August 17, 2023

Compliance, Security, and Governance: What your cloud needs today to thrive tomorrow

When it comes to building and maintaining a solid foundation for your cloud infrastructure, there are three essential ingredients you can’t do without: Compliance, Security, and Governance.

Although there is some overlap between these, each of these pillars is needed to support a reliable cloud environment and avoid major problems in the future.

In this article, we’ll look at how you can implement these essential elements, and give you some practical tips that make it all so much easier.

Separating the variables

First, let’s look at what each of these pillars consists of, as this will help you understand the different tasks involved and the tools you need for each one.

It’s tempting to think of these as three ‘layers’, each built on top of the last (Compliance, then Security, then Governance), but each pillar matters in its own right and serves a different role.

Compliance

Compliance is all about meeting the legal and regulatory requirements that apply to your infrastructure. These can vary depending on the specific industry and use case - for example, if your project is being used to store or access patient data in a healthcare setting, or if you need to process payments or other sensitive information.

Examples of common regulations and standards include GDPR, ISO/IEC 27001, PCI DSS, HIPAA/HITECH, FedRAMP, FIPS 140-2, and NIST SP 800-171. Failing to meet the requirements that apply to you can mean fines, failed audits, and lost clients. Compliance covers multiple domains such as data handling, security controls, reporting and logging, and potentially much more, depending on the use case.

Security

Good cloud security isn’t just about meeting the ‘bare minimum’ security standards set by industry regulations. Security should always be a top priority, as it protects your customers’ data and your most valuable assets, and safeguards your work.

Even if you have no ‘valuable’ data to steal, security is essential to prevent attacks that can vandalize months of hard work and drive away customers. Good security combines secure procedures and rules (see Governance, below), proactive testing such as pentests and vulnerability scanning, and active threat detection in the running environment.

Governance

Governance sets the rules. It enforces the ‘right’ behaviors, so you can continue to be compliant, secure, and accountable. As well as covering the critical areas of Compliance and Security, Governance is essential for keeping costs under control, projects on schedule, and much more too.

Because cloud environments get incredibly complex over time, it can quickly become nearly impossible to gain real visibility over what’s going on, who’s doing what, and how. For this reason, firm rules act as guardrails against unsafe practices and ensure your complex cloud infrastructure develops according to a safe plan.

So, in a nutshell, Governance sets rules for a lot of different things, including cost control, identity (and access) management, configuration consistency, security policies, and standardized deployment processes.

Governance is a huge area of responsibility; it sets out all the rules and procedures needed to meet Compliance, Security, and every other major requirement for your cloud. In many ways, Governance is what puts Compliance and Security into action, so let’s take a closer look at some practical ways to implement Governance for your cloud, and how it helps achieve compliance and security.

Governance in motion: best practices for a secure and compliant cloud

It can seem like a lot – because it is – but the following practical steps can take a big chunk out of this mammoth responsibility.

Encryption

To ensure that your sensitive data remains secure, Governance should set out specific guidelines that guarantee your data is encrypted at rest and, using secure protocols, in transit.

This is one of the most important forms of security, as it ensures information can only be read by the people or applications that hold the right key. Database files, for example, should be encrypted on disk so that only the database (through its key) can read them; anyone who copies the underlying disk, a snapshot or a backup gets only ciphertext.

For data in transit, TLS (older SSL versions are broken and should be disabled) stops any intermediate party from reading data as it crosses the network, provided the client actually validates the server’s certificate rather than accepting any certificate it is shown. It also prevents tampering with information en route, which is important for any application, but especially for one that might be a target for criminals or state actors.

Audit logs

What just happened? Thanks to your audit logs, you can travel back in time, and see. Audit logs help with achieving accountability by recording events, changes, procedures, and other activities. These can be essential for meeting regulatory compliance, but also have the effect of dissuading ‘deviant behaviors’ by bringing accountability into the frame.

At Blackbird, we use AWS CloudTrail to log all interactions and activity across our AWS accounts. The service is comprehensive and easy to set up, and according to AWS it is in scope for many of the key compliance programs, such as PCI DSS, SOC, and HIPAA, so that’s one less thing to worry about. That covers AWS’s side of the shared responsibility model; on your side, make the trail multi-region, turn on log file validation, and deliver the logs to a bucket that the accounts being audited cannot alter, otherwise an attacker who gains admin rights can simply stop the trail or delete the evidence.

Cloud security posture management (CSPM)

With so many threads to keep hold of, there’s a clear need for an automated CSPM tool that can help monitor your cloud and identify potential vulnerabilities. This is especially important as your cloud infrastructure grows and becomes more complex. As well as monitoring and alerting you to potential risks, a good CSPM tool should give you the ability to respond.

Where manual review can no longer give you true visibility, CSPM is about as good as it gets. It continuously checks your configuration against the rules you have set, detects policy drift, and, where you have wired in remediation, fixes it, so your cloud keeps following the right rules even as it grows and connects to other systems.

At Blackbird, we really like working with AWS Security Hub. It gives you a clear overview by aggregating findings from its own standards checks and from other services (such as GuardDuty and Inspector) in one place, so you can act immediately. If you want to keep on top of your security posture, this one tool gives you the centralized view needed to maintain a consistent posture across all your accounts and regions.
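
As an added example, and not Blackbird’s tooling or AWS Security Hub itself, the Python script below does what a CSPM check does at its core. It takes an inventory of S3 bucket configurations and evaluates each bucket against the encryption guardrails from the Encryption section (default server-side encryption at rest, and a bucket policy that denies any request not made over TLS) plus a public access block check, then emits one finding per failure. The inventory is constructed inline in the shape of the GetBucketEncryption, GetBucketPolicy and GetPublicAccessBlock responses; the bucket names, KMS key alias and control IDs are hypothetical. In a real account the same data would be collected with boto3 and the findings pushed to Security Hub or a ticketing system.

```python
"""Minimal CSPM-style drift check over constructed S3 bucket configurations.

Added example: not Blackbird's tooling and not AWS Security Hub. In a real
deployment the inventory would be collected with boto3 (get_bucket_encryption,
get_bucket_policy, get_public_access_block); here it is constructed inline.
"""
import json

# Constructed inventory. Bucket names and the KMS alias are hypothetical.
INVENTORY = {
    "payments-data": {
        "encryption": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/payments"}}]
        },
        # The standard "TLS only" guardrail: deny every request that did not
        # arrive over TLS. aws:SecureTransport is a real IAM condition key.
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": ["arn:aws:s3:::payments-data",
                             "arn:aws:s3:::payments-data/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }],
        }),
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    },
    "marketing-assets": {          # drifted: created by hand, never hardened
        "encryption": None,        # no default server-side encryption
        "policy": None,            # no bucket policy, so plain HTTP is accepted
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    },
}

ACCEPTED_SSE = {"AES256", "aws:kms", "aws:kms:dsse"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def check_encryption_at_rest(cfg):
    """Encryption at rest: a default SSE rule with an accepted algorithm."""
    enc = cfg.get("encryption")
    if not enc:
        return "no default server-side encryption configured"
    algos = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
             for r in enc.get("Rules", [])}
    if not algos & ACCEPTED_SSE:
        return f"unexpected SSE algorithm(s): {sorted(algos)}"
    return None


def check_tls_only(cfg):
    """Encryption in transit: a Deny statement on aws:SecureTransport=false."""
    raw = cfg.get("policy")
    if not raw:
        return "no bucket policy; requests over plain HTTP are accepted"
    for stmt in json.loads(raw).get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        # The value may be serialised as the string "false" or as a boolean.
        if (stmt.get("Effect") == "Deny"
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return None
    return "bucket policy has no Deny on aws:SecureTransport=false"


def check_public_access_block(cfg):
    """All four public access block flags must be on."""
    pab = cfg.get("public_access_block") or {}
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    return f"public access block incomplete, missing {missing}" if missing else None


# Hypothetical control IDs, loosely modelled on Security Hub's naming.
CHECKS = {
    "S3.EncryptionAtRest": check_encryption_at_rest,
    "S3.TLSOnly": check_tls_only,
    "S3.PublicAccessBlock": check_public_access_block,
}


def evaluate(inventory):
    """Run every check against every bucket; return one finding per failure."""
    findings = []
    for bucket, cfg in inventory.items():
        for control, check in CHECKS.items():
            detail = check(cfg)
            if detail:
                findings.append({"resource": f"arn:aws:s3:::{bucket}",
                                 "control": control, "status": "FAILED",
                                 "detail": detail})
    return findings


if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print(f"{finding['status']} {finding['control']:<22} "
              f"{finding['resource']}: {finding['detail']}")
```

The DenyInsecureTransport statement in the compliant bucket is the actual policy you would attach to enforce TLS; the drift check only verifies that it is still there. Against the sample inventory the script reports three FAILED findings, all for the hand-built marketing-assets bucket, which is exactly the kind of drift that creeps in when a bucket is created outside your standard deployment process.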

Intelligent threat detection

This is another automated tool, one that uses machine learning and threat intelligence to analyze the behavior of users, workloads, and containerized applications for anything ‘out of the ordinary’. Based on atypical behaviors like remote access from a new location, unusual API calls, bursts of failed login attempts, or other suspicious activity, it identifies and flags potential malicious activity.

AWS offers a handy tool for this: Amazon GuardDuty. It combines machine learning with analysis of CloudTrail events, VPC Flow Logs and DNS logs, plus detection of malicious files, giving you a powerful security overview across your AWS accounts. There are numerous other tools too, such as Falco for runtime detection on hosts and containers, but these vary in capability and applicability, so the ‘best tool’ really depends on the use case.
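
Here is an added example, not Blackbird’s code and not a reimplementation of GuardDuty, of the kind of rule a detection engineer writes over the audit logs described above: a Python script that reviews a handful of CloudTrail records and flags three things, a successful console login without MFA, API calls that tamper with CloudTrail itself (the ‘who switched off the logs’ case), and a console login from a source IP outside the user’s baseline, which is the ‘remote access from a new location’ signal in its simplest form. The records, user names, trail name and baseline are constructed (the IP addresses are from the RFC 5737 documentation ranges); the field names, eventName, eventSource, userIdentity and additionalEventData.MFAUsed, follow the real CloudTrail record format.

```python
"""Rule-based review of constructed CloudTrail records.

Added example: not Blackbird's tooling and not a reimplementation of GuardDuty.
Record shape follows the CloudTrail event format; the events, user names, trail
name, IP addresses and baseline below are constructed for illustration.
"""
import json

# Constructed CloudTrail records (a subset of the real fields), one per line.
EVENTS = [json.loads(line) for line in """
{"eventTime":"2023-08-01T08:02:11Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2023-08-01T08:15:42Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"203.0.113.22","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2023-08-01T23:41:05Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.77","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2023-08-01T23:43:19Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.77","requestParameters":{"name":"org-trail"}}
{"eventTime":"2023-08-01T23:44:02Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.77"}
""".strip().splitlines()]

# Constructed per-user baseline of known source IPs. In practice this is
# derived from weeks of history or from the corporate egress ranges.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}}

# CloudTrail API calls that weaken or disable the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(event):
    """Best-effort human-readable principal for an event."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def rule_console_login_without_mfa(event):
    if event.get("eventName") != "ConsoleLogin":
        return None
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if event.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    return "successful console login without MFA"


def rule_trail_tampering(event):
    if (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TRAIL_TAMPERING):
        trail = event.get("requestParameters", {}).get("name", "?")
        return f"CloudTrail tampering: {event['eventName']} on trail {trail}"
    return None


def rule_login_from_new_ip(event, known_ips=KNOWN_IPS):
    if event.get("eventName") != "ConsoleLogin":
        return None
    ip = event.get("sourceIPAddress")
    if ip not in known_ips.get(actor(event), set()):
        return f"console login from IP {ip} not in user's baseline"
    return None


RULES = (rule_console_login_without_mfa, rule_trail_tampering, rule_login_from_new_ip)


def review(events, rules=RULES):
    """Return one alert dict per (event, rule) match, in event order."""
    alerts = []
    for event in events:
        for rule in rules:
            reason = rule(event)
            if reason:
                alerts.append({"time": event["eventTime"], "actor": actor(event),
                               "rule": rule.__name__, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in review(EVENTS):
        print(f"{alert['time']} {alert['actor']:<6} {alert['rule']}: {alert['reason']}")
```

Against the sample records the script raises three alerts: bob’s login without MFA, alice’s login from an address outside her baseline, and the StopLogging call that follows it two minutes later. That sequence (new location, then an attempt to blind the audit trail) is exactly why the trail should live somewhere the audited account cannot touch. GuardDuty does this with far richer baselines and threat intelligence feeds, but the principle of deciding what ‘normal’ is and alerting on the deviation is the same.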

Container and workload scanning

You can never have too many layers of security. As well as intelligent threat detection, which is great for discovering active threats (and reconnaissance activities) from malicious actors, it’s still worth scanning your containers and workloads separately.

This can uncover vulnerabilities that haven’t yet resulted in ‘unusual behavior’. Amazon Inspector can scan your running workloads and Amazon ECR can scan container images when they are pushed or on a schedule. Combined, these give you near-continuous visibility into known vulnerabilities in what you deploy, but visibility only becomes protection when you act on it, for example by gating deployments on the findings and tracking remediation.
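
To turn scan results into a guardrail rather than a report, here is an added example (not Blackbird’s pipeline and not the logic of Amazon Inspector or ECR): a Python deploy gate that reads the findings of a container image scan and decides whether the image may ship. It blocks on CRITICAL or HIGH findings that have a fix available, reports but does not block findings with no fix yet, and honours an allowlist of accepted exceptions that expire. The scan result is constructed inline and shaped loosely after the imageScanFindings block of ECR’s DescribeImageScanFindings response; the fixed_version attribute is an assumption made for this example, and the image tag, allowlist entries and dates are made up.

```python
"""Deploy gate over a constructed container image scan result.

Added example: not Blackbird's pipeline and not Amazon ECR or Inspector logic.
SCAN is shaped loosely after the imageScanFindings block of an ECR
DescribeImageScanFindings response; the "fixed_version" attribute is assumed
for this example, and all values are constructed.
"""
from datetime import date

SEVERITY_RANK = {"INFORMATIONAL": 0, "UNDEFINED": 0, "LOW": 1,
                 "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan of a hypothetical image. CVE-2021-44228 (Log4Shell) is a
# real, fixable critical; CVE-2016-2781 is a real low-severity coreutils issue
# commonly reported on Debian-based images without a fix shipped.
SCAN = {
    "imageId": {"imageTag": "api:2023-08-17"},
    "imageScanFindings": {
        "findings": [
            {"name": "CVE-2021-44228", "severity": "CRITICAL",
             "attributes": [{"key": "package_name", "value": "log4j-core"},
                            {"key": "package_version", "value": "2.14.1"},
                            {"key": "fixed_version", "value": "2.15.0"}]},
            {"name": "CVE-2016-2781", "severity": "LOW",
             "attributes": [{"key": "package_name", "value": "coreutils"},
                            {"key": "package_version", "value": "8.32-4"}]},
        ],
        "findingSeverityCounts": {"CRITICAL": 1, "LOW": 1},
    },
}


def attributes(finding):
    """Flatten the scan's list of {key, value} pairs into a dict."""
    return {a["key"]: a["value"] for a in finding.get("attributes", [])}


def gate(scan, block_at="HIGH", allowlist=None, today=None):
    """Decide whether an image may be deployed.

    Blocks on findings at or above `block_at` that have a fix available and are
    not covered by an unexpired allowlist entry ({cve: "YYYY-MM-DD"}). Findings
    with no fix yet are listed under "unfixed" but do not block, so the team is
    not trained to ignore a gate that is permanently red. Dates are ISO strings,
    which compare correctly as plain strings.
    """
    today = today or date.today().isoformat()
    allowlist = allowlist or {}
    threshold = SEVERITY_RANK[block_at]
    result = {"blocking": [], "waived": [], "unfixed": []}
    for finding in scan["imageScanFindings"]["findings"]:
        if SEVERITY_RANK.get(finding["severity"], 0) < threshold:
            continue
        attrs = attributes(finding)
        label = (f"{finding['name']} {finding['severity']} in "
                 f"{attrs.get('package_name')} {attrs.get('package_version')}")
        if "fixed_version" not in attrs:
            result["unfixed"].append(label)
            continue
        expiry = allowlist.get(finding["name"])
        if expiry is not None and expiry >= today:
            result["waived"].append(f"{label} (accepted until {expiry})")
            continue
        result["blocking"].append(f"{label}, fix available: {attrs['fixed_version']}")
    result["allowed"] = not result["blocking"]
    return result


if __name__ == "__main__":
    verdict = gate(SCAN, today="2023-08-17")
    print("ALLOWED" if verdict["allowed"] else "BLOCKED", SCAN["imageId"]["imageTag"])
    for key in ("blocking", "waived", "unfixed"):
        for line in verdict[key]:
            print(f"  {key}: {line}")
```

In a CI pipeline the non-zero exit on a BLOCKED verdict is what stops the deploy. The expiring allowlist matters in practice: without it, the first unfixable or false-positive finding leads someone to disable the gate altogether, and with a permanent allowlist accepted risks are never revisited.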

What do you need to do next?

It’s not just about what your cloud is doing today – it’s about the long game. What possibilities are awaiting your cloud in the future? Will you need to meet new regulations as your cloud expands and you start working with new clients or operating in new sectors?

With a solid foundation for your cloud, you are in the best position to know where you’re at right now, and what you need to do to meet new standards in the future. Hopefully, the tips above will give you a head start on meeting the most common requirements for a secure cloud.

Want to talk about the details of your project? Get in touch, and we’ll help your project fly!
