Virtualization Technology News and Information
How to Achieve Compliance in the Cloud

By Eric Kedrosky

Powerful identity and access management (IAM) models in AWS, Azure, and GCP enable the deployment of applications and data with far greater protection than is possible in traditional data centers. The tradeoff is that these models are not without risk when used incorrectly - and the risk is different from what was present in old-world enterprise environments. One area that deserves calling out is cloud compliance. Cloud-native compliance brings different challenges, strategies, and solutions. Let's review some below.

Regardless of whether you call them microservices, micro-frontends, or 12-factor apps, "cloud native" is the current best paradigm for developing applications that take advantage of the latest trends in technology. Because of this, however, traditional approaches to maintaining compliance simply do not work when applied to a cloud-native application deployment or its underlying infrastructure. Many traditional approaches to security and compliance depend on physically knowing where things are deployed, on network security monitoring, and on perimeter access controls like VPNs. Resources and data in the cloud are dynamic and cloud-native apps are growing exponentially, making it very hard to track who is calling which service and what is accessing your data.

5 Tips for Compliance

Group and Label Application Assets.

Organizations have all experienced a significant increase in the number of VMs in their infrastructure once they enabled virtualization to increase server density. There are exponentially more instances of cloud-native apps running inside containers, and some of them have lifetimes that are measured in minutes. Because of the dynamic and ephemeral nature of cloud-native infrastructure, it is extremely important to group application assets together as best as possible, and have consistent labeling.

An example of grouping is an application with all of its assets in a single resource group in Microsoft Azure, or a single project in Google Cloud Platform. Consistent labeling is extremely important for tying them together. Extending consistent labeling is vital to providing full visibility and traceability of all parts of an application and the infrastructure it has provisioned. This extends from cloud infrastructure components to groups and roles, to artifacts that are produced by the CI/CD pipeline.

In addition to the application components, proper labeling allows an organization to quickly identify all data stores involved with each app, which allows taxonomy and data compliance processes to track the data's movements and the systems with which it interacts.

Defining the strategy and specific taxonomy for the labels that will be applied requires the involvement of any existing security and compliance organizations within the company. They will provide insight into how things are currently tracked and categorized and will be a solid checkpoint to ensure the new cloud labeling will go beyond the basic needs of the DevOps and SRE teams.
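As an added illustration (not code from the article or from Sonrai Security), the check below validates a constructed cloud inventory against an assumed tag taxonomy, groups assets by application label, and lists the data stores tied to one app. The tag names, allowed classifications, and resource ids are all hypothetical.

```python
"""Tag-taxonomy audit over a constructed cloud inventory (hypothetical)."""
from collections import defaultdict

# Assumed taxonomy: every asset must carry these tags, and data-class must
# come from a fixed vocabulary so compliance tooling can rely on it.
REQUIRED_TAGS = {"app", "owner", "data-class"}
ALLOWED_DATA_CLASS = {"public", "internal", "confidential", "pii"}

# Constructed sample inventory; ids and tags are made up for the example.
INVENTORY = [
    {"id": "vm-web-01", "kind": "vm", "tags": {"app": "payments", "owner": "team-pay", "data-class": "internal"}},
    {"id": "db-pay-01", "kind": "database", "tags": {"app": "payments", "owner": "team-pay", "data-class": "pii"}},
    {"id": "bucket-logs", "kind": "bucket", "tags": {"app": "Payments", "owner": "team-pay", "data-class": "internal"}},
    {"id": "role-ci-deploy", "kind": "iam-role", "tags": {"app": "payments", "owner": "team-pay"}},
    {"id": "db-orphan", "kind": "database", "tags": {"data-class": "secret"}},
]


def audit_tags(inventory):
    """Return (resource id, problem) for every taxonomy violation found."""
    findings = []
    for res in inventory:
        tags = res["tags"]
        for missing in sorted(REQUIRED_TAGS - tags.keys()):
            findings.append((res["id"], f"missing tag {missing}"))
        app = tags.get("app")
        if app is not None and app != app.lower():
            # Inconsistent casing silently splits one app into two groups.
            findings.append((res["id"], "tag app not lowercase"))
        data_class = tags.get("data-class")
        if data_class is not None and data_class not in ALLOWED_DATA_CLASS:
            findings.append((res["id"], f"unknown data-class {data_class}"))
    return findings


def group_by_app(inventory):
    """Map normalised app label to resource ids; untagged assets go to '<unlabelled>'."""
    groups = defaultdict(list)
    for res in inventory:
        groups[res["tags"].get("app", "<unlabelled>").lower()].append(res["id"])
    return dict(groups)


def data_stores_for(inventory, app):
    """Data-holding assets (databases, buckets) that belong to one application."""
    return sorted(res["id"] for res in inventory
                  if res["kind"] in {"database", "bucket"}
                  and res["tags"].get("app", "").lower() == app)
```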

Implement Continuous Monitoring

You need continuous monitoring in two different realms. The first is data and identity. You should have insight into where your data lives at any given time, and know who and what is accessing it through activity logs. Connect the dots between your identity inventory and data activity.

Second, you need general insight into your cloud footprint, and 'always on' asset scanning. Traditional vulnerability management and scanners were periodic - this doesn't work in the cloud. The cloud is ephemeral and dynamic, meaning you can miss things in between scans and compromise compliance. An agentless workload security solution with insights into identity and data risks is the way to go here.

Access Tracing

Access tracing is the process of recording every call to every external function, service, or data store the application needs to function. If you were to use a more formal name, it would likely be "Authentication and Authorization Auditing."

With regulatory compliance in some industries going as far as needing to track who updated, or even viewed, each and every record, tracing every unique call to every service allows that information to be retrieved if and when regulators formally request it.

This level of transaction logging within every application provides more than enough information to build a usage pattern and even apply ML or AI to the dataset to find anomalies before they are discovered by external auditors. These anomalies could be anything from a clerk in one department requesting results from another department or an ex-husband trying to look up his ex-wife's bank balance.

This type of tracing is invaluable to security, cloud, and compliance teams when it comes to passing routine audits. There are other types of tracing that apply in a security context, but those are much more focused on defect and performance tracking.
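The following is an added example, not code from the article, showing the kind of questions an access trace answers: the cross-department lookup the text describes, a per-identity volume spike against a baseline, and the regulator's "who touched this record" query. The record schema, identities, and baseline counts are all constructed for the example.

```python
"""Anomaly checks over a constructed access trace (hypothetical schema)."""
from collections import Counter


def rec(ts, principal, dept, action, owner_dept, record):
    """One authorised call: who (and from which department) did what to whose record."""
    return {"ts": ts, "principal": principal, "dept": dept,
            "action": action, "owner_dept": owner_dept, "record": record}


# Constructed trace: a claims clerk reads two claims records, then one billing
# record; a billing clerk reads seven records in one hour.
TRACE = [
    rec("2022-12-01T09:00:00Z", "clerk-a", "claims", "read", "claims", "r-100"),
    rec("2022-12-01T09:01:00Z", "clerk-a", "claims", "read", "claims", "r-101"),
    rec("2022-12-01T09:02:00Z", "clerk-a", "claims", "read", "billing", "r-900"),
    rec("2022-12-01T09:03:00Z", "svc-report", "billing", "read", "billing", "r-901"),
] + [rec(f"2022-12-01T10:{i:02d}:00Z", "clerk-b", "billing", "read", "billing", f"r-{200 + i}")
     for i in range(7)]

# Constructed baseline: typical daily call count per identity, assumed to have
# been learned from earlier trace data.
BASELINE = {"clerk-a": 2, "clerk-b": 2, "svc-report": 50}


def cross_department_access(trace):
    """Calls where the caller's department differs from the record owner's."""
    return [r for r in trace if r["dept"] != r["owner_dept"]]


def volume_spikes(trace, baseline, factor=3):
    """Identities whose call count exceeds factor x their baseline."""
    counts = Counter(r["principal"] for r in trace)
    return {p: n for p, n in counts.items() if n > factor * baseline.get(p, 1)}


def records_touched_by(trace, record_id):
    """Regulator question: who viewed or updated this record, and when?"""
    return [(r["ts"], r["principal"], r["action"])
            for r in trace if r["record"] == record_id]
```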

Maintain Least Privilege

The basic idea behind the principle of least privilege is to grant only the permissions an identity (person or machine) needs in order to accomplish its prescribed function - nothing more. This can be done by assigning permissions to each and every identity individually, which at scale is an absolute nightmare to maintain and audit.

The other approach is for every application to define a set of roles that control the various personas it has available - like individual roles for selecting, updating, and deleting - and then assign roles to users as required. With this role-based approach, it can be quickly determined who has been granted access to which role. On the flip side, it's easy to see what access a user has across the entire enterprise.

Once you achieve Least Privilege, maintaining it is only possible with continuous insight into all identities, their effective permissions, and their data activity.
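As an added example (not the article's or any vendor's code), the model below implements the role-based approach just described: applications define select, update, and delete roles, identities are assigned roles, and the two audit questions (who holds a role, what can an identity do across the enterprise) become simple lookups. A final check compares granted permissions with observed activity to spot least-privilege drift. All roles, identities, and activity data are constructed.

```python
"""Role-based least-privilege model with audit queries (hypothetical data)."""

# Roles each application defines; a permission is an (app, action) pair.
ROLES = {
    "ledger-reader": {("ledger", "select")},
    "ledger-editor": {("ledger", "select"), ("ledger", "update")},
    "ledger-admin": {("ledger", "select"), ("ledger", "update"), ("ledger", "delete")},
    "crm-reader": {("crm", "select")},
}

# Constructed assignments: identity -> roles. Machine identities count too.
ASSIGNMENTS = {
    "alice": {"ledger-editor", "crm-reader"},
    "bob": {"ledger-reader"},
    "svc-nightly": {"ledger-admin"},
}

# Constructed activity summary: permissions actually exercised, as would be
# derived from data activity logs.
OBSERVED = {
    "svc-nightly": {("ledger", "select"), ("ledger", "update")},
}


def effective_permissions(identity):
    """Union of the permissions of every role the identity holds."""
    perms = set()
    for role in ASSIGNMENTS.get(identity, set()):
        perms |= ROLES[role]
    return perms


def who_has_role(role):
    """Audit question one: which identities were granted this role?"""
    return sorted(i for i, roles in ASSIGNMENTS.items() if role in roles)


def who_can(app, action):
    """Audit question two, inverted: every identity able to perform this action."""
    return sorted(i for i in ASSIGNMENTS if (app, action) in effective_permissions(i))


def unused_permissions(identity, observed=OBSERVED):
    """Granted but never exercised: candidates for removal to restore least privilege."""
    return effective_permissions(identity) - observed.get(identity, set())
```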

Operationalize Your Compliance

The cloud is about scale and scope. Operationalizing security and compliance procedures is critical. Your organization should automate workflow, remediation, and prevention capabilities across your cloud. Look for platforms that leverage automation. This can mean offering pre-built security and compliance frameworks and automating remediation efforts with bots to take low-hanging fruit off your development or security team's back.

Let's say drift is detected - triaging and executing remediation in a timely and efficient manner matters. Leverage a platform with capabilities like assigning certain individuals or teams to specific tickets so the right people are notified.

Lastly, insight into your entire cloud footprint - identity, data, platform, and workload risks - informs business sensitivity and therefore prioritization. The right platform takes this insight into consideration and prioritizes compliance or security concerns for you.

Reaching compliance

Compliance is serious business. By extending these practices and principles to all areas of an application stack, the decentralized nature of a cloud-native application and its underpinning data can be managed, tracked, and controlled as required. It is best to work with vendors that are designed for cloud native compliance, like Sonrai Security, to help automate the tracking of all your cloud resources - from configuration to account access, to activity monitoring - across all the public clouds in your organization.

With Sonrai Security, data sovereignty, data movement and identity relationships are all monitored to ensure conformance to sovereign, GDPR, HIPAA and other compliance mandates. Compliance capabilities include:

  • GDPR compliance: Geographic sovereignty is confirmed and data asset discovery is supported. PII data movement is monitored.
  • NIST, ISO, HIPAA, PCI and other compliance reporting: Mandate specific reporting and continuous audit of all identity, developer and privilege access to regulated data assets.
  • Data sovereignty monitoring: Data classification and location is determined. Movement between geographies and access from alternate geographies is monitored.
  • Data asset inventory: Unreported data assets will be found, identified and monitored across cloud accounts and developer teams.
  • Continuous monitoring of configuration data: Cloud configuration data, identity, data access, and data movement are collected, normalized, and available for compliance and audit teams.
  • Configurable frameworks for your company and industry: Out-of-the-box support is available for major government and industry regulations. Frameworks can be easily customized for unique company requirements.
  • Flexible third-party data connectors: Out-of-the-box support is available for industry leading cloud providers (e.g., AWS, Azure, and GCP) and data stores (e.g., Aurora, Cassandra, Gremlin, MongoDB, MSQL, MySQL, Oracle, PostgreSQL, SQL, SQL Server, etc.)




Eric Kedrosky, CISO, Sonrai Security

Eric Kedrosky 

Eric Kedrosky is the CISO at Sonrai Security. He's been in the security game for over 15 years, with stops as head of cyber security at major financial & telecom institutions in the US & Canada. Eric has built cloud security competencies from the ground up for enterprises rich with sensitive customer data, in addition to helping many organizations migrate their security from on-premises to public cloud. Most recently, he was the head of security for a financial crime services company.

Today, Eric is tasked with leading Sonrai's own security efforts and staying on the forefront of cloud security tech. He's equally interested in the most bleeding edge breach techniques and the more common mistakes that enterprises are making en masse as they move to cloud.

Eric is based in St. John's in Canada. He's an avid yogi and loves the outdoors; when he's not talking security, you'll find him taking in the natural beauty Newfoundland has to offer.
Published Friday, December 09, 2022 7:39 AM by David Marshall