Cloud Compliance Management: A Data-Driven Approach to Managing Risks in the Cloud

Risk management is a cyclically executed process made up of a series of co-ordinated actions and tasks meant to oversee and control risks. In a cloud ecosystem, risk management has a much wider scope than in traditional IT: you need an ecosystem-wide framework for managing risk.

There is no doubt that the cloud is a resilient and secure place to run your workloads. Gartner estimates that by 2020, public cloud IaaS workloads will suffer at least 60% fewer security incidents than on-premises.

That’s the good news. The bad news? Gartner estimates that when breaches do happen, 95% of them are the customer’s fault.

And they’re getting more expensive. A recent study by IBM shows that the average cost of a mid-sized breach (excluding mega breaches like Equifax or Target) increased 6.4% year over year in 2018. It stands at $3.86M globally (and is more than double that for US companies), and the average time to identify a data breach is 196 days.

Security Management In The Cloud Today

In the cloud, you’re implicitly swapping control over the entire stack for increased agility and autonomy.  In return, the cloud service provider gives you fine-grained control over each service in the form of access control, identity management, per-service security configurations, audit trails etc.

The end result is an explosion in the number of security primitives that need to be managed and monitored, something our current tools and models were not designed for.

The state of the art in cloud security assessment is to benchmark configurations against known best practices and flag violations. In the AWS cloud, Trusted Advisor and AWS Config evaluate your configuration against established norms; these norms are known as Rules in AWS Config and as Best Practices in Trusted Advisor.

Risk Management, Not Just Configuration Management

Undoubtedly, managing individual configurations is very important – many security breaches can be tracked down to simple configuration errors or over-permissive policies.

The downside of making configuration benchmarking the cornerstone of your cloud compliance model is that it’s relatively easy to get lost in the trees of security policy and lose sight of the forest: your overall risk profile and your compliance against established industry standards.

Data Driven Risk Quantification

NIST states “To prevent and mitigate any threats, adverse actions, service disruptions, attacks, or compromises, organizations need to quantify their residual risk below the threshold of the acceptable level of risk”. The key word here is quantify.

In our quest to find the right metric to quantify infrastructure risk in the cloud, we evaluated various risk frameworks (including the one proposed by NIST) and found them too high-level to be standardized and automated. We eventually decided on the Common Vulnerability Scoring System (CVSS) methodology as a starting point for calculating an overall risk score for the cloud, because of its focus on metrics and scoring.

The CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities. Since CVSS wasn’t actually designed with the cloud in mind, we have customized the formulation to include metrics that are relevant for the cloud.

HyperCloud: A Continuous, Automated and Adaptive Approach to Compliance and Security

HyperCloud Analytics provides a risk and compliance management framework that is continuous, proactive and adaptive, just like your cloud.

  • Continuous: By constantly evaluating your environment and using a metrics-based approach, HyperCloud Analytics can provide a quantifiable, holistic, real-time view of your risk profile and alert you when risk rises above a specified threshold.
  • Automated: HyperCloud Analytics introduces a number of built-in remediation tools that can automate your response to the majority of your security issues.
  • Adaptive: Risk is highly subjective, so HyperCloud Analytics allows you to choose your risk profile by scoring all relevant parameters individually to suit your needs.
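As an added illustration (example code written for this page, not HyperGrid's or HyperCloud's code, and not the customized CVSS formulation the post describes), the script below ties the preceding sections together: it benchmarks a constructed inventory of cloud resources against a few AWS Config-style rules, gives each finding a CVSS v3.1 base score using the published scope-unchanged formula, and aggregates the findings into an environment-level risk summary with a threshold alert. The mapping of misconfiguration classes to CVSS vectors, the 7.0 alert threshold and the sample inventory are assumptions of this example.

```python
"""Config benchmarking plus CVSS-style risk scoring (added example; constructed data)."""
import math
from dataclasses import dataclass
from typing import Callable

# CVSS v3.1 base-metric weights (scope unchanged), taken from the published specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}   # scope-unchanged values
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: round up to one decimal while avoiding float artefacts."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss_base_score(vector: str) -> float:
    """Base score for a scope-unchanged vector such as 'AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H'."""
    m = dict(part.split(":") for part in vector.split("/"))
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 6.42 * iss
    if impact <= 0:          # no impact at all scores 0 regardless of exploitability
        return 0.0
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]] * UI[m["UI"]]
    return roundup(min(impact + exploitability, 10))


@dataclass
class Rule:
    name: str
    applies_to: str                   # resource type the rule benchmarks
    violated: Callable[[dict], bool]  # returns True when the resource breaks the rule
    vector: str                       # assumed CVSS vector for this class of finding


# Assumed mapping of misconfiguration classes to CVSS vectors (an assumption of this example).
RULES = [
    Rule("s3-bucket-public-read", "s3_bucket",
         lambda r: bool(r.get("public_read", False)),
         "AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N"),       # 7.5: unauthenticated read of stored data
    Rule("sg-ssh-open-to-world", "security_group",
         lambda r: any(i["cidr"] == "0.0.0.0/0" and i["port"] == 22 for i in r["ingress"]),
         "AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:H"),       # 8.1: admin service exposed to the internet
    Rule("iam-user-no-mfa", "iam_user",
         lambda r: bool(r.get("console_access")) and not r.get("mfa_enabled"),
         "AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:H"),       # 8.8: password-only access to the console
]

# Constructed sample inventory standing in for what AWS Config would record.
INVENTORY = [
    {"type": "s3_bucket", "id": "logs-archive", "public_read": True},
    {"type": "s3_bucket", "id": "billing-private", "public_read": False},
    {"type": "security_group", "id": "sg-bastion",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"type": "security_group", "id": "sg-app",
     "ingress": [{"cidr": "10.0.0.0/8", "port": 443}]},
    {"type": "iam_user", "id": "alice", "console_access": True, "mfa_enabled": True},
    {"type": "iam_user", "id": "svc-deploy", "console_access": True, "mfa_enabled": False},
]


def evaluate(inventory: list, rules: list = RULES) -> list:
    """Benchmark every resource against every applicable rule; score each violation."""
    findings = []
    for res in inventory:
        for rule in rules:
            if res["type"] == rule.applies_to and rule.violated(res):
                findings.append({"resource": res["id"], "rule": rule.name,
                                 "score": cvss_base_score(rule.vector)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def risk_summary(findings: list, threshold: float = 7.0) -> dict:
    """Roll findings up into one environment-level view and raise an alert past the threshold."""
    scores = [f["score"] for f in findings]
    top = max(scores, default=0.0)
    return {"findings": len(findings), "max_score": top,
            "mean_score": round(sum(scores) / len(scores), 1) if scores else 0.0,
            "alert": top >= threshold}


if __name__ == "__main__":
    found = evaluate(INVENTORY)
    for f in found:
        print(f"{f['score']:4.1f}  {f['rule']:24s} {f['resource']}")
    print(risk_summary(found))
```

The threshold is deliberately a parameter of `risk_summary`: in the post's terms this is where the "adaptive" knob lives, since an organisation that tolerates more risk simply raises it, while the per-rule vectors are where a cloud-specific customisation of CVSS would be expressed.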

And, Don’t Forget Regulatory Requirements

Your risk profile may be subjective, but regulations are black and white. For example, as a healthcare provider you are either HIPAA compliant or you are not, and if you aren’t, a significant penalty may apply.

In an environment as dynamic and adaptive as the cloud, obtaining and maintaining compliance with regulations can be a moving target. Custom Policies in HyperCloud continuously evaluate your environment for compliance with regulatory policies and can even auto-remediate some of the most common issues to bring you back into compliance.

See It In Action

In our next series of posts we will examine how HyperCloud Analytics leverages a data-driven approach to risk and delivers on our promise of a continuous, automated and adaptive approach to risk. We invite you to sign up for a 30-day no-strings-attached trial on AWS Marketplace.

Manoj Nair joins HyperGrid from HPE, where he was GM and VP of Product Management for Converged Infrastructure. His team was responsible for driving the product strategy and roadmap across all elements of the Converged Portfolio & Infrastructure Management. Prior to HPE, Manoj was SVP leading strategy and R&D for the Public Cloud solutions at EMC, an incubation team working across the EMC federation of companies. Previously, Manoj was SVP & GM at RSA, responsible for the IAM & Authentication product lines, and before that he led R&D and Product Management for the RSA Security Management portfolio. Manoj also led R&D for EMC's internal incubation project, EMC Infoscape, as well as the architecture of the EMC PowerPath product family. Manoj has also held development and research positions at Data General, Novell and US NSF-funded research labs. He holds over a dozen patents granted by the USPTO in systems software, file systems, information management and security. Manoj holds an M.S. in Computer Science from Clemson University. Forbes Technology Council, Official Member 2018.