October 26, 2018

Compliance is a Team Sport

Travis Good, MD

Co-founder, CEO & Chief Privacy Officer

Compliance is not solely the domain of internal audit or privacy groups, or whichever other groups may historically have owned it. In this post-cloud world, with abstracted managed services from cloud service providers (CSPs), the barriers between privacy, security (or info sec), and compliance have blurred, and not just between those groups but also with IT. To complicate things further, and to necessitate more change in how organizations view and operate their compliance programs, even within IT the barriers have been broken down: the cloud has enabled software developers to configure and deploy infrastructure without system admins or DBAs and, in many cases, without the explicit sign-off of security. In this brave new world of compliance on the cloud, operating compliance as a team sport is essential.

The cloud turns developers into admins

Managed services on the cloud, such as database-as-a-service (DBaaS), make it simple for software developers to deploy and scale their own infrastructure. Using web UIs or basic command line tooling and APIs, these managed services expose infrastructure pre-built for developers to use. The underlying layers of the technology stack have been abstracted away from users.

Setting up these services does not require a Linux or Windows admin and, as such, developers can now easily circumvent the traditional provisioning process by standing up their own cloud services. Through the UIs and APIs referenced above, developers are effectively configuring parts of the underlying operating system, software packages, and networking. These configurations, if not set properly, can violate the policies of an organization and expose data to unauthorized access.

The operator construct must have security as a pillar

While empowering developers to directly interact with and manage their own infrastructure, the cloud does not remove the need for operations; it just changes the role and the specific functions required of them. Managing large-scale cloud deployments requires dedicated operators, not just developers. Setting up and managing deployment pipelines to the cloud is similarly the purview of operations, not developers. There are other examples of the new role DevOps plays on the cloud.

One area that is sometimes missed, but is becoming its own dedicated discipline, is SecDevOps, or security-focused DevOps. Security needs to be a core part of the DevOps function on the cloud, whether for cloud workloads managed by operations or for simpler cloud workloads managed directly by developers. Operations groups need to work with compliance (see below) to translate existing policy and procedure requirements for the cloud, so that whatever groups and individuals are managing cloud workloads are not exposing the organization to risk.

Compliance must inform the security posture operators enforce

Policies and procedures should be developed by compliance with input from privacy. Typically, the challenge we see on the cloud is the translation of these often static policies into more dynamic procedures and cloud configurations that meet IT's need to leverage new cloud services. This translation is exceptionally difficult because it is a continual process: compliance policies must be mapped to new and emerging cloud services and configuration options as they appear. Compliance needs to work with operations, DevOps, or SecDevOps to ensure the proper translation is created and maintained.

Internal audit and compliance must have visibility into cloud configs

Once approved cloud configurations have been established, visibility into deployed cloud workloads and their actual configurations is required to identify and remediate gaps. Given the dynamic nature of the cloud and cloud services, gaps will emerge, necessitating near real-time visibility into the compliance posture of the cloud. The key to managing an effective compliance program on the cloud is transparency into cloud inventory (workloads, services, environments, etc.) and, ideally, proactive identification of gaps between approved cloud service configurations/states and actual cloud service configurations/states. The first step to remediating gaps is to identify them.
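As an added illustration of the gap identification described above (not Datica's code or product), the following Python compares an approved configuration baseline for a managed database service against an inventory export and reports every deviation, including settings the export does not report and service types that have no approved configuration at all. The service names, settings and inventory are constructed sample data.

```python
from typing import Any

# Approved state per service type (constructed): policy translated into settings.
# A ("min", n) value is a threshold; anything else must match exactly.
APPROVED_BASELINE: dict[str, dict[str, Any]] = {
    "managed-postgres": {
        "storage_encrypted": True,
        "publicly_accessible": False,
        "backup_retention_days": ("min", 7),
        "audit_logging": True,
    },
}

# Actual deployed inventory (constructed), as an inventory export would report it.
ACTUAL_INVENTORY = [
    {"id": "db-orders", "type": "managed-postgres", "storage_encrypted": True,
     "publicly_accessible": False, "backup_retention_days": 14, "audit_logging": True},
    {"id": "db-analytics", "type": "managed-postgres", "storage_encrypted": False,
     "publicly_accessible": True, "backup_retention_days": 3},
    {"id": "cache-01", "type": "managed-redis", "storage_encrypted": True},
]


def check_resource(resource: dict[str, Any], baseline: dict[str, Any]) -> list[str]:
    """Return one gap per approved setting the resource fails to meet."""
    gaps = []
    for setting, expected in baseline.items():
        if setting not in resource:
            # An unreported setting cannot be shown compliant, so it is a gap.
            gaps.append(f"{setting}: not reported, treated as non-compliant")
            continue
        actual = resource[setting]
        if isinstance(expected, tuple) and expected[0] == "min":
            if actual < expected[1]:
                gaps.append(f"{setting}: {actual} is below minimum {expected[1]}")
        elif actual != expected:
            gaps.append(f"{setting}: {actual!r}, approved value is {expected!r}")
    return gaps


def find_gaps(inventory, baseline=APPROVED_BASELINE) -> dict[str, list[str]]:
    """Map each non-compliant resource id to its gaps; unknown service types are a gap too."""
    report: dict[str, list[str]] = {}
    for res in inventory:
        if res["type"] not in baseline:
            report[res["id"]] = [f"{res['type']}: no approved configuration on file"]
        else:
            gaps = check_resource(res, baseline[res["type"]])
            if gaps:
                report[res["id"]] = gaps
    return report
```

Run periodically against a fresh inventory export, the report gives compliance the near real-time view of drift that the section above calls for.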

Education and alignment top to bottom is necessary

Compliance on the cloud is new, but it is emerging, along with cybersecurity, as a top challenge for all organizations. What has changed is that the only way to create and maintain a successful cloud compliance program is to align resources across multiple groups within an organization. From policy to cloud configurations to reporting and visibility, groups need to work together like links in a chain.

In many ways, compliance on the cloud is like an assembly line. Compliance, with input from privacy, designs the process, works with security and IT to implement it on the cloud, and creates real-time reporting to measure the outputs of the process. The only way for this to work is to operate as a team with a common goal — protect data and digital assets while enabling organizations to build the technology to continue to compete.

Tags: Compliance
