How Legacy Compliance Strategies Fail Cloud Native and How to Fix Them
In 2019, it sounds almost trite to say cloud native applications are upending traditional assumptions of security and compliance — but that doesn’t make the assertion any less true. According to a survey conducted by the Cloud Security Alliance (CSA) of over 700 IT professionals, security (62%) and compliance (57%) challenges rank among the top obstacles to cloud native adoption.
This applies equally for large enterprises making the gradual transition from hybrid cloud to full cloud native, as it does for small-to-medium-sized companies deploying containers and microservices right out of the gate.
At first glance, the benefits of cloud native are clear: cloud native architectures are more resilient, can accommodate distributed data and dynamic endpoints and are, generally speaking, more cost-effective (when deployed correctly).
However, these benefits have been partially offset by the following challenges:
- Cloud native visibility and control remains the major pain point for most enterprises;
- Data decentralization in cloud native increases the potential for security vulnerabilities;
- The shifting regulatory landscape increases the cost of compliance;
- Cloud configuration mistakes increasingly cause unexpected outages;
- Few industry frameworks exist on how to achieve cloud native compliance.
Cloud native adoption has ushered in “a new paradigm” for enterprises. This paradigm calls for a new playbook for how organizations approach compliance, which we outline in this post.
Where Legacy Compliance Tools Fall Short
Prior to cloud native, the traditional approach to compliance focused on remediation-centric tools to satisfy compliance requirements, with the objective of achieving “best of breed” maturity in each siloed function.
This approach was — almost by definition — reactive to the prevailing trends of the moment. It often involved piecemeal deployments of a variety of tools, in order to “check the box” on a compliance checklist (e.g. companies maintaining disparate tools for scanning, data classification, IDS/IPS, DLP and access control monitoring).
In cloud native environments, this legacy approach falls short in a number of ways:
- Adding more tools can be costly and difficult to scale with cloud.
- More tools lead to:
  - alert fatigue, and
  - a steep learning curve due to lack of integration with existing tools.
- These tools often aren’t container-aware at runtime, and may not be able to operate at the scale of containers or keep up with their rate of change.
All of which has the potential to make cloud native infrastructures more cumbersome and less secure.
A Traditional Compliance Approach May Cost More
As cloud native and containers become more than just buzzwords, regulators are slowly catching up. Over the past decade, we’ve seen a steady shift away from “regulate and forget” to iterative compliance standards. We’re also seeing more collaboration among regulators, particularly between the U.S. and the EU.
In 2018, key regulatory implementation dates hit with large fines for non-compliance:
- Early Jan 2018: Financial instruments directive comes into effect;
- Mid Jan 2018: Revised payment services directive comes into effect;
- May 2018: General Data Protection Regulation (GDPR) comes into effect.
By 2019, fines for regulatory failures in financial tech amounted to billions, while fines for tech brands such as Facebook, Google and Uber were typically measured in tens of millions of dollars.
As the new regulatory landscape shifts away from one-size-fits-all regulation to a more data-driven, segmented approach, enterprises need to update their compliance strategies to not only avoid costly monetary penalties but also wasted time from having to learn new tools — only to find themselves chasing a moving target.
The Cloud Native Compliance Playbook: A Three-Step Approach
Building a secure and compliant cloud native enterprise follows a three-step approach:
1. Organize: practice good hygiene by properly indexing and grouping cloud workloads
In the case of containers and microservices, this could include:
- Managing base container images by scanning for vulnerabilities at build;
- Keeping images patched and updated as threats are uncovered;
- Leveraging container registry vulnerability scanning to monitor for assets managed by public cloud providers;
- Using a container-specific minimal host OS to run containers with appropriate hardening.
2. Integrate: take every opportunity to “bake in” compliance into cloud native architecture
- Focusing on configurable, policy-based scanning that prioritizes compliance concerns;
- When evaluating new tools, ensure that they integrate with existing ones to reduce the learning curve;
- Building compliance attestation into cloud assets based on product/regulatory requirements (e.g. will a workflow handle protected health information? Start by building a HIPAA-compliant base image).
3. Collaborate: leverage in-house SMEs to get teams talking
- Combining compliance and security expertise to automate workflows and system tooling, and to surface critical system events rapidly;
- Educating teams on container-specific vulnerability management tools.
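A small policy-as-code gate that puts the Organize step (indexing workloads by the data they handle) and the Integrate step (policy-based scanning plus a compliance attestation on the base image) into working form. This is an added example, not code from the original post; the inventory, the OCI label carrying the base image, the registry name, the severity caps and the HIPAA-attested base image are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Workload:
    name: str
    image: str          # full image reference: registry/repo:tag
    base_image: str     # value of an assumed OCI label, e.g. org.example.base-image
    data_class: str     # constructed classification: "public", "internal" or "phi"
    findings: Dict[str, int] = field(default_factory=dict)  # scanner severity -> count

# Constructed policy inputs (assumptions, not from the original post).
APPROVED_REGISTRY = "registry.example.internal/"
ATTESTED_BASES = {"registry.example.internal/hipaa-base:2019.06": {"hipaa"}}
SEVERITY_CAPS = {"critical": 0, "high": 0}  # any critical or high finding fails the gate

def evaluate(w: Workload) -> List[str]:
    """Return the policy violations for one workload; an empty list means compliant."""
    problems = []
    if not w.image.startswith(APPROVED_REGISTRY):
        problems.append(f"image {w.image} is not from the approved registry")
    for sev, cap in SEVERITY_CAPS.items():
        count = w.findings.get(sev, 0)
        if count > cap:
            problems.append(f"{count} {sev} scan findings exceed cap of {cap}")
    if w.data_class == "phi" and "hipaa" not in ATTESTED_BASES.get(w.base_image, set()):
        problems.append(f"PHI workload built on non-attested base {w.base_image}")
    return problems

def group_by_data_class(workloads: List[Workload]) -> Dict[str, List[str]]:
    """Organize step: index workload names by the class of data they handle."""
    groups: Dict[str, List[str]] = {}
    for w in workloads:
        groups.setdefault(w.data_class, []).append(w.name)
    return groups

def gate(workloads: List[Workload]) -> Dict[str, List[str]]:
    """Integrate step: build-time gate returning violations for failing workloads only."""
    return {w.name: v for w in workloads if (v := evaluate(w))}

INVENTORY = [  # constructed sample inventory
    Workload("billing-api", "registry.example.internal/billing:1.4",
             "registry.example.internal/hipaa-base:2019.06", "phi", {"high": 0, "medium": 3}),
    Workload("patient-portal", "registry.example.internal/portal:2.0",
             "registry.example.internal/debian-slim:10", "phi", {"critical": 1}),
    Workload("marketing-site", "docker.io/library/nginx:1.17",
             "docker.io/library/nginx:1.17", "public", {}),
]
```

Running `gate(INVENTORY)` on this inventory passes only billing-api; patient-portal fails on both a critical finding and a non-attested base image, and marketing-site fails only the registry check.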
Finally, in addition to the three steps outlined above, it’s important to constantly retune your enterprise compliance strategy according to the shifts in the security and regulatory landscape. In cloud native infrastructures, it’s prudent to never take an either/or approach to tools and solutions for compliance and security. Take the opportunity to review organizational structures, processes, tools and compliance measures and iterate accordingly.