Cloud Compliance Management: A Data-Driven Approach to Managing Risks in the Cloud
Risk management is a cyclically executed process: a series of coordinated actions and tasks meant to identify, oversee and control risk. In a cloud ecosystem risk management has a much wider scope than in traditional IT, so you need an ecosystem-wide framework for it.
The cloud is, on the whole, a resilient and secure place to run your workloads. Gartner estimates that by 2020, public cloud IaaS workloads will suffer at least 60% fewer security incidents than on-premises workloads.
That's the good news. The bad news? Gartner also estimates that when incidents do happen, 95% of cloud security failures are the customer's fault.
And they are getting more expensive. IBM's 2018 study puts the average cost of a breach (excluding mega breaches like Equifax or Target) at $3.86M globally, up 6.4% year over year, and at more than double that for US companies; the average time to identify a data breach is 196 days.
Security Management In The Cloud Today
In the cloud you implicitly trade control over the entire stack for increased agility and autonomy. In return, the cloud service provider gives you fine-grained control over each service: access control, identity management, per-service security configuration, audit trails and so on.
The end result is an explosion in the number of security primitives that need to be managed and monitored, something the tools and models most teams carry over from on-premises were not designed for.
The state of the art in cloud security assessment is to benchmark configurations against known best practices and flag violations. On AWS, Trusted Advisor and AWS Config evaluate your configuration against established norms: AWS Config expresses them as Rules (managed or custom), Trusted Advisor as best-practice checks.
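What such a rule looks like when reduced to code: the following is an added illustration written for this page, not code from HyperCloud or from AWS. It mirrors the intent of AWS Config's `restricted-ssh` managed rule and Trusted Advisor's unrestricted-port check, narrowed to SSH and RDP, and runs against constructed sample data shaped like `aws ec2 describe-security-groups` output (the group IDs and names are made up). The `COMPLIANT` / `NON_COMPLIANT` verdicts follow the vocabulary AWS Config uses for rule evaluations.

```python
import ipaddress

# Constructed sample data shaped like `aws ec2 describe-security-groups` output.
# Group IDs and names are made up for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "wide-open",
     "IpPermissions": [
         {"IpProtocol": "-1",  # all protocols; AWS omits FromPort/ToPort here
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Administrative ports the baseline says must never be reachable from anywhere.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def is_unrestricted(cidr: str) -> bool:
    """True when the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def ports_covered(perm: dict) -> range:
    """Port range an ingress permission opens; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return range(0)  # SSH/RDP are TCP; UDP/ICMP permissions cannot expose them
    return range(perm["FromPort"], perm["ToPort"] + 1)


def evaluate_group(group: dict) -> dict:
    """Evaluate one security group and return an AWS Config-style verdict."""
    exposures = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(is_unrestricted(c) for c in cidrs):
            continue  # only world-reachable permissions matter to this rule
        covered = ports_covered(perm)
        for port, name in ADMIN_PORTS.items():
            if port in covered:
                exposures.append(f"{name} ({port}/tcp) open to the world")
    return {
        "GroupId": group["GroupId"],
        "ComplianceType": "NON_COMPLIANT" if exposures else "COMPLIANT",
        "Annotation": "; ".join(exposures)
        or "no administrative port exposed to 0.0.0.0/0 or ::/0",
    }


def evaluate_all(groups: list) -> list:
    """Run the rule over every group, as a Config evaluation would."""
    return [evaluate_group(g) for g in groups]


if __name__ == "__main__":
    for verdict in evaluate_all(SAMPLE_GROUPS):
        print(f"{verdict['GroupId']}: {verdict['ComplianceType']} - {verdict['Annotation']}")
```

Note the two ways the check can be fooled if written carelessly: an `IpProtocol` of `-1` carries no port fields at all, and an IPv6 `::/0` range is just as open as `0.0.0.0/0`; the example handles both, and a rule that only reads `FromPort` and `IpRanges` would pass the `wide-open` group.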
Risk Management, Not Just Configuration Management
Managing individual configurations is undoubtedly important: many security breaches can be traced back to a simple configuration error or an over-permissive policy.
The downside of making configuration benchmarking the cornerstone of your cloud compliance model is that it is easy to get lost in the trees of individual policy findings and lose sight of the forest: your overall risk profile and your compliance against established industry standards.
Data Driven Risk Quantification
NIST states: "To prevent and mitigate any threats, adverse actions, service disruptions, attacks, or compromises, organizations need to quantify their residual risk below the threshold of the acceptable level of risk". The key word is quantify.
In our search for the right metric to quantify infrastructure risk in the cloud, we evaluated various risk frameworks (including the one proposed by NIST) and found them too high-level to standardize and automate. We settled on the Common Vulnerability Scoring System (CVSS) as the starting point for an overall cloud risk score, because it is built on explicit metrics and a defined scoring formula.
CVSS is an open framework, maintained by FIRST, for communicating the characteristics and severity of software vulnerabilities. Because it was not designed with the cloud in mind, we have customized the formulation to include metrics that are relevant for the cloud.
HyperCloud: A Continuous, Automated and Adaptive Approach to Compliance and Security
HyperCloud Analytics provides a risk and compliance management framework that is continuous, automated and adaptive, just like your cloud.
- Continuous: by constantly evaluating your environment with a metrics-based approach, HyperCloud Analytics provides a quantifiable, holistic, real-time view of your risk profile and alerts you when risk rises above a specified threshold.
- Automated: HyperCloud Analytics includes a number of built-in remediation tools that can automate your response to the majority of your security issues.
- Adaptive: risk is highly subjective, so HyperCloud Analytics lets you choose your own risk profile by weighting each relevant parameter individually to suit your needs.
And, Don’t Forget Regulatory Requirements
Your risk profile may be subjective, but regulations are black and white. For example, as a healthcare provider you are either HIPAA compliant or you are not, and if you are not, a significant penalty may apply.
In an environment as dynamic as the cloud, obtaining and maintaining regulatory compliance is a moving target. Custom Policies in HyperCloud continuously evaluate your environment against regulatory requirements and can auto-remediate some of the most common issues to bring you back into compliance.
See It In Action
In our next series of posts we will examine how HyperCloud Analytics leverages a data-driven approach to risk and delivers on our promise of a continuous, automated and adaptive approach to Risk. We invite you to sign up for a 30-day no-strings-attached trial on AWS marketplace.