Compliance is not solely the domain of internal audit or privacy groups, or whatever other groups may have historically owned it. In this post-cloud world, with abstracted managed services from cloud service providers (CSPs), the barriers between privacy, security (or info sec), and compliance have blended. And not just between those groups but also with IT. And, to complicate things further and necessitate more change in the way organizations view and operate their compliance programs, even within IT the barriers have been broken down and the cloud has enabled software developers to configure and deploy infrastructure without system admins or DBAs and, in many cases, without the explicit sign-off of security. In this brave new world of compliance on the cloud, operating compliance as a team sport is essential.
The cloud turns developers into admins
Managed services on the cloud, such as database-as-a-service (DBaaS), make it simple for software developers to deploy and scale their own infrastructure. Using web UIs or basic command line tooling and APIs, these managed services expose infrastructure pre-built for developers to use. The underlying layers of the technology stack have been abstracted away from users.
The setup of these services does not require a Linux or Windows admin and, as such, developers can now easily circumvent the process by setting up their own cloud services. Using the above referenced UIs, developers are essentially configuring parts of the underlying operating system, software packages, and networking. These configurations, if not set properly, can violate the policies of an organization and expose data to unauthorized access.
The operator construct must have security as a pillar
While empowering developers to directly interact with and manage their own infrastructure, the cloud does not remove the need for operations, it just changes the role and specific functions required of them. Managing large-scale cloud deployments required dedicated operators, not just developers. Setting up and managing development pipelines to the cloud similarly is the purview of operations and not developers. There are other examples of the new role DevOps plays on the cloud.
One area that is sometimes missed, but is becoming its own dedicated area, is SecDevOps, or security-focused DevOps. Security needs to be a core part of the function of DevOps on the cloud, whether for cloud workloads managed by operations or for simpler cloud workloads managed directly by developers. Operations groups need to work with compliance (see below) to translate existing policy and procedure requirements for the cloud to ensure whatever groups and individuals are managing cloud workloads are not exposing an entity to risk.
Compliance must inform the security posture operators enforce
Policies and procedures should be developed by compliance with input from privacy. Typically, the challenge we see on the cloud is the translation of these often static policies into more dynamic procedures and cloud configurations to meet the needs of IT to leverage new cloud services. This translation process is exceptionally difficult because it’s a continual process to map compliance policies to new and emerging cloud services and configuration options. Compliance needs to work with operations, DevOps, or SecDevOps, to ensure the proper translation is created and maintained.
Internal audit and compliance must have visibility into cloud configs
Once approved cloud configurations have been established, visibility into deployed cloud workloads and actual configurations is required to ensure identification and remediation of gaps. Given the dynamic nature of the cloud and cloud services, gaps will emerge, necessitating near real-time visibility into the compliance posture of the cloud. The key to managing an effective compliance program on the cloud is transparency into cloud inventory (workloads, services, environments, etc) and, ideally, proactive identification of gaps between approved cloud service configurations/states and actual cloud service configurations/states. The first step to remediate gaps is to identify them.
Education and alignment top to bottom is necessary
Compliance on the cloud is new but it is emerging, along with cybersecurity, as a top challenge for all organizations. The change now is that the only way to create and maintain a successful cloud compliance program is to align resources across multiple groups within an organization. From policy to cloud configurations to reporting and visibility, groups need to work together like links in a chain.
In many ways, compliance on the cloud is like an assembly line. Compliance, with input from privacy, designs the process, works with security and IT to implement it on the cloud, and creates real-time reporting to measure the outputs of the process. The only way for this to work is to operate as a team with a common goal — protect data and digital assets while enabling organizations to build the technology to continue to compete.