2017 has been a tough year for data breaches and privacy violations. Government regulations (HIPAA for healthcare, NERC-CIP for energy, EU GDPR, etc) and industry standards (PCI) have tried to reverse this alarming trend, with more restrictive mandates and financial penalties that can no longer be classified as “the cost of doing business”.
Certification benchmarks (CIS control and benchmark) are also trying to help by offering guidance on best practices and and helping organizations evaluate and demonstrate their security posture.
The scramble to bring existing compliance and certification regimes into the cloud age will continue even as new regulations, like FedRamp, emerge specifically for the cloud. FedRamp is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRamp notwithstanding, most regulations and compliance mandates still aren’t cloud ready. Businesses struggle to comply when security responsibilities for business applications are shared between the company, its cloud providers (AWS, Azure, co-locations) and 3rd parties that are part of the cloud environment.
So what is a responsible security and compliance professional to do? As a first step, think about the spirit, not the letter, of privacy and security regulations. Most regulations are based on these four foundational principles:
- Know your data: where it is stored and how it is processed (especially for regulated data);
- Control access: apply a “least privilege” principle and grant access on a “need to know” basis (and track who has access to what);
- Track and log everything: produce reports that demonstrate compliance. Sometimes the requirement is to produce them monthly (FedRAMP), not just yearly or at time of audit;
- Notify when breached: 72 hours seems to become the standard across regulations that have recently been issued or updated (EU GDPR, 23 NYCRR 500). Get ready to investigate incidents, and ensure that you have as much information at hand to manage breach disclosure.
Here’s where things get sticky. The cloud, however, is far more complex and ephemeral than a traditional data center: it changes on a dime, entities come and go, and tools for compliance are in short supply. Even FedRAMP, which was designed for the cloud, drives significant overhead. Organizations have told us that they devote half of a full-time staffer to manually collecting required information for their monthly FedRAMP report. Understaffed security teams just don’t have proper visibility into what’s deployed in cloud environments, who accesses it, how often it changes and who makes the changes.
Why? Legacy compliance solutions were built to match what conventional security tools tracked: ports and IP addresses. In the cloud, network resources are no longer static – they are continuously recycled and they no longer provide much insight into actual cloud behavior and data access.
Lacework gives you a head-start on cloud compliance by solving the cloud visibility problem. Our solution delivers unprecedented visibility into everything that’s running in your cloud, in one place, capturing much of the basic data you need for compliance. Here’s how it works:
- Discover: Lacework automatically finds all entities deployed (apps, processes, workloads, VMs, containers, machines and users), removing the need to manually identify these at any point of time. If your cloud infrastructure is like most, it has hundreds of VMs that change all the time. Lacework is a real time saver.
- Categorize: At scale, a cloud infrastructure can have hundreds of discrete entities performing exactly the same task. Load balancers, for example, send tasks to multiple identical servers to reduce latency and enhance the user experience. By aggregating similar entities, Lacework reveals the true structure of your cloud implementation.
- Characterize: Lacework provides complete visibility into how entities interact and behave. This lets you rapidly identify otherwise hidden dependencies and validate whether they are authorized.
- Baseline: Lacework analyzes entities and their behaviors to build a logical baseline for your cloud environment. This reference point reveals the normal activity in your cloud.
- Changes: Lacework flags any deviation from the baseline, making it easier and faster to detect anomalous behaviors that could jeopardize compliance.