I was doing some compliance research recently and came across the following statistic from the Veritas Truth in Cloud Study:
"76% of organizations believe that their cloud service providers take care of all data privacy and compliance regulations."
Once I had a chance to collect my jaw from the floor, I began to write this blog post.
Under the Shared Responsibility Model, the provider secures the underlying cloud infrastructure, but the customer (you) is responsible for the security, privacy and compliance of the workloads and data you put in the cloud.
For this post, let’s zero in on compliance.
There are more compliance frameworks than I can count on two hands, and depending on your industry, it’s mandatory to comply with one or more of them. Here’s a small handful for example:
Become intimately familiar with the frameworks that apply to your business as a prerequisite. From there, you can start tackling roles and responsibilities within your organization.
Cloud Security and Compliance Is a Team Sport
We hosted a webinar on this very topic back in October, but I think it’s important to reiterate some of the key players and their responsibilities around ensuring compliance.
EVERYONE plays a role.
I like to categorize them into three different buckets:
And we can drill down even further. Let’s look at the roles and priorities of three key players and the variance based on your organization’s level of cloud maturity.
| Team | Adopt Phase | Expand Phase | Scale Phase |
|---|---|---|---|
| SecOps | Adapting policies; exploring tools | Automating security monitoring and assessment for full visibility | Automating enforcement of policy |
| DevOps | Adopting a security-first approach; learning what is available from CSPs | Developing processes to ensure best practices are followed | Automating workflows to validate configuration BEFORE deployment |
| Compliance | Learning plans and impact of deployments; understanding what is inherited from CSPs | Performing periodic measurement to identify gaps in compliance | Compliance scorecard by month, week or day |

Figure 1: Cloud maturity levels
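The Scale-phase cells in Figure 1 (DevOps validating configuration before deployment, Compliance producing a scorecard) can be expressed as policy-as-code. The following is an added example written for this post; it is not code from the original article or from any Palo Alto Networks product. The resource records, policy names and severities are constructed for illustration, and the checks stand in for whatever controls your frameworks actually require.

```python
"""Policy-as-code pre-deployment gate with a compliance scorecard.

Added illustrative example. Resources, policy names and severities are
constructed; they do not cite any specific compliance framework.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample of resources as they might be rendered from an
# infrastructure-as-code plan (for example a Terraform plan exported as
# JSON) before anything is deployed.
SAMPLE_RESOURCES: List[dict] = [
    {"id": "bucket-logs", "type": "storage_bucket",
     "public": False, "encrypted": True, "versioning": True},
    {"id": "bucket-web", "type": "storage_bucket",
     "public": True, "encrypted": False, "versioning": False},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                 {"port": 5432, "cidr": "10.0.0.0/8"}]},
]


@dataclass(frozen=True)
class Policy:
    name: str
    resource_type: str
    severity: str                  # "high" blocks deployment, "medium" is reported only
    check: Callable[[dict], bool]  # returns True when the resource is compliant


def no_world_admin_ports(sg: dict) -> bool:
    """Admin ports (SSH/RDP) must not be reachable from the whole Internet."""
    return not any(rule["port"] in (22, 3389) and rule["cidr"] == "0.0.0.0/0"
                   for rule in sg["ingress"])


# Hypothetical policy set; a real one would map each entry to the control
# it satisfies in the frameworks that apply to your business.
POLICIES: List[Policy] = [
    Policy("storage-not-public", "storage_bucket", "high", lambda r: not r["public"]),
    Policy("storage-encrypted", "storage_bucket", "high", lambda r: r["encrypted"]),
    Policy("storage-versioning", "storage_bucket", "medium", lambda r: r["versioning"]),
    Policy("sg-no-world-admin", "security_group", "high", no_world_admin_ports),
]


def evaluate(resources: List[dict], policies: List[Policy] = POLICIES) -> List[dict]:
    """Return one finding for every (resource, policy) pair that fails."""
    findings = []
    for policy in policies:
        for res in resources:
            if res["type"] == policy.resource_type and not policy.check(res):
                findings.append({"policy": policy.name, "resource": res["id"],
                                 "severity": policy.severity})
    return findings


def scorecard(resources: List[dict], policies: List[Policy] = POLICIES) -> Dict[str, int]:
    """Per-policy pass percentage over the resources the policy applies to."""
    failed = {(f["policy"], f["resource"]) for f in evaluate(resources, policies)}
    card: Dict[str, int] = {}
    for policy in policies:
        scoped = [r for r in resources if r["type"] == policy.resource_type]
        if not scoped:
            continue  # policy has nothing to measure in this plan
        passed = sum(1 for r in scoped if (policy.name, r["id"]) not in failed)
        card[policy.name] = round(100 * passed / len(scoped))
    return card


def deployment_allowed(resources: List[dict], policies: List[Policy] = POLICIES) -> bool:
    """Pre-deployment gate: any high-severity violation blocks the change."""
    return not any(f["severity"] == "high" for f in evaluate(resources, policies))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESOURCES):
        print(f"[{f['severity']}] {f['resource']}: fails {f['policy']}")
    print("scorecard:", scorecard(SAMPLE_RESOURCES))
    print("deployment:", "ALLOWED" if deployment_allowed(SAMPLE_RESOURCES) else "BLOCKED")
```

Run in a CI step before `apply`, `deployment_allowed` is the DevOps gate from the table and `scorecard` is the Compliance team's daily number; the same policy definitions serve both, which is the point of continuous compliance. In a real pipeline the checks would normally live in a policy engine rather than inline lambdas, and the policy set would be versioned alongside the infrastructure code it governs.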
The Underlying Contention Between Teams
It's arrived: the dreaded compliance audit. As if SecOps and DevOps weren't busy enough with incident response, they now have to shift focus and take on a pile of extra work so the compliance team can secure a passing score. That work is typically manual, consumes significant time and resources, and delays the priority initiatives those teams were already working on. Herein lies the problem.
The good news is that automation can help reduce this contention and unite these teams for the greater good: continuous compliance.
Security by Design - Automating Policy Enforcement
According to the RightScale 2018 Cloud Security Report, 42% of organizations are focused on automating policies for governance. This is good news. Even better, compliance requirements can be fulfilled in the cloud with the right strategy, tools and governance – rooted in automation.
Automating policy enforcement is hugely beneficial. It helps ensure visibility of policies across clouds and the larger organization, and propels innovation through confidence that critical policies and standards are always being upheld. Here are some points to keep in mind as you build your strategy and execution:
Maintaining compliance as requirements increase and expand in scope can be challenging. Palo Alto Networks RedLock security and compliance service continuously monitors all cloud resources for potential compliance violations and provides customizable one-click compliance reports. Click-through controls resolve issues quickly in the face of ever-changing configurations and development requirements.
Want to learn more? Check out our on-demand webinar: 12 AWS Best Practices to Get You #CloudFit