1. Automate
There is no shortage of cloud security compliance tools. Many, such as Cloudaware, DivvyCloud and CloudHealth, support all three leading cloud providers: AWS, GCE and Azure. These tools ship with compliance policies that evaluate your cloud infrastructure against the best practices laid out by the cloud providers themselves. Cloudaware supports the CIS Benchmarks for AWS, Azure and GCE. AWS offers Trusted Advisor and Security Hub, which also support the CIS benchmarks. The point is that compliance checking should be a continuous, daily process, not something you hire contractors to do annually.
2. Deploy Checks and Balances
A compliance program will not succeed without accountability and a proper management structure. For example, if the team that runs the compliance checks is also responsible for remediating them, it is very likely that many issues will remain unresolved. Self-policing is not a good idea. Successful compliance programs involve at least three different stakeholder types:
- The team that runs the compliance checks, e.g. cloud security or cloud compliance
- The actual account owners: the engineers who remediate identified issues or appeal violations
- A management team that tracks key KPIs such as resolution time and violation trends
3. Create Violation Lifecycle Management Process
The recent incident with Capital One demonstrated that it pretty much does not matter how good your compliance tools are. You can have the best tools, but without a violation-handling process in place they are useless. Here are the top tips for creating a successful violation lifecycle management process.
- Create assignment logic so that violations are assigned automatically to the appropriate teams. If you pile ALL violations onto one team or one person, it is simply not realistic to expect them to remediate everything. Violations must be assigned to specific teams and departments.
- Integrate with the ticketing systems your company already uses: Jira, ServiceNow, ZenDesk, ServiceCloud, etc.
- Create an appeals process. Without an appeals process in place, you will end up creating a culture where it is OK to ignore violations, and that is a taboo you should avoid at all costs. Cloudaware Compliance Engine, for example, generates violations that come with an appeal button. This allows the team responsible for remediation to request an exemption.
4. Measure and Report
The key KPIs to track are:
- Number of high, medium and low violations
- Violation age (how long it takes for a violation to be remediated or exempted)
- Number of policies. This matters because as you add new policies the number of violations may increase substantially and make teams look worse off simply because new checks have been added.
- Number of objects inspected, which should be tracked for the same reason as the number of policies. For example, if you add a new cloud account through an acquisition or some other operational event, the number of violations will spike because your infrastructure footprint has grown.
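The assignment logic from section 3 and the four KPIs from section 4 together, as an added example that is not part of the original post or of any Cloudaware product: a violation record, an account-to-team routing table (hypothetical), and KPI functions that normalise open violations by both policy count and object count. All sample data is constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

@dataclass
class Violation:
    account: str
    policy: str
    severity: str                      # "high", "medium" or "low"
    opened: datetime                   # when the check first flagged it
    closed: Optional[datetime] = None  # when it was remediated or exempted
    status: str = "open"               # "open", "remediated" or "exempted"

# Hypothetical account-to-team routing table (an assumption, not from the post).
ACCOUNT_OWNERS = {"prod-payments": "payments-eng", "prod-web": "web-eng"}

def assign(v: Violation, owners=ACCOUNT_OWNERS, fallback="cloud-security") -> str:
    """Route a violation to the team owning the account it was found in. Unowned
    accounts land with the compliance team; a growing fallback queue is the
    'pile everything on one team' anti-pattern the post warns about."""
    return owners.get(v.account, fallback)

def open_by_severity(vs) -> Counter:
    """KPI: open violations per severity level."""
    return Counter(v.severity for v in vs if v.status == "open")

def median_age_days(vs, now: datetime) -> float:
    """KPI: median days from detection to closure; open ones age until `now`."""
    return median(((v.closed or now) - v.opened).days for v in vs)

def violation_rate(vs, n_policies: int, n_objects: int) -> float:
    """KPI: open violations per (policy, object) pair, so that adding a policy
    or onboarding an acquired account does not make teams look worse off."""
    return sum(v.status == "open" for v in vs) / (n_policies * n_objects)

# Constructed sample data; policy names are illustrative placeholders.
T0, NOW = datetime(2024, 1, 1), datetime(2024, 1, 15)
SAMPLE = [
    Violation("prod-payments", "root-account-mfa", "high", T0, datetime(2024, 1, 3), "remediated"),
    Violation("prod-web", "bucket-public-read", "medium", T0),
    Violation("sandbox-7", "unused-access-key", "low", T0, datetime(2024, 1, 11), "exempted"),
    Violation("prod-web", "root-account-mfa", "high", datetime(2024, 1, 5)),
]

if __name__ == "__main__":
    print({v.policy: assign(v) for v in SAMPLE})
    print(dict(open_by_severity(SAMPLE)), median_age_days(SAMPLE, NOW), violation_rate(SAMPLE, 4, 10))
```

Report the rate alongside the raw counts: the count tells a team what to fix, the rate tells management whether the trend is real or an artefact of new policies or accounts.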
5. Avoid Common Mistakes
- Thinking you can automate remediation of all violations. This is naive. Yes, many violations can be remediated automatically, such as deactivating keys that have not been used in over a year, but remediation automation as a strategy is not sufficient on its own.
- Thinking you can “templatize” and automate everything so that violations are never created in the first place. It is a great way to reduce the number of violations, but relying on it as the sole strategy is also not sufficient.
- Not providing a way to appeal for an exemption. This is by far the worst mistake because it encourages a culture of ignoring violations. Violations must be dealt with swiftly, either by remediating them or by applying for and receiving an exemption.
About Cloudaware Compliance Engine
Cloudaware Compliance Engine is state-of-the-art compliance automation software that comes pre-built with violation handling workflows and a large template of policies to support customers with general needs as well as regulatory requirements like PCI and HIPAA. Our compliance engine has over 400 policies, including the CIS benchmarks for AWS, Azure and GCP. Compliance Engine is integrated with Cloudaware CMDB, making it easy to understand how compliance violations impact service delivery and to route violations to the most appropriate teams. Unlike the competition, Compliance Engine allows developers not only to customize existing policies but also to develop their own custom policies. Large enterprises with hundreds of cloud accounts and thousands of instances trust Cloudaware to enforce security controls without introducing collateral damage such as API throttling or spikes in API usage and costs.