More users than ever before are leveraging cloud services, but many have limited experience in securely configuring the cloud services they use. This leads to misconfigured resources and the potential for data exfiltration or other security breaches. In fact, Gartner predicts that through 2025, 99% of cloud security failures will be the customer’s fault and 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data.
To address emerging security and compliance challenges, cloud security teams need to rethink how they operate. In this article, we’ll take you through how to build a roadmap to successfully manage cloud compliance and secure your public cloud environment.
Building your cloud security and compliance roadmap
1. Identify key stakeholders
We’ve said it before: security is a team effort. In your cloud security and compliance roadmap, start by identifying your key stakeholders. In addition to security personnel, you should include application owners, developers, and compliance and risk managers. Each of these teams has specific requirements that need to be addressed to ensure the security and compliance of your cloud infrastructure. By identifying and involving these teams, you’ll help ensure you have a holistic view of requirements.
2. Collect and prioritize requirements
The next step in building your cloud security and compliance roadmap is to collect requirements from key stakeholders and identify an optimized set of compliance controls. The goal is to have meaningful conversations with developers and other teams to narrow down the critical violations with the biggest impact on the organization’s overall security posture.
Customers often start by protecting critical data, assets, and production cloud accounts. Ensure that the security controls of the cloud services where your data lives are enabled. Identify servers that are publicly exposed and change port configurations where public access isn’t needed. These are just a few examples of security controls to consider.
Many organizations choose to focus on compliance frameworks to define their control strategy. Depending on the data that your organization handles, you may need to focus on controls required by regulators in your industry. Regardless of the approach you choose, every security team should build its list of specific controls based on its organizational context and business priorities.
3. Implement internal cloud security and compliance standards and policies
Once you’ve established your organization’s key requirements, internal standards and policies need to be put in place to enforce them. With the help of a cloud security solution, you can set in-band or out-of-band security guidelines or guardrails. Here is a brief breakdown:
- In-band: A policy that’s evaluated before a user takes an action that would potentially violate best practices or rules.
- Out-of-band: A policy that’s evaluated after a best practice or rule violation is detected in deployed resources.
- Guideline: A policy that communicates a risk boundary and informs the user of the best practice, but takes no action to prevent or correct the violation.
- Guardrail: A policy that both communicates the best practice and takes action to prevent or correct the violation.
To learn more about implementing and customizing cloud security policies, see our article: Customize Cloud Security Policies and Actions with CloudHealth Secure State.
4. Improve cloud security with automation
Once controls are in place, organize violations by those that can be easily automated and those that may require human intervention. Then, you can improve threat detection and free up time for your security personnel by using auto-remediation for those violations that don’t require manual action. To learn more about auto-remediation best practices, see our article: Winning the Cloud Security Race: Remediate Misconfigurations at Scale.
CloudHealth Secure State Custom Compliance Frameworks
CloudHealth Secure State helps teams strengthen their cloud security posture by monitoring deployed resources and accelerating compliance programs. Our compliance capabilities allow users to continuously monitor resources through the lens of industry compliance standards, such as CIS, PCI, NIST 800-171, and SOC2.
At VMworld 2020, CloudHealth Secure State announced custom compliance frameworks, which allow users to customize and create standards that align to their company’s unique requirements.
A compliance framework is a hierarchical collection of Control Groups, Controls, and Rules. Control Groups are usually thematic groupings of technical Controls, and Rules are the policy checks in place to validate and prove that you’re adhering to those Controls. Modeled on common industry standards, we’ve authored a library of over 500 cloud security and compliance rules, which are mapped to technical controls within the CloudHealth Secure State platform.
Below is a diagram that shows the relationships between compliance frameworks, control groups, controls, and rules within CloudHealth Secure State.
When implementing internal standards, CloudHealth Secure State’s custom compliance frameworks can help you quickly narrow down and structure the specific services, types of rules, or combinations of rules your organization needs for its security posture.
Once your frameworks, controls, and rules are established, monitoring can then take place from the CloudHealth Secure State Compliance Dashboard.
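To make the framework hierarchy concrete (framework, control groups, controls, rules), and to show how the four policy types and the automation triage from the roadmap steps above fit together, here is an added Python illustration. It is not CloudHealth Secure State code: the rule and control identifiers, the framework name, and the resource inventory are all hypothetical, and the sample resources are constructed in a simplified shape rather than a real cloud provider API format. Rules carry an optional fix so that violations can be split into auto-remediable ones and ones that need a person.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample inventory (hypothetical simplified shape, not a real provider API).
SAMPLE_RESOURCES: List[dict] = [
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-bastion", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"id": "bucket-logs", "type": "storage_bucket", "public": False, "encrypted": True},
    {"id": "bucket-exports", "type": "storage_bucket", "public": True, "encrypted": False},
]

@dataclass(frozen=True)
class Rule:
    rule_id: str
    resource_type: str
    description: str
    check: Callable[[dict], bool]                 # True when the resource is compliant
    fix: Optional[Callable[[dict], dict]] = None  # returns a corrected copy; None = manual work

    def applies(self, res: dict) -> bool:
        return res["type"] == self.resource_type

@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    rules: Tuple[Rule, ...]

@dataclass(frozen=True)
class ControlGroup:
    name: str
    controls: Tuple[Control, ...]

@dataclass(frozen=True)
class Framework:
    name: str
    groups: Tuple[ControlGroup, ...]

# --- Rules (hypothetical ids and checks) ---
def _public_ssh(res: dict) -> list:
    """Ingress entries that expose port 22 to the whole internet."""
    return [e for e in res["ingress"] if e["port"] == 22 and e["cidr"] == "0.0.0.0/0"]

def _drop_public_ssh(res: dict) -> dict:
    """Corrected copy with the internet-wide SSH entries removed; other entries kept."""
    return {**res, "ingress": [e for e in res["ingress"] if e not in _public_ssh(res)]}

RULES: Dict[str, Rule] = {
    "NET-001": Rule("NET-001", "security_group", "No SSH (22) open to 0.0.0.0/0",
                    lambda r: not _public_ssh(r), _drop_public_ssh),
    "DATA-001": Rule("DATA-001", "storage_bucket", "Bucket is not public",
                     lambda r: not r["public"], lambda r: {**r, "public": False}),
    "DATA-002": Rule("DATA-002", "storage_bucket", "Bucket encrypted at rest",
                     lambda r: r["encrypted"], None),  # choosing a key is a human decision here
}

# Hypothetical custom framework: groups are thematic, controls map to rules.
CUSTOM_FRAMEWORK = Framework("Internal Cloud Baseline (hypothetical)", (
    ControlGroup("Network Security", (
        Control("NS-1", "Restrict administrative access", (RULES["NET-001"],)),)),
    ControlGroup("Data Protection", (
        Control("DP-1", "Prevent public data exposure", (RULES["DATA-001"],)),
        Control("DP-2", "Encrypt data at rest", (RULES["DATA-002"],)),)),
))

def evaluate_framework(fw: Framework, resources: List[dict]) -> Dict[str, list]:
    """Out-of-band evaluation of deployed resources: {control_id: [(rule_id, resource_id), ...]}."""
    report: Dict[str, list] = {}
    for group in fw.groups:
        for control in group.controls:
            report[control.control_id] = [
                (rule.rule_id, res["id"])
                for rule in control.rules for res in resources
                if rule.applies(res) and not rule.check(res)]
    return report

def triage(report: Dict[str, list]) -> Tuple[list, list]:
    """Split violations into auto-remediable (rule has a fix) and those needing a human."""
    auto, manual = [], []
    for violations in report.values():
        for rule_id, res_id in violations:
            (auto if RULES[rule_id].fix else manual).append((rule_id, res_id))
    return auto, manual

class Mode(Enum):
    IN_BAND = "in-band"          # evaluated before the change is applied
    OUT_OF_BAND = "out-of-band"  # evaluated on already-deployed state

class Enforcement(Enum):
    GUIDELINE = "guideline"      # inform only
    GUARDRAIL = "guardrail"      # inform and act

def apply_policy(rule: Rule, resource: dict, mode: Mode, enforcement: Enforcement):
    """Return (outcome, resulting resource or None) for one policy applied to one resource."""
    if not rule.applies(resource) or rule.check(resource):
        return "compliant", resource
    if enforcement is Enforcement.GUIDELINE:
        return ("warned" if mode is Mode.IN_BAND else "reported"), resource
    if mode is Mode.IN_BAND:
        return "denied", None            # guardrail blocks the non-compliant change
    if rule.fix is None:
        return "needs_human", resource   # guardrail cannot self-correct this rule
    return "remediated", rule.fix(resource)
```

Running `evaluate_framework(CUSTOM_FRAMEWORK, SAMPLE_RESOURCES)` reports the bastion security group under NS-1 and the export bucket under both DP-1 and DP-2; `triage` then places the two rules that carry a fix in the automation queue and leaves the encryption finding for a person, which is the split step 4 of the roadmap asks for. The same rule object drives all four policy behaviours: as an in-band guardrail it denies the change, as an out-of-band guardrail it rewrites the resource, and as a guideline it only warns or reports.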
In combination with built-in compliance frameworks, custom compliance frameworks help users target specific security controls and improve compliance according to their organization's unique security and regulatory needs. For steps on getting started with custom compliance frameworks today, refer to our compliance management user guide.
And for more information about how to mitigate cloud security and compliance risks with CloudHealth Secure State, see our technical report.