Our work, both with clients and with tools, has lead us to wonder how it is that organizations are handling compliance issues in the cloud. The big cloud vendors offer compliance for their infrastructure, but the shared responsibility model requires that you take certain steps to meet compliance requirements.
Which lead us to start poking around a little more. We wanted to get a picture of what was available, and how it was being used. There is a lot of fluidity in this space, as in all things cloud. The fact that DevOps Security plays into the cloud compliance model – particularly in dynamic cloud environments – makes it even more fluid.
We’ve found the following options are the ones most frequently being pursued in cloud deployments for industries that need to meet compliance requirements.
Not in the Cloud
This is the default, and a lot of companies are following it. That is not to say they don’t use the cloud, but that anything that falls under compliance requirements is not moved to the cloud. In its simplest form, only static web sites are moved out to the cloud, or only SaaS, where compliance burdens fall more heavily on the provider are moved out of the datacenter.
All of the major vendors have guidelines to compliance for the customers’ part of the shared responsibility model. Since AWS is the largest cloud provider, we’ll link to their section. This requires manual effort and maintenance of scripts, but allows compliance to closely match inside-the-DC compliance. This is arguably the most often followed model.
There is a healthy consulting business around compliance in the cloud, and a fair number of organizations are using it. By asking someone whose specialty is the nexus of compliance and cloud, the organization gets the results required without burning up a ton of man-hours internally. This too is a popular option, and should your organization go in that direction, there are plenty of resources to help find the consultant/service that best suits a given scenario.
There is a growing collection of tools available to help ease the transition to Cloud based compliance. They range from tools that aim to lock down the application itself to tools that run through cloud vendor settings and validate that the clients’ share of infrastructure configuration is compliant.
Due to the rate of change that both agile and DevOps introduce, we see this type of automation as the direction of the future, but it is too early to say how soon in the future. The simple fact is that Security and Compliance teams were already overburdened, and automation is the only thing that will allow them to stay ahead of the curve. The question is how fast the tools can both mature and engender trust amongst those responsible for corporate compliance.
In the End, it is about the Org
The answer is different for each organization, sometimes even for each application portfolio or even application. We’re just listing the most common paths teams take, so if you’re looking for more options than whatever is currently happening, you have a place to start. There is a decent amount written about each of these options, so researching the one that suits you should not be a problem.