Stakeholders in all industries have a growing demand for increased business agility and cost reductions in relation to their IT infrastructure and applications. Many of these executives and officers have focused on migrating to the cloud as part of their strategy to reach these goals.
In general, these migrations by organizations follow either a hybrid or multicloud strategy. Hybrid cloud is defined as a combination of cloud services that are deployed both on-premises and in the cloud. Multicloud means using multiple cloud computing service providers across a single heterogeneous environment for applications, software or infrastructure.
While hybrid cloud and multicloud usage have increased for businesses, so have challenges to maintain compliance with various regulations and cloud security requirements. The following figures from an IBM Institute for Business Value survey of 1,106 business and technology executives reflect the situation:
85%
Organizations are already operating multicloud environments.
98%
Organizations plan to use multiple hybrid clouds by 2021 — however, only...
41%
Organizations have a multicloud management strategy in place.1
As stakeholders of enterprises place more of their services in hybrid multicloud environments, and developers directly access more infrastructure and platform services, the following questions emerge in their wake:
“How securely are we using these cloud services?”
“Is our configuration of our cloud services presenting us with excessive risk?”
“How well do our cloud services comply with industry and local regulations?”
These questions about consistency, security and compliance with cloud infrastructure become more complex to answer as more organizations adopt a multicloud or hybrid cloud strategy. Many stakeholders find that coming up with the appropriate strategy to match their current and future cloud usage is challenging to address.
The rapid adoption of hybrid cloud and multicloud services, along with an increasing number of cloud infrastructure and platform services, has created an explosion in complexity and concerns about cloud compliance. Cloud compliance is driven by regulatory or supervisory agencies and doesn’t directly link with threat. The stakeholders are finding difficult to meet cloud compliance due to these factors:
Lack of internal consensus about how cloud compliance should be handled — Some stakeholders have difficulty understanding the nature of cloud and why meeting regulatory requirements in the environment isn’t the same as with on premises. Building a strong cloud compliance strategy should include open communications and buy-in from all internal stakeholders.
Lack of visibility and decentralized governance across public multicloud — The inability to maintain a real-time cloud asset inventory leads to an increased likelihood of undetected misconfigurations. As a result, communicating risk consistently to management and board members isn’t possible.
Complexity of maintaining continuous compliance posture in the cloud — Rapid provisioning of cloud services by multiple teams across the enterprise increases the complexity of compliance management against industry standards, making evidence collection and visualization challenging.
Inability to get real-time, accurate and actionable insights to detect and respond to threats — Traditional approaches don’t provide cloud context and correlation and are unable to adapt to the speed of change in the public cloud. These omissions increase resource fatigue and may result in extensive delays in investigating alerts and remediating risky configurations.
Indeed, different views among stakeholders often complicate matters in dealing with cloud compliance.
CIOs
More optimistic than other stakeholders about moving to cloud
CISOs
Need to understand security settings in cloud and how to minimize the attack surface
Developers
Want more visibility into cloud than other stakeholders
Other stakeholders view achieving cloud compliance as a goal that is too complex and costly. A survey of these executives and officers expect their compliance budgets to rise by implementing cloud compliance. At the same time, a majority expect their compliance teams to stay the same size. More firm leaders also expect the personal liability of compliance professionals to increase breaches.2
Cloud compliance and shared responsibility
Part of the confusion shareholders often have regarding cloud compliance is the mistaken belief that cloud service providers (CSPs) provide all the security their organizations need. The reality is that multiple security-related issues for cloud are the responsibility of the client, including compliance.
For public cloud, a shared security responsibility exists between the customer and the CSP. Irrespective of the security or technology layer managed between the two, the customer is ultimately responsible to ensure and demonstrate compliance to the regulators and the auditors.
The fear of breaches
When asked why they prefer to use data centers on-premises instead of take advantage of what cloud offers, stakeholders usually cite breaches as a main reason. Executives and officers hear stories such as the 2019 breach of Capital One, where a hacker gained access to more than 100 million of the company’s credit card applications and accounts. A hacker took advantage of a cloud security misconfiguration as a key step for the successful attack.
That breach actually displayed human error as the problem and not the cloud security. Due to the features of the cloud — specifically rapid provisioning and decentralized governance — human error, omissions or both can occur.
