This is a guest post, the opinions and thoughts expressed are those of the author and do not reflect on Techaeris. The authors full bio is located at the end of this article.

Strategizing cloud compliance with a traditional enterprisemindset is detrimentalfor all organizations.

As organizations continually move their workloads on cloud platforms, they need to ensure their data, workloads, and processes meet compliance requirements. The traditional mindset to achieve compliance on cloud is the biggest hurdle organizations face and to overcome requires a perspective change and understanding the challenges is paramount to achieve what is needed.

Hereare some challenges that companies face and I will share some of my insights toexplain how to tackle the hurdles.

Despite significant efforts from cloud providers in creating awareness of ashared responsibility model, providing security controls and training, organizations still struggle to understand the Shared Security Model and make mistakes in delineating the responsibilities.Organizations end up with critical security gaps on their cloud assets assuming its the Cloud service providers responsibility leading to potential breaches.

Compliance requirements/objectives remain the same across cloud computing layers. However, the accountability to achieve a specific requirement on a SaaS vs an IaaS platform may be completely different with one requiring the Cloud Provider to implement the same whereas others require the customer.

For example, data at rest encryption requires meeting compliance objectives on a SaaS platform as compared to an IaaS service that has different responsibility models and implementation sets.

Organizations try to retrofit their existing enterprise securitycontrols for assessing and meeting their compliance needs on Cloud to save oncosts and time. This leads to erroneous results and will cost more interms of time and effort to fix the failed compliance objectives and securitymisconfigurations.

For example, PCI compliance mandates assigning a unique ID to each person with computer access which is a straightforward use case in a traditional enterprise. However, this specific requirement translates into several key use cases in the content of an IaaS service. A person can access IaaS resources via its management portal, APIs, Command Line or even from an end workload via native IAM Roles.

Traditionally security and compliance policies are documented in large and difficult to comprehend paper documents. Post software production, security officers/personnel validate the software to ensure they meet the documented policies which often fall short due to time constraints on delivery, go to market pressure and incorrect understanding of the software.The security and Development teams relationship gets affected in the due process which attributes to the creation of non-resilient and insecure software most of the time.

The cloud ecosystem isephemeralin nature, leading to an extremely fast environment and making it extremely difficult tomanage and track the drift. Enforcing security controls to maintain the compliance standards in a rapidly changing environment is complex, requires discipline, redesign of legacy applications and can be a costly affair if not done correctly. Always remember that meeting cloud compliance requirements is difficult, staying compliant is more.

The following are the salient ways to enable organizational changes which are instrumental in bringing a change in perspective, change in culture and eventually leading to achieving and staying compliant in a Cloud ecosystem.

Cloud providers have invested a lot in creating awareness and a knowledge base articulating their responsibilities.Cloud adoption strategy should include investment in learning and training the teams about responsibility shift.

Microsofts shared responsibility guideandAWS Shared responsibility guideare great starting points to learn. Delineating and defining responsibilities for IaaS, PaaS and SaaS service models as early as possible is the mantra to success.Moving toCloud does not mean organizations are off the hook to secure their workloads or data on cloud.

The rise in devOps adoption has significantly impacted the ways in which organizations are producing software. With this change in methodology, security and compliance controls need to shift left and not be implemented closer to production.Conversion of paper-based security and compliance policies to code templates is the fundamental change, organizations should be willing to adopt.

Starting early and converting security as code is the answer toachieve compliance at cloud scale.

Managing drift in Cloud is difficult due to its ephemeral and high-velocity nature. Automation and real-time enforcement of compliance policies is the mantra to stay compliant.

Automation allows organizations to enforce security policies and security controls homogeneously in an ever-changing cloud ecosystem. This could further be augmented with real-time enforcement of compliance policies, which is an absolute necessity to stay compliant. In-house automation as well as products likeChef,Puppet,etc. can be used to automate and manage drift and meet compliance objectives (disclosure Saviyntis a partner ofChefSoftware)

Organizations in the regulated industries are spending significant time in defining security and compliance controls to meet the stringent and complex compliance mandates. Investments in external consultation or third party products not only expedite the process but also ensure the correctness of the mappings.

Organizational change in culture and mindset are fundamental shifts, which needs to occur at the grassroots level to ensure asuccessful, secure and compliant cloud adoption and can make a hugedifference in your organizations compliance fulfillment.

About the Author: As Saviynts Chief Cloud Officer, Vibhuti Sinha, is the owner of Saviynts cloud platform and products of Saviynt (www.saviynt.com ) As the owner of Saviynts cloud platform, he is responsible to deliver Saviynts IGA and cloud security offerings as services to its customers across the globe. He is also responsible for the strategy and innovation of products to secure various cloud providers, cloud applications and platforms. He has 16+ years of experience in defining security vision and roadmap, building security solutions, defining IAM strategy and implementing large scale security platforms for Fortune 500 organizations.

Last Updated on January 30, 2020

Here is the original post:

A change in perspective is the key to achieving compliance on the cloud - Techaeris