Why Security Compliance Is a Continuous Process, and Not Just a Check in the Box!

Friday, November 18, 2016

Tim Prendergast


In today’s complex world of ever-changing and ever-evolving cybersecurity threats, it’s nearly impossible to say you’re 100 percent compliant with all standards at all times — FedRAMP, PCI DSS, SOX-2, HIPAA, etc. With enterprises quickly migrating to the cloud and data storage volumes growing exponentially, it becomes even harder to confidently say you’ve checked the box on compliance. It’s up to organizations to measure and demonstrate compliance in their systems, and many organizations struggle to do so in the new cloud paradigm.

In addition, most organizations think that passing an annual audit or assessment means they are “in the clear” and don’t have to worry about maintaining their compliance once they’ve gotten the green light. However, according to Verizon, 80 percent of those that passed their annual PCI assessment drifted out of compliance shortly thereafter. The scale of recent data breaches makes it clear that many organizations’ security measures aren’t slowing attackers down, and that continuous compliance and ongoing risk management are needed to protect vulnerable systems and networks from future attacks. Simply putting security controls and standards in place isn’t enough. Compliance needs to be sustained by companies that wish to be prepared for the evolving breach landscape.

Today’s compliance frameworks are offering more recommendations around a “continuous compliance” process to manage risk. Their authors know that it’s impossible to guarantee compliance at any given point in time, so the best available approach is continuous monitoring. Continuous monitoring is the only path to continuous compliance, and, simply put, managing this risk manually is neither effective nor efficient. Adopting a modern cloud infrastructure with automated security and compliance is necessary to protect the large attack surface that the cloud creates. Even though manually interrogating a cloud environment is slow and arduous, many organizations also want to increase the frequency of their audits to ensure and demonstrate that they are doing their best to remain secure.

Some of the main benefits of continuous compliance in today’s automated cloud security frameworks include:

  1. Real-time compliance and faster remediation - Near real-time situational awareness is achieved by monitoring infrastructure continuously and identifying critical risks as they are introduced. Compliance from the start means monitoring security throughout the entire development lifecycle, avoiding expensive changes late in the cycle.
  2. Ease of use and simpler, faster reporting - One-button compliance reports document how compliance policies are followed and allow teams to create auto-remediation rules or follow guided remediation steps to resolve issues. User attribution features identify who introduced risks into the environment, and when, how and where. No more spending weeks interrogating systems to manually aggregate a compliance report that would be out of date by the time you finish. With one click, you can run a report and then export it in the form auditors need, saving time and money. Anyone on the team can produce reports without needing specialized knowledge. In fact, providing auditors read-only access to self-service compliance reports creates a whole new layer of abstraction that protects your operational teams from disruption.
  3. Complete visibility into the cloud ecosystem - These platforms monitor, test and report on all cloud services and provide an actionable view into all testable compliance checks. Stakeholders have an easy way to view, monitor and report on the security and compliance of their entire cloud ecosystem.
  4. Faster remediation - Because monitoring, assessment and remediation of cloud infrastructure risk are all managed from a single platform in real time, risks are detected and remediated quickly. No longer are development teams thrown off track when they have to stop projects to address a year’s worth of compliance debt when audit time comes around.
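The drift problem and the user-attribution idea described above can be illustrated with a small continuous-evaluation loop. This is an added example, not code from the post or from any compliance product; the snapshot format, the three policy checks and the change log are all constructed for illustration. It evaluates the same policies against each point-in-time inventory, reports failures that are new relative to the previous snapshot as drift, and attributes each one to the most recent logged change on that resource.

```python
"""Continuous compliance drift detection over constructed cloud inventory snapshots."""

# Constructed sample: the resource inventory as it looked at three points in time,
# as {resource_id: {attribute: value}} (a hypothetical, simplified format).
SNAPSHOTS = [
    ("2016-10-01", {"bucket-a": {"public": False, "encrypted": True},
                    "sg-web": {"open_ports": [443]}}),   # audit day: everything passes
    ("2016-10-15", {"bucket-a": {"public": True, "encrypted": True},
                    "sg-web": {"open_ports": [443]}}),   # drift begins after the audit
    ("2016-11-01", {"bucket-a": {"public": True, "encrypted": False},
                    "sg-web": {"open_ports": [443, 22]}}),
]

# Constructed change log used for attribution (who changed what, and when).
CHANGES = [
    {"at": "2016-10-15", "user": "alice", "resource": "bucket-a", "attr": "public"},
    {"at": "2016-11-01", "user": "bob", "resource": "bucket-a", "attr": "encrypted"},
    {"at": "2016-11-01", "user": "bob", "resource": "sg-web", "attr": "open_ports"},
]

# Policy checks: each returns True when the resource is compliant. Missing
# attributes default to the compliant value so checks apply only where relevant.
CHECKS = {
    "no-public-storage": lambda r: not r.get("public", False),
    "storage-encrypted": lambda r: r.get("encrypted", True),
    "no-admin-ports-open": lambda r: not ({22, 3389} & set(r.get("open_ports", []))),
}

def evaluate(inventory):
    """Return the sorted list of (resource, check) failures for one snapshot."""
    return sorted((rid, name) for rid, attrs in inventory.items()
                  for name, check in CHECKS.items() if not check(attrs))

def attribute(resource, date, changes):
    """Most recent logged change to `resource` on or before `date` (ISO dates sort lexically)."""
    hits = [c for c in changes if c["resource"] == resource and c["at"] <= date]
    return max(hits, key=lambda c: c["at"]) if hits else None

def drift_report(snapshots=SNAPSHOTS, changes=CHANGES):
    """Evaluate every snapshot; failures absent from the previous snapshot are drift."""
    report, previous = [], set()
    for date, inventory in snapshots:
        failures = evaluate(inventory)
        drift = [(rid, name, (attribute(rid, date, changes) or {}).get("user"))
                 for rid, name in failures if (rid, name) not in previous]
        report.append({"date": date, "failures": failures, "drift": drift})
        previous = set(failures)
    return report

if __name__ == "__main__":
    for row in drift_report():
        print(row)
```

The first snapshot is the point-in-time pass an annual assessment would record; the later rows are what a continuous evaluation surfaces, with the responsible user attached to each new finding.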

Organizations need to shift their thinking from point-in-time compliance to continuous compliance. In today’s dynamic computing environment, where there is no network perimeter, automated and continuous compliance is needed to ensure infrastructure is safe at all times. Today’s cloud security frameworks are equipped with complete, real-time compliance assessments for an organization’s entire cloud infrastructure. Reports can be generated in real time, and audits can be completed more frequently. Organizations that adopt modern security and compliance platforms can benefit from financial efficiencies and timeliness, so they can focus attention on other high-value projects.

About the author: Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim previously led technology teams at Adobe, Ingenuity, Ticketmaster and McAfee.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
