In our previous blog on compliance security, we looked at the importance of an organizations’ security approach and how to effectively build requirements that meet cloud compliance security demands. Among the many ways to carry this out, adhering to the right security controls is an effective way to ensure compliance needs are met. Security teams must have continuous visibility and understanding of how these controls are performing, and they must employ a strategy for ensuring controls are updated as necessary to meet changing access and run-time needs.
Compliance in your cloud environment
We know that CSPs will often publish their compliance accreditation and certifications online in trust center section of their website. It is important that all cloud customers review these capabilities and know their own responsibilities. These obligations vary by CSP and whether the service they consume is infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or SaaS.
Auditors are beginning to better understand these dependencies between different cloud providers and customers and it’s important to know your place and role in the larger system.
In order to successfully meet your security requirements and compliance obligations you must define and implement appropriate technical and administrative controls that map to and meet these requirements. For each control, identify the control owner and performer, define how the control should operate and what makes it effective, and lastly what evidence is needed to show that it is operating effectively. Evidence might be in the form of a report generated by a scanner or other tool that automatically interrogates your environment and continuously collects data showing that the controls are running as intended.
Breaking down compliance requirements
As an example, a security requirement might stipulate that security updates must be applied within 30 days of release. To meet this requirement, you might implement a vulnerability scanner as a new detective control that you have configured to scan your environment daily for known vulnerabilities. With this security control in place you could demonstrate the effectiveness your patching process (which is also a control) by regularly reviewing what percentage of your environment is fully patched, and how many devices have patchable vulnerabilities older than 30 days and therefore out of compliance. Using technology to automate repeatable, quantitative assessments is helpful to show trends and, ideally, improve control effectiveness over time.
Continuous compliance automation
Automation and tooling can help scale compliance efforts and reduce control failures. Security controls in a cloud environment may behave differently than their on-premises analogs so look for controls that work effectively in your specific CSP environment. Some examples:
- Configuration Management: To ensure your devices are configured correctly first create a security baseline that defines how a device should be configured. Then choose a scanning tool or application that you can that you can use to scan your environment against this baseline. Some tools can scan against popular standards like Open Web Application Security Project (OWASP) or the Center for Internet Security (CIS) benchmarks and include specifics for cloud environments, like the proper configuration of your CSP.
- Vulnerability Scanning: When choosing a vulnerability scanning tool be sure it’s compatible with your other deployed technologies. For example, if you use Kubernetes be sure your scanner recognizes and can scan containers and can audit your Kubernetes deployment for signs of misconfiguration.
- Authorization: Define and enumerate all the roles of your users and operators and what rights they have been granted. Look for over privileged access across your entire cloud infrastructure. Don’t forget to audit your cloud subscription and container management consoles- if an attacker gets access to these, they can wreak havoc on huge sections of your environment.
- Authentication: Audit for appropriate identity and access management vulnerabilities, such as detecting when root access occurs, whether multifactor authentication is being used, and to enforce password policies.
- Secrets Management: Ensure appropriate secrets management for your cloud subscription. Consider scanning for secrets in source code and taking advantage of your CSP key management services and tooling.
- Cloud Service Provider Security tooling: Most CSPs provide services or utilities specifically intended for use by their customers to help ensure their own cloud subscription configuration is appropriately secure. In many cases, compliance auditors familiar with CSP offerings will look to see that you are using these extensions because they often are proven most effective for that situation. Make sure you understand these offerings and choose which make the most sense to leverage for your own needs- for example, turning on Microsoft Azure’s Security Center or ingesting Amazon Web Services CloudTrail logs into your own security event logging control.
- Cloud specific technologies: Cloud service providers offer a dizzying array of services and it’s important to enroll all that you choose to use into your own compliance program.
Demonstrating cloud compliance takes time and diligence, especially with the myriad of security and compliance standards that your own organization may be subject too. A solid GRC program will help streamline your audits and the right tooling and automation will make evidence collection much easier and less prone to errors. Also, look for cloud-aware tooling that you can setup as controls to identify security vulnerabilities and noncompliance. Lastly, it’s critically important to understand your dependencies on others and ensure that these dependencies do not introduce unacceptable risks to your own organization.