Once thought of as speed bumps in the path to deployment, security and compliance are now seen as critical ingredients that help organizations differentiate their offerings in the market, win more deals, and achieve mission-critical goals faster. We hosted a webinar to discuss how organizations, like Jive Software, are leveraging the cloud and are using automation in their security and compliance processes to accomplish more, do it faster, and deliver better results.
We had a great discussion and wanted to provide a post-webinar recap of some of the questions from our audience that we ran out of time to answer. In this blog our guest speakers from the webinar, Matt Willman, Principal Architect for FedRAMP at Jive Software and John Martinez, VP of Solutions, will answer those questions and share their experience when it comes to driving value from compliance in the cloud.
Q: Matt, how do you use Evident.io to assist with your FedRAMP POAM reporting?
[Matt Willman] Luckily we were able to shore up any issues (with the help of Evident.io) before starting the audit, so that hasn’t been a problem to date. Having said that, the reporting capability of Evident Security Platform (ESP) will prove valuable going forward, where we can attach the a previous report showing an issue, and a subsequent report showing that we’ve resolved said issue to our POAM.
Q: ESP seems to focus primarily on compliance at the infrastructure level. At a high level, how do you monitor/report on compliance in the interactions between development, tech support, customer success, etc. and production environments? Can ESP help there, as well?
[Matt Willman] ESP is primarily focused on the AWS layer (we use the Infrastructure term to encompass more than just AWS Infrastructure). As you indicated, there are other areas with significant compliance burdens, and we use a suite of tools that address the different areas we’re responsible for monitoring.
[John Martinez] At Evident.io, we also use a variety of tools to track the various activities required for compliance. We rely on ESP, of course, to ensure that our cloud services are configured correctly and satisfy controls necessary for compliance. For other activities like change management, we leverage Github or our ticketing system to track changes and approvals. A big part of ensuring compliance is also making sure that you are communicating to employees to ensure they know what is right and wrong, and then documenting those communications and trainings so we have them handy for the auditors later.
Q: Regarding automation, which one do you recommend that my team learn and master between CloudFormation and Terraform? What is the difference between the two? Is ESP available for other cloud platforms like Azure and Google Cloud Platform?
[Matt Willman] I can answer the automation part. Although both CloudFormation and Terraform are automation platforms, there are significant implementation differences and drawbacks to each. A detailed comparison that does the topic justice is beyond a few lines of response, and so I won’t go into detail. Having said that, I think one of the ways to approach this question is to ask yourself how multi-platform you want to be. If you’re on AWS exclusively, and can live with the idiosyncrasies of CloudFormation, I personally wouldn’t choose Terraform in that scenario. If you’re multi-platform (i.e. AWS + Google, or whatever) and you can absorb the additional complexities of that kind of multi-platform solution, Terraform would be a reasonable choice if you wanted to concentrate your development and knowledge efforts around one tool.
[John Martinez] ESP is available for both AWS and Microsoft Azure — and we’re working on GCP support now.
For more from these two thought leaders, you can watch the full Webinar on Demand here. You might enjoy our overview of PCI Compliance, and it will be helpful to understand how to apply continuous monitoring in your cloud environments.
To find out more about how our technology can help you and your team strengthen your Security and Compliance process, visit our website. ESP provides a single pane of glass view of all of your AWS accounts, regions and services in one easy to customize dashboard. By consuming all of Amazon’s APIs, ESP can detect and reveal vulnerabilities and alert your team to configuration changes and policy violation and provide a path to remediation.