
Compliance As Code In Cloud Computing

Compliance In Cloud Computing

My first compliance project was in 2012: a PCI DSS compliant cloud for an e-learning platform. The requirement was quite straightforward: build a DMZ/private infrastructure for a public-facing service. AWS, the only cloud at that time, had just launched its VPC and security group services, and had an API, so it was chosen as the hosting provider. There was no IaC (Infra-as-Code) or CM (Config Management) tool, so automation was done by a simple shell script that called the AWS APIs.


Over the years I have been involved in building compliance-ready clouds for various startups and enterprises. From servers to serverless, modern infrastructure has taken different shapes and forms, and so have the various compliance regimes. However, one thing that has always enabled and accelerated the delivery of such infrastructure is automation.


Be it PCI DSS for e-learning or SOC 2 for a recruitment service, ISO/IEC for fintech or OJK for Indonesian banks, building compliance as code has helped deliver such critical projects in record time while satisfying all the benchmarks required by auditors.


Most global compliance regimes, be they for PCI, PII or PHI, are derived from 5 key trust principles:

Security: The system is protected, both logically and physically, against unauthorised access.
Availability: The system is available for operation and use as committed or agreed to.
Processing Integrity: The completeness, accuracy, validity, timeliness, and authorisation of system processing.
Confidentiality: The system’s ability to protect the information designated as confidential, as committed or agreed.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice.

Cloud platforms do not guarantee the security of your IP (Intellectual Property); your security configurations and policies do. Attacks like DDoS and brute force are inevitable on the internet, and they can bring down an entire business without even entering your perimeter.


For instance, AWS Audit Manager provides 200+ config rules that must be mapped to the respective compliance framework controls. However, you will still need to review and update the evidence as per your organization's compliance needs, and this need will keep growing as compliance regulators update their benchmarks.


One such example is the growing use of AI in online products and services. With so much PII being collected and processed every second, governments have already started looking into regulations. So compliance is an ever-evolving paradigm, and we need to keep pace with it for both the security and the sustainability of the business.


Regular security testing, auditing, penetration testing and vulnerability scanning must be enabled for all infrastructure resources, and the security policy must be kept as version-controlled Security as Code to make it auditable and traceable. This approach also permits portability across cloud providers, as well as tenant-specific customisation and review.


These security policies must be enforced in code as a first-class member of infrastructure creation, making them a default feature in every stage of the application lifecycle.


The configurations must be catered to in the form of Infra as Code and version controlled, so that every configuration change is auditable and traceable, and so that each time an environment is spun up for applications or IT operations these principles come by default, making compliance-related activities in cloud computing easy.

Security settings should no longer be mysterious or feared. Thanks to automation, the impact of a configuration change can be ascertained quickly. This approach also permits portability across cloud providers, as well as tenant-specific customisation and review.


The 10factorinfra is a compilation of all these tried and tested methodologies, design patterns and best practices that I have learnt and implemented over all these years in building secure, scalable and sustainable modern infrastructure for startups and enterprises.


The Challenges:

However, implementing Compliance as Code comes with its own set of challenges. These include:

  • Automation of infra components

  • Application compatibility

  • Portability across cloud platforms

  • Continuous Integration and delivery of security as code

  • Testing the policies on infrastructure and application.


To address these challenges, organisations can adopt the following principles, which are guided by some of the most widely adopted industry standards such as the CIS Benchmarks and AWS security and operations best practices:

  1. Identity and Access Management: RBAC for accounts, web-console, and APIs

  2. Perimeter Security: Securing Network, Systems, and Services

  3. System Security: Hardening, Patching, Vulnerability Scanning for operating system and platforms

  4. Data Security: Protecting and securing database systems and platforms for data at rest and data in transit.

  5. Application Security: Security Testing, Auditing, penetration testing of application

  6. Release Management: Processes for Prod-deployment, Risk & Mitigation Factors (RMF), Security Review

  7. Logging and Auditing: Server, appliance and system logs, API and console logs, database logs

  8. Reporting: Alerting and Notification

  9. Availability: Guidelines for Recovery Time Objective/Recovery Point Objective (RTO/RPO)

  10. Disaster Recovery: Guidelines for DR and rollback, backups

These factors must be catered to in the form of Infra as Code and version controlled, making every configuration change auditable and traceable. Every time an environment is spun up for applications or IT operations, these principles are enforced, making it easy for the client to begin their compliance-related activities.
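As an added illustration (not code from the article or from the 10factorinfra framework), the following Python gate evaluates a constructed Terraform-style plan against three of the factors above: Perimeter Security (2), Data Security (4) and Logging and Auditing (7). The rule set, the resource attribute names and the plan are assumptions made for the example; a real pipeline would run such checks on the plan of every change before it is applied.

```python
"""Compliance-as-code gate over a Terraform-style plan (the `terraform show -json`
shape). Hypothetical rules for factors 2, 4 and 7; the plan is constructed."""
import json

# Constructed plan (not real infra): open admin port, unencrypted DB, unvalidated trail.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"ingress": [
         {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "values": {"storage_encrypted": False, "publicly_accessible": False}},
    {"address": "aws_cloudtrail.audit", "type": "aws_cloudtrail",
     "values": {"enable_log_file_validation": False}},
]}}})

ADMIN_PORTS = {22, 3389}  # SSH and RDP

def check_perimeter(res):
    """Factor 2: no admin port reachable from the whole internet."""
    findings = []
    for rule in res["values"].get("ingress", []):
        exposed = "0.0.0.0/0" in rule.get("cidr_blocks", [])
        hits = sorted(p for p in ADMIN_PORTS if rule["from_port"] <= p <= rule["to_port"])
        if exposed and hits:
            findings.append(f"{res['address']}: port(s) {hits} open to 0.0.0.0/0")
    return findings

def check_data(res):
    """Factor 4: data at rest encrypted, database not publicly reachable."""
    v, findings = res["values"], []
    if not v.get("storage_encrypted", False):
        findings.append(f"{res['address']}: storage_encrypted is false")
    if v.get("publicly_accessible", False):
        findings.append(f"{res['address']}: publicly_accessible is true")
    return findings

def check_logging(res):
    """Factor 7: API audit logs must be tamper-evident."""
    if res["values"].get("enable_log_file_validation", False):
        return []
    return [f"{res['address']}: enable_log_file_validation is false"]

RULES = {"aws_security_group": check_perimeter,
         "aws_db_instance": check_data, "aws_cloudtrail": check_logging}

def evaluate_plan(plan_json):
    """Return every finding; an empty list means the plan may be applied."""
    resources = json.loads(plan_json)["planned_values"]["root_module"]["resources"]
    return [f for r in resources for f in RULES.get(r["type"], lambda _: [])(r)]
```

Because the checks run on the plan rather than on live resources, a failing finding blocks the change in CI before any drift reaches the audited environment, and the rule file itself lives in version control alongside the infrastructure code.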


Summary: Compliance In Cloud Computing

The outcome of implementing Compliance as Code is significant. Security policies become an integral part of the infrastructure creation process, embedded as a first-class member in every stage of the application lifecycle. 


The version-controlled Security as Code not only makes it auditable and traceable but also demystifies security settings. Automation enables organisations to quickly ascertain the impact of configuration changes, transforming security into a transparent and manageable aspect of their operations.


Moreover, the Compliance as Code approach allows for portability across cloud providers and enables tenant-specific customisation and review. This ensures that organisations can seamlessly transition between cloud platforms without compromising on security standards. 


Overall, Compliance as Code empowers organisations to embrace security measures seamlessly, making it an inherent and default feature throughout their entire IT landscape.


Your objective must be to design and implement a security policy for cloud infrastructure based on industry-accepted norms, to get it ready for a third-party information security audit.


If you like this article, I am sure you will find 10-Factor Infrastructure even more useful. It compiles all these tried and tested methodologies, design patterns & best practices into a complete framework for building secure, scalable and resilient modern infrastructure. 




Don’t let your best-selling product suffer due to an unstable, vulnerable & mutable infrastructure.






Thanks & Regards

Kamalika Majumder

