The Quest for Compliance Automation
Compliance is becoming more important to companies every day. They are constantly working to raise privacy and security awareness and to gain control over their internet-facing assets. Cloud and third-party tool adoptions are increasingly driven by security and compliance, arguably gaining a higher level of importance than cost and performance—even outside the groups that have traditionally valued compliance and security-first environments, such as federal agencies and the healthcare sector. The quest for a product that can help companies maintain a fully compliant, monitored, and automated infrastructure is arduous. This post will attempt to help you along in this difficult process with a short checklist of the must-have features to look for.
Compliance and Security Automation
The commonly accepted definition of “compliance” in this context is adherence to the set of regulations and industry standards that cloud customers are required to follow. In this era of increased privacy consciousness, cyber threats, security standards, regulations, and certifications, terms referring to these relatively new standards (e.g., HIPAA/HITECH, PCI-DSS, DFARS, FedRAMP, ISO 27001, and the NIST SP 800 series) are the new normal.
Cloud Service Providers (or CSPs) like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure have put forth significant efforts in recent years to stay in compliance with major and relevant standards. Security teams and professionals are staying up-to-date with rules and auditing, but one of the biggest advantages of the cloud, elasticity, is increasingly challenging for security operations to deal with. Mutable infrastructure with autoscaling, auto-healing, ephemeral nodes, and the ability to distribute over multiple CSPs all add extra layers of complexity when one is implementing controls, checks, auditing, etc. that are needed to ensure proper compliance.
DevOps culture has also evolved rapidly in recent years, driving the adoption of automation and orchestration into all IT processes, reaching even the innovation-reluctant security departments. It is becoming standard practice for security teams to deal with these elastic and mutable platforms by using new tools to automate the rollout of all security measures and controls. CSPs, in addition to certifying against standards and compliance regimes, also provide automatable tools that simplify the security tasks customers are responsible for under the Shared (Security) Responsibility Model.
For example, in AWS we can use the following tools:
- AWS CloudTrail: Logs all API calls made through the AWS Management Console, the AWS CLI, the AWS SDKs, or other AWS services. Essential for auditing and access monitoring.
- AWS CloudWatch: Provides actionable metrics and logs, which are useful for firing alerts or reacting automatically to resource misuse or changes.
- Amazon Inspector: Automatic application security assessment for common vulnerabilities and deviations from best practices.
- AWS VPC Flow Logs: Provide information on network traffic going through a VPC network. Useful when running a perimeter assessment of internal private networks.
- AWS Config: Provides an instantaneous and detailed status report regarding configuration of AWS resources, as well as alerts on changes.
Scrolling through this list, you might notice the absence of both a comprehensive console/interface and a remediation tool. This problem does not only apply to AWS—Azure and GCP lack these combined features, too.
Infrastructure automation (aka Infrastructure as Code) is essential to ensure that all resources that are deployed respect security standards. And this automation is even more important if we’re leveraging multiple CSPs since it can take care of applying the security configuration automatically while autoscaling, moving a workload between two or more CSPs, or just creating new storage buckets.
Automatic deployment of security measures is essential, but we can’t just rely on passive security since human errors and software bugs are always present. This reality makes continuous monitoring a necessity. No matter which cloud you are using, user activity audits, infrastructure status checks, internal networking, and external perimeter monitoring can’t be neglected.
For impartiality, let’s take a look at GCP security monitoring tools:
- Cloud Identity-Aware Proxy: Monitors access to applications deployed inside Google Cloud Platform.
- Data Loss Prevention API: Helps prevent data leaks by automatically finding and redacting sensitive data that is streamed or stored.
- Stackdriver: Detects patterns related to DoS, brute-force attacks, or data exfiltration using metrics-based alerting capabilities.
- Cloud Security Scanner: Scans the applications running in Google App Engine for vulnerabilities.
Even within GCP, we’re still missing a centralized console for all of these tools from which the SOC team can get current “Security and Compliance” status, or just configure and organize checks for the different standards. To make sure we are in compliance, we have to rely on third-party tools.
Validation and Documentation
We have argued the need for security automation and continuous monitoring for better compliance, but we shouldn’t underestimate the importance of validating and documenting compliance. Some of you probably remember the message from the “Power is nothing without control” advertising campaign for Pirelli tires. “Diamonds are nothing without a certificate,” however, is not an advertisement: your partner will appreciate the present, but he or she will ask for the certificate later, just as you will be asked to provide a certificate from a recognized entity to your insurance company that states the value of your “jewel.”
The same idea applies to our infrastructure: all of the efforts made to ensure the platform’s compliance are fruitless if we cannot validate them with market leaders’ tools, or at least obtain a seal of approval from a reputable group. Compliance validation requires proof with documentation. Stakeholders need documentation—documents to show the authorities in case of auditing, to attach to more complex documents for legal requirements, to be further redacted for customers’ contract needs, and even to justify all of the money that was spent to stay in compliance.
Auditing and management are not the only driving factors for having our compliance validated and well-documented. Stories about data breaches, data leaks, exfiltrations, and even cryptocurrency theft are appearing more frequently in the news. The risks are high these days. If you are unlucky enough to be a target of these attacks, your outcome will be better if you can prove that you made every effort and put in place all (and maybe additional) security measures required for your business. This is especially true on social media, where the “trial” may not even start once compliance is demonstrated. All the effort that companies put into validation and documentation should be considered an investment, especially now, when companies are often called to defend themselves, and the security precautions they put in place, in court. Additionally, if you are continuously testing, monitoring, and validating, your chances of being the next big story in the news are reduced.
Unfortunately, validation and documentation are tasks that you are left to handle alone—CSPs just provide the documentation that validates their side of the Shared Responsibility Model. We have documents stating that Azure services are HIPAA compliant, but none stating that our infrastructure that is built with these services is compliant, too.
We previously highlighted a few things that are missing with the tools CSPs give us for security and compliance needs—a centralized tool with situational dashboards, automated checks, and remediation actions—but what other features does the tool you choose need to have? It goes without saying that reliability and multicloud support are mandatory, essential characteristics for any tool to have. Your compliance and security status will depend on the tool’s reliability; there is no room for errors or downtime. With the growing usage of hybrid architecture solutions, the ability to support multiple public clouds is another feature that cannot be overlooked. But there are many other factors to consider when choosing the best tool for your company.
Below is a list of features to use as a checklist:
1. Situation dashboards: Prompt visibility of the infrastructure’s current security status is reassuring when everything is going well, and a necessity in case of an incident.
2. Per-standard wizards, policies, and procedures: It’s important to have a guided setup through all the checks and monitoring necessary for a specific compliance standard, as well as a predefined set of policies and procedures. Rules and services are constantly evolving, and having a solid base to start from is handy.
3. Automatic security and compliance checks: Once you have configured everything you need, it’s important to monitor everything constantly—the number of predefined checks a tool ships with is itself worth evaluating.
4. Firewalling and perimeter monitoring: The automated tasks should include perimeter assessment, using CSP tools or others if needed. Access management and control are needed at the network layer, too.
5. Resource access policies and user management: When a service cannot be contained at the network level, your tools must ensure that you are always operating following the principle of least privilege. User access and monitoring should also be managed by your tool—we need to know which user was accessing what data at any given time.
6. Actionable information/Automatic remediation: Knowing you’re not compliant is useful, but it’s even better to have a feature that fixes the flaw automatically.
7. Log analysis: Your tool should be able to analyze any kind of logs that your CSP can generate, in addition to third-party logs to further improve your analysis capabilities.
8. Constant inventory and monitoring: You always need to know which components are running in your infrastructure, how they are performing, and what their security and compliance status is.
9. Continuous auditing and reporting: Your tool should be constantly auditing the entire infrastructure and its users, ready to produce reports on a specific service at any given moment. It should also be able to produce all of the documents that are pertinent to your global compliance status referring to a specific standard or rule.
10. Compliance benchmarks: It is always useful to see your score versus a given standard and to monitor your improvements over time.
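As an added example (not code from this post or from CloudCheckr’s product), the following Python shows what checklist items 3, 5, 7 and 10 look like in practice when driven by the CloudTrail audit trail mentioned above: each check is a predicate over one CloudTrail record, every finding names the actor and the control violated, and a benchmark-style score summarizes the result. The sample records, the control ids, and the chosen event names are constructed for this example; the field names follow CloudTrail’s documented record format.

```python
"""Added example: automated compliance checks over AWS CloudTrail records
(checklist items 3, 5, 7 and 10). Control ids and sample records are
constructed for this example; field names follow CloudTrail's record format."""
import json

# Constructed CloudTrail-style records (not real account data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]})

# Each check: (control id, description, predicate over one record).
CHECKS = [
    ("ROOT-USAGE", "root account used",
     lambda r: r.get("userIdentity", {}).get("type") == "Root"),
    ("CONSOLE-NO-MFA", "console sign-in without MFA",
     lambda r: r.get("eventName") == "ConsoleLogin"
     and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
     and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
    ("TRAIL-TAMPER", "CloudTrail logging changed or disabled",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
     and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
    ("IAM-POLICY-CHANGE", "IAM policy attached or modified",
     lambda r: r.get("eventSource") == "iam.amazonaws.com"
     and r.get("eventName") in {"PutUserPolicy", "AttachUserPolicy", "CreatePolicy"}),
]


def evaluate(trail_json):
    """Return one finding per (record, violated control): who did what, and which control it breaks."""
    findings = []
    for record in json.loads(trail_json)["Records"]:
        actor = record.get("userIdentity", {}).get("arn", "<unknown>")
        for control, description, violated in CHECKS:
            if violated(record):
                findings.append({"control": control, "actor": actor,
                                 "event": record.get("eventName"), "detail": description})
    return findings


def compliance_score(findings, controls=CHECKS):
    """Benchmark-style score: percentage of controls with no finding."""
    failed = {f["control"] for f in findings}
    return round(100 * (1 - len(failed) / len(controls)))
```

Running `evaluate(SAMPLE_TRAIL)` on the constructed records yields three findings (root account used, root console sign-in without MFA, and `StopLogging` by bob), and `compliance_score` reports 25 because three of the four controls have at least one finding.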
This checklist can be a useful guide to follow when you are looking for the tool that best suits your company’s needs. Ideally, you should determine the value of each item in the list before searching for a product, setting the global threshold and the sum of points that will determine which tool or tools make the cut.
Here at CloudCheckr, we’re sure we can reach a high score based on this checklist. We are especially confident in the quality of our product because of our recent partnership with Allgress, which allowed us to add compliance controls mapping to our repertoire; this added feature helps our customers reduce the complexity of and time spent on achieving complex compliance regimes such as Sarbanes Oxley (SOX), HIPAA, and FISMA. Allgress also made their Allgress Regulatory Product Mapping (RPM) Tool available for free to let companies filter by security vendor and check which security controls are met by a particular vendor. The more software-specific controls a vendor meets, the higher the level of accountability and overall control you’ll have over your environment. With this RPM tool, our platform scores high with 450+ best practices and controls for AWS alone.
Supporting multicloud with top-notch features is not the only benefit of working with CloudCheckr—we can also help you with spending. Our Cost and Expense Management module guides you in properly sizing the infrastructure and analyzing costs, helping you save money that you can use to invest in improving your company’s security.