

To ensure that these assessments are conducted objectively, an independent group or department, such as Cyber, is chartered to manage and report on them.

‍

2. Machine Data and Machine Events Are Being Collected

Identifying vulnerabilities is a time-sensitive opportunity with diminishing returns as time passes. However, in many cases, the window of opportunity to respond is much larger, allowing cloud compliance platforms to leverage a wide range of data sources. 

In general, machine data has three main options:

• Native cloud resources (ex. CloudTrial)
• Resources based on tools (ex. ServiceNow)
• Direct resources (ex. APIs)

Direct resources via APIs are typically the quickest and easiest to process, but they become costly as the volume of API calls increases. The cost of processing all machine data as API events will necessitate massive and resilient compliance platforms. There must be a balance between processing real-time events and batching data for vulnerability evaluation.

The collection of machine data, as well as the classification and categorization of data based on resource type, criticality/risk, or vulnerability, which will aid in the distribution of processing, is critical. A key differentiator could be to create an always-available and democratized data layer that multiple lines of business or departments can use to build custom algorithms to identify risk.

As data becomes more democratized across the organization, it is critical to have clear disclosures associated with each data stream or lake. These disclosures include the data's age, source, signatures, and risk category.

Furthermore, as the cloud footprint expands, it will become necessary to create a group or department solely dedicated to managing the data layer of machine events. Many organizations with large cloud footprints also provide learning platforms based on machine data to help build intelligence on top of applying policies or rules that can begin to bring risk predictability.

‍

3. Creating Policies and Controls

It's difficult to predict how quickly the dark web learns to exploit resource-based vulnerabilities against organizations or how quickly organizations learn to develop policies and rules that protect against such vulnerabilities. It all comes down to the length of the learning curve.

Cloud SMEs play a critical role in evaluating new cloud service offerings from cloud providers, not just broadly, but deeply in the context of how a business wants to leverage new cloud-based resources or products. In most cases, assessments are led by a group of SMEs who understand risk (technical, financial, and operational) and collaborate to score a specific cloud-based tool or resource.

The risk score is then generated, expressing the criticality as Low/Medium/High/Critical. These assessments are not done on a regular basis, but as a standard procedure throughout the year, and include re-evaluations of existing services to ensure changes to service APIs or deprecations.

Much work remains to be done to determine how these policies are released based on the number of cloud accounts that must be provisioned.

As an example:

• Is it to be done all at once or gradually?
• How many applications will be impacted by the implementation of these policies?
• Is the rate of product development affected by such a release, and do the policies include actions that vary depending on the environment?

It is clear that the release management aspects of these policies have the potential to positively and negatively influence and affect the much larger organization. However, it would be more secure in the short term because these policies would limit the number of patterns in which cloud-based resources or services are leveraged, designed, and integrated with business products.

As a result, the application teams would have to do more work to retroactively modify existing and live applications and/or make changes to upcoming designs and implementations.

End user impact analysis is a necessary component of policy development that aims to reduce the impact of policies by automating remediation on behalf of application teams. This, however, will necessitate a trustworthy relationship between application teams and cloud compliance organizations. In some cases, cloud compliance teams will lack complete visibility into the rationale or implications of a specific design of a component that uses a cloud resource. In such cases, it is best to report noncompliance as a notification and give application teams a window to own the remediation.

To fully understand the impact on end users or applications, it is necessary to be able to create test scenarios in which resources are created, evaluated, and remediation actions are all recorded and further analyzed to clearly identify the impacts that the release policies would cause. This aspect of controls testing or policy testing is a bit of a puzzle and can be time-consuming, but it is also very rewarding.

‍

4. Processing Machine Events in Accordance With Policies

Controls (or policies) are created in the following ways:

• Detective controls,
• Corrective controls, and
• Preventive controls

However, preventative controls are the most effective way to ensure compliance, to begin with, but they are also the most difficult to implement. Cloud compliance solutions are specifically designed to address each of the controls listed above. Controls are either batch (near real-time) or event-based, as well as API based. The objective here is to get as close to the event as possible.

The simplest source for machine events is CloudTrial data or any other cloud-native log, but it is important to note that cloud-native logs also have a delay between the actual event and the time it makes that event available in the log.

Controls are made up of one to many policies that are applied to various machine events that originate in different regions, environments, and data classifications. Policies are rules that compare machine data to a set of conditions with a boolean result. This means that a resource can only be compliant or non-compliant within the context of a control objective.

The outcome is determined by a variety of simple to complex sets of rules that evaluate machine events from multiple data, identity, access, and visibility perspectives. As a result of the evaluation and inference process, non-compliance resources will be identified, visibility will be enabled through various notification channels, and a pattern-based remediation will be suggested.

‍

5. Identifying Non-compliance and Taking Corrective Action

All types of controls are required to have one or more methods of reporting on the state of compliance. These reports can then be commoditized and customized, grouped, and distributed via various channels such as email notifications, compliance dashboards, operational reports, and risk state data. As an organization's cloud footprint expands, the set of machine events may expand significantly, making reports more complex and difficult to interpret.

The majority of the emphasis would be on producing reports that clearly show noncompliance by risk category, such as regulatory, operational, or security. Non-compliance can also be listed by resource type and criticality as high, medium, or low in these reports. Dashboards for divisions and lines of business (LoBs) are useful for driving prioritization conversations with LoBs and executive decisions, encouraging business and technology groups to collaborate on risk management and risk remediation.

Certain channels for reporting noncompliance, such as email notifications and Slack notifications, gradually become ineffective as volumes increase day by day. It is also difficult for developers to monitor every notification that comes their way and aid in quick remediation. Product owners and product managers with experience driving user empathy-based feature development, carving out effective and outcome-driven notifications that are self-intuitive, are required to create policies that provide these notifications.

These notifications must be accompanied by clear remediation steps, expressed as instructions that will assist end users in performing remediation in a more timely and consistent manner. Compliance solutions can take it a step further by assigning incident tickets to application teams with predefined remediation windows and support for automated escalation processes.

‍

Every Developer Is Responsible for Cloud Compliance

Groups from technology, architecture, operations, risk, regulatory compliance, and governance are collaborating to establish, manage, and socialize security standards, provide ongoing support and guidance, and create a transparent process for new service adoption. As a result, the organization has a collaborative and supported compliance approach with clear intent, roles, and responsibilities.

Compliance must play an important role as organizations migrate to the cloud. Defining a cloud compliance framework within an organization will require maturity and the ability to balance roles, responsibilities, and accountability. The standards outlined in this post, on the other hand, should be useful in successfully implementing and managing an effective cloud compliance program. Cloud compliance as a practice will become a fully operational entity for every consumer as this domain evolves further over time and with continued innovation.

Need help implementing Cloud best practices? Contact us today for a free consultation.