As one observer noted, “The cloud itself is far more secure than any data center. However, we have to think differently about security in the cloud versus the way we have thought about security in the data center.” To that end, the author wrote that executives need to ask the following questions about their cloud security posture based on this breach:
“What are we doing to prevent cloud misconfigurations from happening in the first place?”
“Do we have policy-based guardrails in place to prevent misconfigurations and policy violations from being introduced into our cloud environments?” Unlike security for a data center, cloud security requires continuous scanning get visibility into the cloud estate and monitor against the guiderails to address baseline drift.
Another author made the following recommendations for enterprises to employ in the wake of the Capital One breach:
Ruthlessly clean up unused cloud resources (especially servers and S3 buckets) left over from prior development or production debugging efforts.
Include cloud infrastructure misconfiguration in your penetration testing efforts. Use outside penetration testers and make sure they are knowledgeable about how to find and exploit cloud misconfigurations.3
The impact of cloud misconfiguration
A report from Gartner stresses “Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes.”
Cloud misconfiguration is already the top cause of cloud-based data breaches, according to a survey. The incidents included the following circumstances by percentage:
99%
Number of cloud security failures that Gartner estimates will be the customer’s fault through 2023.4
52%
Unauthorized access to instances or databases
39%
System downtime events
34%
Compliance violation events
32%
Object storage
Cloud misconfiguration include the following causes:
Lack of awareness
Lack of controls
Too many application programming interfaces (APIs)
Negligent insider behavior
Due to the sheer volume and nature of the cloud, a traditional human-centric approach can’t detect and remediate all misconfiguration. Training and awareness including control guiderails will help reduce the omissions.
It can cost more than 50 hours a week for teams to manage the problem in nearly half of enterprises surveyed. Automated detection and remediation are the best way to address cloud configuration challenges.5
A survey of stakeholders found that they expect more regulatory activity in the cloud, including the following top three drivers for the expected increase:
Information requests from regulators
The need to understand changing regulatory expectations
More onerous regulatory and reporting requirements6
Companies face different regulatory obligations in various geographies. Multinational organizations must map regulatory obligations to many different countries and jurisdictions across the globe.
One regulation is the European Union (EU) General Data Protection Regulation (GDPR). The GDPR states that information that reveals a person’s racial or ethnic origin is considered sensitive and could be subject to specific processing conditions. These requirements even apply to companies located in other regions of the world that hold and access the personal data of EU residents.
Additionally, CSPs often provide different levels of control in the cloud than in the data center. This situation adds to regulatory challenges.
The main industries that are seeing an increased focus, volume and complexity of regulations are banking and financial services. In these sectors, many leaders are pursuing innovative business strategies that drive requirements for critical infrastructure and applications to the cloud.
Financial institutions must confront the reality of dramatically increasing costs while also keeping pace with the legislative and regulatory changes arising from numerous regulatory bodies. Global organizations have the added burden of even more international and nation-specific regulations.
Noncompliance has costs. Regulatory violations involving data protection, privacy and disaster recovery can have severe and unintended consequences. Financial penalties and even criminal sanctions can be imposed following a breach.
The cost of compliance is often high, but any effort to reduce staff without demonstrable and measurable improvements in compliance processes and technology could be viewed negatively by regulatory bodies, investors and shareholders. Therefore, security and risk management leaders should invest in cloud security posture management processes and tools to proactively and reactively identify and remediate these risks.7
Providers of a strong cloud security strategy can offer you more than just the cloud risk and compliance maturity assessment and framework. You can extend the services to build the cloud policies in line with the regulatory compliance and security requirements. These changes include layered secured controls across your infrastructure and network and provision the right technology solutions for continuous detection and response.
The activities that need to be considered to meet regulatory compliance requirements include the following:
Assessing your risk and quantifying that risk in financial terms to understand business impact of non-compliance
Identifying the compliance standard or framework meeting the need of the organization requirements
Maintaining a unified source or framework of governance, risk and compliance information for how cloud services are utilized
Building and deploying continuous monitoring of people, process and technology controls to meet cloud compliance requirements. This should also include corporate governance, cybersecurity and regulatory compliance controls
Developing executive and operational dashboards to provide visibility into cloud compliance statuses
Implementing real-time alerting mechanisms for control failures with defined playbooks on how to respond to compliance failures from third-party providers
Ensuring that you can continuously synchronize new cloud services and capabilities with regulatory compliance requirements
Having a security control center that enables clients to define compliance profiles, manage controls and, in continuous real time, monitor compliance across their organization
While these considerations are important, you also should understand the basic processes to get a better idea of how cloud compliance can work for you, including security posture management.
