Compliance is no longer a once & done thing.
Merriam-Webster definition of “compliance” – the act or process of doing what you have been asked or ordered to do. It is no wonder that folks get defensive when compliance comes up. The conversation seems to generate audible groans also. But is it difficult to get compliant and stay that way? It depends on many factors, but the cloud can help.
In 2004, compliance came knocking on my infrastructures front door in the shape of Payment Card Industry Data Security Standard (PCI DSS.) At the time, security as it related to PCI was talked about like a new concept. In practice, it turned out to be mostly documenting what was already being done and closing some gaps that, until then, may not have been considered.
Let’s say that again, “in practice, getting PCI Compliant turned out to be mostly documenting the controls that were already in place.” Did we call them controls? Not exactly. For example, was there a password policy? Yes, there sure was, check. Was there a firewall policy? Yes, there sure was. Was the data protected? It was. The details are what make it complicated and also accelerate you from the typical box checking audit into real security, but it is a start. Without a start, the finish is somewhat impossible, so let us be ok initially with the box checking for a moment.
There is a tremendous volume of documentation and checklists out there on becoming compliant, so we will not try and duplicate that. There is also much overlap in the compliance frameworks, and that is good because when you go through one, it will make the next one easier.
For data compliance, if you are considering a move to the cloud, then you are in luck. A benefit from cloud computing is that you have fewer controls to audit. The major cloud providers take over the physical aspects of data security. Meaning, they own the facilities, systems, and infrastructure to host your data. Less controls for you to check! Don’t take this for granted, make sure you get with your cloud provider to get copies of their certifications and compliance docs. Fewer controls to check also can be equated to less $ spent when conducting an audit.
For the protection of the actual data, those same cloud providers that took over your physical controls have empowered you with all of the services needed to implement security. The key here is that you still own data security, thus the shared security model. A key benefit is that the cloud provider has also given you tools needed to automate all of the inspections. Granted, they may not be on a clipboard with a checklist, but the review of all the items on the checklist you are responsible for can now be done with an API call.
While it may be challenging to embrace, it is there. For example, if you take the PCI framework, six goals and twelve requirements as noted on the first page of this document you start to get a feel for this. Yes, it can be simple, and it can be automated. Let’s take just one control as an example:
Build and Maintain a Secure Network. Again, your cloud provider has all the checks necessary around the hardware; you own verification that the networks you manage are secure. For that control, there are two requirements to be met:
- Install and maintain a firewall configuration to protect cardholder data.
If you use AWS, this accomplished by configuring three items, Virtual Private Cloud (VPC,) EC2 Security Group, and VPC Network ACL. These three configuration items, correctly set, will net you a check in the box for that requirement. Granted, the properly configured aspect is defined by your applications requirements. To address this, you need to ensure that the application is documented, so you can correctly set up the firewall, document it, and now that it is in AWS, automate the inspection.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
This requirement has two aspects, system passwords, and security settings. You don’t want to use your vendor defaults. If you use AWS, the users, passwords, and policies are established with the Identity and Access Management (IAM) Service. You most likely already have a corporate user, group, password policy practice and IAM allows you to replicate that to the cloud fully. For the second part, it takes a few extra steps to make sure you are not using the vendor provided defaults. Since cloud providers make it easy to use, there are some security gaps that need to be reviewed, mainly around unused resources and open network allow rules. Ideally, you can choose to start fresh new VPCs, with configurations unique to your application, or you can leverage the defaults and lock them down to only what is needed. Either way will net you another check in this box.
Step one on the twelve steps to PCI compliance complete. When you review the referenced PCI document, you can see how taken one step at a time, it is not just possible to be PCI compliant, it is highly likely you are already taken steps in that direction. The benefits of the PCI document is that you do have a checklist that can help validate your work. However, a checklist is not validation that your application is secure. That is an important distinction. The PCI checklist is a good start, but in and of itself does not guarantee security; thus you cannot claim security because you are compliant. To secure your application is a different post.
How often is the checklist checked? In between checks, the environment, is likely undergoing change, so how do you know if you are compliant at any point in time? And while the auditors may not be as interested in it, as a security professional, you are. Again, we look to the cloud for help, because now you can automate your checks just like you automate your deployments. That is correct; you can self-audit with every deployment, several times a day, and on-demand because you are only inspecting the configuration of an item in the cloud. If the item is configured correctly, you pass. If it is not, you need to remediate the issue. Because you have automation, you can remediate any offending item that is not compliant, thus ensure continuous compliance. A buzz word yes, but it is achievable with the tools offered by cloud providers today.
The challenge now becomes do you have time and resources to build the automation for security validation in line with your deployment?