There is no doubt that public cloud adoption hit a serious inflection point in 2016. We’ve seen Amazon Web Services report an annual revenue run rate of more than $13 billion, growing at an incredible rate of 55 percent. And Microsoft’s aim to be the first cloud provider to hit $20 billion started looking more like a possibility as it began wooing leading cloud adopters like Adobe to the Microsoft Azure platform.
In the midst of all this growth and excitement, I’ve noticed a disturbing trend. Daily, I speak to organizations that have moved production workloads over to cloud IaaS providers, but haven’t yet addressed how they will manage, measure, and report on regulatory compliance controls. I think that in the midst of all the concerns over whether or not public clouds were secure, some organizations missed the critical question: Can we demonstrate compliance without killing our team in the process?
It’s not surprising that it has taken an impending PCI or SOC-2 audit for SecOps and risk and compliance teams to have a reckoning about how they will measure the compliance of their cloud infrastructure. Never before have so many people in an organization had the power to make changes to the infrastructure that could potentially go unchecked. To complicate matters, traditional tools that help with compliance in the data center cannot be used in the API-centric world of the cloud.
Without proper tools designed for the cloud, teams have to deal with tedious, manual processes to produce evidence of compliance controls across the dynamic and fast-changing cloud infrastructure. Sure, you can prove that at some point you passed the controls, but what was the situation 24 hours before, or two weeks after? Once-and-done compliance just doesn’t cut it anymore.
With stories of cyber risks, cybercrime, hackers, and breaches topping our news feeds each day, organizations need to be able to demonstrate an ongoing practice of managing security. Just as DevOps teams have adopted continuous delivery and continuous innovation and made it a part of the everyday IT language, continuous security and continuous compliance need to be just as frequent a discussion topic.
The good news is that unlike managing compliance in traditional data centers, modern infrastructure gives us a path to address security and compliance programmatically and automatically. The APIs we now have available enable a whole new era of security automation. Using the APIs, you can access metadata about your infrastructure and continuously monitor and measure whether the changes that take place are introducing new risks into your environment. The introduction of new technologies specifically designed to help streamline and automate the process of security assessment and remediation for the cloud have advanced how organizations manage their security posture and compliance processes.
For DevOps teams, using automation to manage security means that they also can manage compliance throughout the entire development lifecycle, rather than building up a backlog of compliance debt that requires remediation before delivery. The cloud also has allowed DevOps to codify both security and compliance, which helps reduce risk by ensuring that best practices are followed, and changes to infrastructure and the cloud environment adhere to their organization’s security policy.
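As an added illustration of the API-driven monitoring and codified policy described in the two paragraphs above (example code, not from this article or from Evident.io), the check below evaluates one inbound-exposure control against security-group metadata and reports the drift between two point-in-time snapshots. The snapshots are constructed, their dict shape follows an EC2 DescribeSecurityGroups response, and the "only port 443 may be world-reachable" policy is an assumed control, not one the article prescribes.

```python
from datetime import datetime, timezone

# Constructed snapshots of one security group at two times; the dict shape
# follows an EC2 DescribeSecurityGroups response (an assumption, not live data).
SNAPSHOT_T0 = [{"GroupId": "sg-0example0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]
SNAPSHOT_T1 = [{"GroupId": "sg-0example0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    # change made after the audit evidence was collected
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]

# Control (an assumed organisational policy, not one the article prescribes):
# only HTTPS may be reachable from the whole internet.
ALLOWED_PUBLIC_PORTS = {443}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def evaluate(groups):
    """Return sorted (group_id, protocol, from_port, to_port) violations."""
    findings = set()
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not WORLD_CIDRS.intersection(cidrs):
                continue  # not world-reachable; outside this control's scope
            # IpProtocol "-1" means all traffic and then omits the port fields.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not (lo == hi and lo in ALLOWED_PUBLIC_PORTS):
                findings.add((group["GroupId"], perm.get("IpProtocol"), lo, hi))
    return sorted(findings)

def drift(before, after):
    """Violations present in `after` but not `before`: what a one-off audit misses."""
    return sorted(set(evaluate(after)) - set(evaluate(before)))

def evidence(groups, checked_at=None):
    """Timestamped record that can be handed to auditors as read-only evidence."""
    found = evaluate(groups)
    return {"checked_at": (checked_at or datetime.now(timezone.utc)).isoformat(),
            "control": "world-reachable-ports-restricted",
            "compliant": not found, "findings": found}

if __name__ == "__main__":
    print(evidence(SNAPSHOT_T0))
    print("new risk since last check:", drift(SNAPSHOT_T0, SNAPSHOT_T1))
```

Run on a schedule against real API output, each `evidence` record becomes one data point in a continuous compliance history rather than a single annual snapshot.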
Automation of compliance also enables teams to streamline the process of documenting and certifying the accounts, services, and workloads in the cloud when the auditors come knocking. This automation can help you create an abstraction layer to protect your operational and development teams from disruption and distraction, which can also have a significant negative impact on your timelines and bottom line. With the right cloud security tools in place, you may even be able to provide auditors read-only access to compliance reports as needed, eliminating the need for team members to be in the middle of those requests.
So, while your senior management may question whether a cloud provider is FISMA-, HIPAA- or PCI-compliant, you need to raise one more issue: How will your organization demonstrate compliance running in one of the public clouds? You need to have an assurance that you will get executive support to add new tools to your arsenal that will help your team manage, assess, and report on security and compliance without stopping innovation and creating detrimental workloads for your development and operations teams.
While I’m excited about the potential innovations that the public cloud presents us all, I can’t help but wonder about the nightmare that 2017 audits will be causing the teams that have yet to address compliance automation for their cloud environments.
Tim Prendergast is CEO for Evident.io.
Edited by Alicia Young