The importance of security posture management
The accelerated adoption of cloud services, along with a high level of automation and user self-service in public cloud, has magnified the importance of organizations having correct cloud configuration and compliance. Ensuring a secure and compliant cloud environment for your enterprise includes gaining an operational visibility of cloud assets. You want to continuously monitor, automate and enforce security policies in alignment with compliance mandates and be able to detect baseline drift and remediate rapidly to reduce risk. A security posture management platform also can continuously assess the security and compliance posture of your cloud resources.
Having a platform for security posture management helps your enterprise achieve the following tasks:
Improve security operations by obtaining visibility into their cloud assets and activity across multiple cloud accounts and providers
Prevent possible breaches by quickly responding to configuration drift and automatically correcting high-risk exposures
Support compliance through alignment and reporting against regulatory requirements
Identify threats and accelerate investigations through behavior analytics, data flow and vulnerability data analysis
When the assessment process is in place, your organization can achieve the following goals:
Gain visibility of your assets
Choose the right compliance framework
Evaluate exclusions, tailoring and more
Perform continuous assessment and integrate to existing security practices
Automate policy builds, remediations and reporting
Perform continuous investigation and audit to reduce attack surface
Additionally, a security posture management platform allows you to reduce risk and response time through automated remediation and flexible notifications and support cloud investigations. Using your native APIs, a security posture management platform can integrate with your cloud accounts to handle cloud compliance and related services.
With a security posture management platform, cloud compliance solution providers ingest configuration and log data from the CSP and provides alerts on any compliance misconfigurations. Those providers can send out resolve alerts for investigations. Your security teams or a managed service provider can triage those alerts, provide investigation and update applicable configurations.
Managed service providers can also respond to compliance notices with changes in policy and compliance alignment along with investigation support. Policy-based and machine learning-assisted analysis can help secure the public cloud estate, address baseline drift and automate evidence collection and reporting.
A security posture management platform includes the following other key features:
Asset discovery and identification
Cloud threat detection
Cloud compliance and governance
Continuous configuration recording
Security operations enablement
The IBM value difference
IBM® can help you establish your cloud compliance strategy, including covering the following areas:
Cloud security strategy
Cyber risk quantification for cloud
Managed services for regulatory compliance
Multicloud security risk and compliance
Cloud security posture management
By defining the right security and compliance policies and designing and deploying the right security posture management solution for your organization, IBM can help provide a secure and compliant multicloud infrastructure.
IBM offers several approaches for cloud solutions, including the following:
Advisory solutions for all major cloud providers
Managed services for all major cloud providers
IBM Cloud® solution — with compliance and trust certifications designed with secure engineering practices, the IBM Cloud platform features layered security controls across network and infrastructure
Integrating with our entire security portfolio
Our managed services solution helps answer challenges with continuous compliance to meet requirements for workloads running on public clouds. The compliance covers not only for regulations impacting the cloud, but also for the GDPR, the Financial Industry Regulatory Authority (FINRA), the U.S. Securities and Exchange Commission (SEC) and other regulatory bodies.
We also feature continuous compliance and automation and cognitive computing. IBM is committed to building the industry’s most secure and open public cloud for business.
To address the critical needs of financial services clients, IBM has IBM Cloud for Financial Services, which offers the following advantages:
Specific features for security, compliance and resiliency that financial institutions require
Banks can confidently host their mission-critical applications in the cloud and transact quickly and efficiently
Uses an ecosystem of multiple banks and more than 30 independent software vendor (ISV) partners
IBM continues to invest in the security capabilities of its public cloud having previously announced new services that further its focus as the leading secure and open public cloud for business. As part of this, we introduced the industry’s strongest commercially available cryptographic technology for the cloud called “Keep Your Own Key.” This gives enterprises the ability to retain control of their own encryption keys — and the hardware security modules that protect them — so customers are the only ones who can control access to their data.
All of these services are designed to mesh seamlessly with the IBM Security™ portfolio, which provides an integrated suite of advanced enterprise security products, services and intelligence to help organizations holistically protect their infrastructures, data and applications against all manner of physical and cyber threats.
IBM operates one of the world’s broadest security research, development and delivery organizations and monitors billions of security events each day in more than 130 countries.