A growing challenge for development and security operations teams (DevSecOps) as they move workloads to cloud infrastructures is how to ensure that functions in the cloud adhere to their agency’s compliance and security policies. Cloud infrastructures are flexible and offer many opportunities for settings to be changed or misconfigured, opening more access points for data breaches, system downtime, and costly compliance violations.
As enterprises and government agencies migrate to the cloud, there is no clear network perimeter as there might have been for workloads in traditional data centers. “That is largely because when you go to the cloud everything is software-defined,” said Phillip Merrick, CEO of Fugue, a developer of security and compliance software. “Everything that was physical hardware in the datacenter, you don’t have anymore. It is all defined by software through APIs [application programming interfaces] or infrastructure as code. It’s really important that you get it right,” he said.
Agencies should have a comprehensive set of security policies for operating in the cloud, such as requiring that all data at rest be encrypted and that virtual machines have no open ports. Organizations might have strong security policies, but the IT teams deploying that infrastructure in the cloud might not be aware of all of them, and through ignorance might not configure settings correctly from the start.
Second, cloud infrastructures give administrators ways to make changes through consoles, APIs, or commands, any of which can throw an agency out of compliance with security policies and mandates, Merrick noted. For example, an administrator might inadvertently open an Amazon Simple Storage Service (Amazon S3) data bucket, granting global access to unauthorized personnel.
Organizations need a way to quickly and automatically correct these types of errors, especially as more agencies and enterprises are adopting hybrid and multiple cloud strategies, experts say.
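The kind of automated check the article describes, as an added example that is not from the article or from Fugue: a small policy-as-code audit that evaluates an inventory of cloud resources against the policies named above (data at rest encrypted, no ports open to the whole internet, no S3 bucket granting global access). The inventory record layout and the sample records are constructed for illustration and are not any provider's API format.

```python
# Added example (not from the article or from Fugue): a small policy-as-code
# audit for the policies named above: data at rest must be encrypted, no ports
# open to the whole internet, no S3 bucket granting global access. The record
# layout and the sample inventory are constructed assumptions, not any API.
# AWS canned-group URIs that make an S3 ACL grant world-accessible.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GRANTEES = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

def check_bucket(bucket):
    """Return one finding per policy the bucket record violates."""
    findings = []
    if not bucket.get("encryption_at_rest"):
        findings.append(f"{bucket['name']}: data at rest is not encrypted")
    # A public ACL grant only takes effect when the public access block is off.
    if not bucket.get("public_access_block"):
        for grant in bucket.get("acl_grants", []):
            if grant["grantee"] in PUBLIC_GRANTEES:
                findings.append(f"{bucket['name']}: ACL grants {grant['permission']} to everyone")
    return findings

def check_security_group(group):
    """Flag inbound rules reachable from any address on the internet."""
    return [f"{group['name']}: port {r['port']} open to {r['cidr']}"
            for r in group.get("ingress", []) if r["cidr"] in ANY_ADDRESS]

def audit(inventory):
    """Run every policy check over an inventory and return all findings."""
    findings = []
    for bucket in inventory.get("buckets", []):
        findings.extend(check_bucket(bucket))
    for group in inventory.get("security_groups", []):
        findings.extend(check_security_group(group))
    return findings

# Constructed sample: one drifted bucket, one compliant bucket, one open port.
SAMPLE_INVENTORY = {
    "buckets": [
        {"name": "payroll-backup", "encryption_at_rest": False,
         "public_access_block": False,
         "acl_grants": [{"grantee": ALL_USERS, "permission": "READ"}]},
        {"name": "audit-logs", "encryption_at_rest": True,
         "public_access_block": True,
         "acl_grants": [{"grantee": ALL_USERS, "permission": "READ"}]},
    ],
    "security_groups": [{"name": "web-sg", "ingress": [
        {"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}]}],
}
print(*audit(SAMPLE_INVENTORY), sep="\n")
```

Running the same checks on every change event, rather than once at deployment, is what turns this into the continuous compliance the article calls for.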
According to a 451 Research study, organizations are struggling with the twin challenges of security and compliance in the hybrid cloud space. “Organizations want to be able to replicate existing security, governance and compliance audit practices in hybrid cloud environments, where at least some of the cloud infrastructure belongs to third parties. Organizations are struggling with practical considerations in this regard, such as ensuring that workloads are moved securely from one environment to another, without having the data maliciously or inadvertently exposed,” according to the report Critical Security and Compliance Considerations for Hybrid Cloud Deployments, which was sponsored by Hewlett Packard.
Government agencies need centralized visibility and control across DevSecOps teams to avoid policy violations and misconfigurations in the cloud, according to Merrick.
To achieve a state of continuous compliance, agencies must leverage the appropriate tools to effectively monitor and manage cloud security risks and threats.