Guest author Chris Hughes, CISO and Co-Founder of Aquia, offers a view of the "Shared Responsibility Model".
Anyone who has ever worked in compliance can attest to the fact that it can be cumbersome and tedious. It often involves screenshots, spreadsheets, and other inefficient (and not-so-exciting) activities.
But how does cloud change traditional approaches to compliance and security? And how can maximizing the capabilities of cloud save your organization time, stress, and potential regulatory impacts for non-compliance? Let's have a look.
What is the shared responsibility model?
One of the primary benefits for cloud consumers related to compliance is the shared responsibility model (SRM).
The shared responsibility model creates a scenario where the consumer is no longer responsible for the entirety of the security controls from their applicable frameworks. Instead, some are met by the cloud service provider (CSP), some are shared controls between the CSP and the consumer, and some are left to the consumer.
These controls can be inherited by organizations leveraging cloud service offerings. This helps tremendously, especially for SMBs (small-to-medium businesses) without robust infrastructure, IT/cybersecurity staff, and budgets.
Many of these compliance controls equate to financial investments, expenses, and resource allocations in both time and staff. By leveraging the shared responsibility model, you can lean into the CSP and take advantage of the massive investments they have made, at scale, serving thousands of customers around the world under every compliance framework imaginable.
IaaS and compliance
For example, in the Infrastructure-as-a-Service (IaaS) model, organizations no longer need to be concerned with the underlying physical infrastructure, hardware and its associated security controls.
PaaS and compliance
Taken another level higher, in Platform-as-a-Service (PaaS), organizations can utilize managed services to avoid being concerned not only with the underlying hardware, but also with the operating systems and their associated patch and update cycles. Patching is cumbersome for many organizations, and exploitation of vulnerabilities for which patches were already available is a common occurrence.
SaaS and compliance
Lastly, at the Software-as-a-Service (SaaS) layer, customers don't have to worry about infrastructure, operating systems, or software development; they simply consume the available software to support their business activities. Each layer of abstraction in the consumption model comes with a tradeoff of less control but also less responsibility, a key consideration that organizations must weigh based on their risk tolerance.
A customer can seek out which cloud service offerings and features align with their compliance framework(s) and utilize them as they see fit to architect solutions for their organization. Given that most cloud data leaks and breaches we have seen in the last few years occurred on the customer's side of the shared responsibility model, due to customer misconfigurations, it makes sense for customers to lean into the SRM, maximize the value the CSP offers them, and instead focus on their organization's core competencies and business activities.
Templates and IaC simplify compliance
Large-scale CSPs such as AWS, Azure, and Google Cloud (GCP) are specifically tailoring offerings to help expedite and alleviate the compliance burden on their customers.
CSPs are producing policy document templates with cloud-specific inputs, which can be taken by the consumer and populated with their organizational data in support of meeting specific compliance frameworks. Producing this documentation is often time-consuming and strenuous, and being able to leverage templates helps ease some of that burden.
In the cloud, infrastructure and architecture are quickly becoming code. This is occurring through offerings such as Azure Blueprints, AWS CloudFormation and Terraform from HashiCorp — and other CSP-agnostic options. (Snag ACG's ultimate Terraform cheatsheet for more on that, by the way.)
Since the infrastructure and architecture are now code, which means they are version-controlled and auditable, they are also portable.
CSPs and third parties can provide Infrastructure-as-Code (IaC) templates to quickly spin up compliance-oriented architectures aligned with various compliance frameworks for customers to simply take, provision, and run with. This massively cuts down on the time needed to custom architect and implement environments from scratch to align with compliance security controls.
It can also help organizations that lack deep IT/cybersecurity expertise but desperately need to get an architecture and environment in place to operate in that aligns with their applicable compliance framework(s).
What is Compliance-as-Code?
Building on top of IaC is what is known as Compliance-as-Code (CaC). CaC often means defining your compliance requirements into a machine-readable language that can be automatically deployed, tested, monitored, and reported on across your entire enterprise environment.
This gives you the ability to know exactly what is occurring, what compliance deviations exist, and if taken further, automatically remediate deviations to said compliance requirements. This takes what often exists as PDF and robust policy documents and integrates them with the technology stack quickly being adopted by most organizations. This ensures a higher probability of compliance adherence, given that the requirements and controls are integrated into the codebase rather than existing in documentation that many will never go read or be familiar with.
What are reference architectures?
Adding on top of IaC templates that can quickly be provisioned by customers, AWS, Azure, and GCP are also providing reference architectures for customers to utilize as they build their own architectures, if desired.
This source of guidance is extremely valuable to customers and provides insight from hyperscale providers that have helped thousands of customers architect environments tailored to specific compliance frameworks before. These architectures often include best practices in a variety of areas such as operations, resilience, cost-optimization, and security.
As organizations increasingly adopt Continuous Integration/Continuous Deployment (CI/CD) pipelines as a means of promoting code and provisioning infrastructure, you can also integrate security scans directly into the pipeline to catch insecure configurations and compliance deviations BEFORE they ever get provisioned in the environment to begin with.
When we talk about "shifting security left," these sorts of activities are the epitome of such a process. You reduce the number of vulnerabilities you have to scan for, track, and remediate if you prevent them from ever entering the environment to begin with.
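To make the Compliance-as-Code idea from the previous section and the pipeline gate described here concrete, the following is an added example (not code from A Cloud Guru, JupiterOne, or any CSP). Each control is a machine-readable rule: a hypothetical control ID (the "CTRL-…" values are made up), the CloudFormation resource type it governs, and a predicate over the resource's declared properties. The gate walks a template and returns every deviation before anything is provisioned, so a CI/CD stage can fail the build. Property names follow CloudFormation's schema; the template itself is constructed for the example.

```python
"""Compliance-as-Code pipeline gate over an IaC template.

Added example (not ACG, JupiterOne, or CSP code). Controls are expressed as rules
with a hypothetical control ID, the CloudFormation resource type they govern, and
a predicate over the resource's declared properties. The gate returns every
deviation so a CI/CD job can fail before anything is provisioned. The sample
template below is constructed; property names follow CloudFormation's schema.
"""
from __future__ import annotations
import json
import sys
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    control_id: str                    # hypothetical mapping into a framework
    resource_type: str                 # e.g. "AWS::S3::Bucket"
    description: str
    compliant: Callable[[dict], bool]  # True when the resource satisfies the control


def public_access_blocked(props: dict) -> bool:
    """All four S3 public-access-block flags must be explicitly true."""
    cfg = props.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    return all(cfg.get(flag) is True for flag in flags)


def default_encryption_enabled(props: dict) -> bool:
    """At least one default server-side encryption rule must be declared."""
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    return any("ServerSideEncryptionByDefault" in r for r in rules)


def no_internet_ssh(props: dict) -> bool:
    """Reject any ingress rule exposing TCP/22 (or all traffic) to the whole internet."""
    for ing in props.get("SecurityGroupIngress", []):
        world = ing.get("CidrIp") == "0.0.0.0/0" or ing.get("CidrIpv6") == "::/0"
        all_traffic = str(ing.get("IpProtocol")) == "-1"
        covers_22 = ing.get("FromPort", 1) <= 22 <= ing.get("ToPort", 0)
        if world and (all_traffic or covers_22):
            return False
    return True


RULES = [
    Rule("CTRL-S3-01", "AWS::S3::Bucket", "Buckets must block all public access", public_access_blocked),
    Rule("CTRL-S3-02", "AWS::S3::Bucket", "Buckets must enable default encryption", default_encryption_enabled),
    Rule("CTRL-NET-01", "AWS::EC2::SecurityGroup", "No SSH ingress from 0.0.0.0/0 or ::/0", no_internet_ssh),
]


def evaluate_template(template: dict) -> list[dict]:
    """Return one finding per (resource, failed control), in template order."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        for rule in RULES:
            if rule.resource_type == res.get("Type") and not rule.compliant(props):
                findings.append({"resource": name, "control": rule.control_id,
                                 "description": rule.description})
    return findings


def gate(template: dict) -> tuple[bool, list[dict]]:
    """Pipeline decision: (passed, findings)."""
    findings = evaluate_template(template)
    return len(findings) == 0, findings


# Constructed template: one compliant bucket, one non-compliant bucket, two security groups.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                               "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}},  # partial block, no SSE
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "admin", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    }
}

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_TEMPLATE)
    print(json.dumps(findings, indent=2))
    sys.exit(0 if passed else 1)  # a non-zero exit fails the pipeline stage
```

Run against the constructed template, the gate reports three deviations (DataBucket fails both bucket controls, AdminSG fails the SSH control) and exits non-zero; the compliant LogsBucket and the HTTPS-only WebSG produce no findings. Keeping the rule definitions in the same repository as the templates is what turns a policy PDF into something the pipeline can enforce on every commit.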
APIs, on-demand assessments, and drift detection/remediation
One of the most valuable areas where cloud is breaking traditional compliance paradigms is around the topic of on-demand API-driven architectures and environments.
In traditional on-premises compliance activities, you're often left to resort to techniques such as sampling and screenshots to both evaluate the systems being assessed and to prove that configurations and settings match compliance requirements. This is time-consuming, inefficient, and most importantly doesn't provide a full level of assurance that the environment meets the compliance controls (since you're only sampling a subset of the environment).
In the cloud, these environments are API-driven, meaning you can constantly assess their compliance and security posture on-demand and across the full scope of the systems you're targeting or interested in. By using services such as AWS Config or Azure Monitor/Azure Security Center, you can evaluate your resources and environment configurations for compliance with specific frameworks of your choosing.
Taken a step further, not only can you query compliance on-demand through API invocations, but you can also implement notifications and auto-remediations if desired to revert non-compliant configurations back to a compliant state. This ensures that if someone were to either inadvertently or maliciously make configuration changes that alter the compliance (or security posture) of your environments, you can automatically remediate those changes back to a compliant and secure state.
No more screenshots, no more sampling, and no more manual interventions to restore compliant and secure environments. Instead, maximize the use of API- and event-driven architectures, coupled with automation, to ensure both compliance and security.
Given that compliance frameworks are often tied to fundamental and critical security controls, automating remediation of non-compliant resources and configurations is an excellent way to narrow the window of an attack due to a misconfiguration or vulnerable configuration.
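The event-driven drift detection and auto-remediation loop described above, as an added example (not vendor code and not part of the original article). The version-controlled IaC is treated as the source of truth: every configuration-change event is applied to a model of live state, compared against that baseline, and any drift in a governed setting is reverted and written to an audit log that records who changed it and when. The resource names, settings and events are all constructed; in a real deployment the revert step would be a call to the CSP's configuration or remediation service rather than an in-memory assignment.

```python
"""Event-driven drift detection and auto-remediation.

Added example (not ACG, JupiterOne, or CSP code). The declared IaC state is the
baseline; each change event is applied to a model of live state, compared with
the baseline, and any drift in a governed setting is reverted and logged.
Resource IDs, settings and events are constructed. In production the revert
would call the CSP's API; here "live" state is an in-memory dict so it runs offline.
"""
from __future__ import annotations
import copy
from dataclasses import dataclass, field

# Desired state, as it would be derived from the version-controlled IaC (constructed).
DESIRED_STATE = {
    "s3:audit-logs": {"versioning": "Enabled", "public_access_block": True, "sse": "aws:kms"},
    "sg:bastion": {"ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    "iam:root": {"mfa_enabled": True},
}

# Constructed change events in the shape a CSP change-tracking feed might deliver.
SAMPLE_EVENTS = [
    {"time": "2021-06-01T10:00:00Z", "actor": "deploy-role", "resource": "s3:audit-logs",
     "setting": "versioning", "value": "Enabled"},                          # matches baseline
    {"time": "2021-06-01T10:05:00Z", "actor": "alice", "resource": "sg:bastion",
     "setting": "ingress", "value": [{"port": 22, "cidr": "0.0.0.0/0"}]},   # drift
    {"time": "2021-06-01T10:07:00Z", "actor": "bob", "resource": "s3:audit-logs",
     "setting": "public_access_block", "value": False},                      # drift
    {"time": "2021-06-01T10:09:00Z", "actor": "alice", "resource": "s3:audit-logs",
     "setting": "tags", "value": {"owner": "sec"}},                           # ungoverned setting
]


@dataclass
class DriftGuard:
    desired: dict
    live: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Start from a compliant deployment: live state mirrors the baseline.
        if not self.live:
            self.live = copy.deepcopy(self.desired)

    def drift_for(self, resource: str) -> dict:
        """Return {setting: (live, desired)} for every governed setting that deviates."""
        want = self.desired.get(resource, {})
        have = self.live.get(resource, {})
        return {k: (have.get(k), v) for k, v in want.items() if have.get(k) != v}

    def remediate(self, event: dict) -> dict | None:
        """Revert drifted settings on the event's resource; return the audit entry, if any."""
        resource = event["resource"]
        drift = self.drift_for(resource)
        if not drift:
            return None
        for setting, (_, desired_value) in drift.items():
            # In production this is the CSP API call that restores the declared value.
            self.live[resource][setting] = copy.deepcopy(desired_value)
        entry = {"time": event["time"], "actor": event["actor"], "resource": resource,
                 "reverted": {k: {"from": have, "to": want} for k, (have, want) in drift.items()}}
        self.audit_log.append(entry)  # feeds the notification / investigation workflow
        return entry

    def apply_event(self, event: dict) -> dict | None:
        """Apply one change event to live state, then evaluate and remediate it."""
        self.live.setdefault(event["resource"], {})[event["setting"]] = event["value"]
        return self.remediate(event)


def run(events: list[dict]) -> DriftGuard:
    guard = DriftGuard(DESIRED_STATE)
    for ev in events:
        guard.apply_event(ev)
    return guard


if __name__ == "__main__":
    for entry in run(SAMPLE_EVENTS).audit_log:
        print(f"{entry['time']} {entry['actor']} {entry['resource']} reverted {entry['reverted']}")
```

Over the constructed event stream, two events drift from the baseline (the bastion security group opened to 0.0.0.0/0 and the log bucket's public access block disabled); both are reverted within the same event-handling step and logged with the actor, while the untracked tag change is left alone. Because the check runs on every event rather than on a periodic scan, the exposure window is bounded by event-delivery latency, and the audit entries give the security team the who/what/when needed to decide whether a reverted change was a mistake or something to investigate.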
Potential cloud compliance solutions to explore
Leading CSPs such as AWS and Azure have built robust offerings around compliance that are worth exploring, as well as emerging third-party SaaS offerings such as JupiterOne, which couple diverse industry expertise and multi-cloud integrations to truly provide value to customers.
- AWS has developed what is known as Conformance Packs. These are collections of AWS Config Rules along with remediation actions that you can easily deploy as a single entity into your AWS accounts, regions, and AWS Organizations. These are YAML templates containing various AWS managed and custom rules and remediation actions. Templates include controls for frameworks such as CIS, DoD's emerging CMMC, FedRAMP, NIST 800-53, HIPAA, AWS's own operational/security best practices, and more.
- AWS also recently launched AWS Audit Manager, which helps continuously audit AWS usage, automate evidence collection, and reduce manual effort. It can utilize pre-built frameworks such as FedRAMP, GDPR, NIST 800-53, CIS Benchmarks, and more, as well as custom frameworks and controls you tailor to your individual organization's needs. It can then be used to create audit-ready reports of your compliance.
- Azure's Security Center has developed what is called the "Regulatory Compliance Dashboard." This shows your compliance with selected compliance standards as well as all their associated requirements, mapped to applicable security assessments. You can not only see compliance in the UI dashboard, but you can download PDF reports documenting your current compliance posture with various frameworks such as SOC, CIS, PCI DSS, NIST 800-53, and more. You can then resolve non-compliant items to increase your compliance scoring.
- Another solution to consider is JupiterOne, a cloud-native SaaS service capable of managing all elements of cyber asset security. The J1 solution helps connect the relationships across all your cyber assets (devices, apps, networks, data, users) by rapidly adding context to your compliance, cloud security, IAM, and vulnerability management processes. Ultimately, the platform helps teams achieve compliance faster while also creating a continuous governance model to avoid compliance drift. JupiterOne currently supports several compliance frameworks (e.g. CIS controls, SOC 2, HIPAA, NIST, FedRAMP, PCI, and more), but they also offer the ability to create customized frameworks if you have more advanced requirements. Free, lifetime license.
Compliance in the cloud: A new paradigm
Cloud has disrupted many traditional ways of doing business and organizational activities. Compliance will be no different. Through the introduction of the shared responsibility model, infrastructure-as-code, templatization, and API/event-driven architectures, compliance will see numerous innovations and efficiencies impacting the field.
Organizations can take advantage of these innovations to save themselves time, money, and stress. It lets them focus more on their core competencies, mission, and better serving their customers — all while leveraging cloud computing to do so.
Utilizing some of the technologies, approaches, and capabilities discussed above allows for benefits for developers and system owners, as well as auditors and compliance professionals.
On the system owner side, organizations can automate and expedite much of their architecture deployment and internal assessment activities, giving them improved visibility of their security posture and compliance.
From the auditor and compliance SME perspective, they can avoid much of the manual footwork involved when working with organizations. Rather than asking for screenshots and shoulder surfing, they instead can ask for automated reporting of compliance, leveraging either CSP-native or third-party tools as discussed.
With the increased velocity of data breaches and cybersecurity incidents, it's likely that we'll see MORE compliance frameworks, requirements, and rigor coming to organizations and various industries. With that reality in mind, organizations should look for ways to improve security activities and ease their compliance burden, improving security posture by leveraging innovative technologies. Utilizing the solutions mentioned above is an example of doing just that, all driven by cloud.
This article was originally published on "A Cloud Guru", and has been updated to include information on JupiterOne.