One of the recurring challenges faced by companies adopting a cloud-native approach is achieving compliance. As organizations accelerate their digital transformation, cloud-native technologies remain key drivers in optimizing business processes, culture, and customer experiences. In the face of this transformation, a traditional perimeter-based networking approach is no longer sufficient to secure cloud-native applications.
During the recent Cloud Native Security Summit, hosted by Capsule8 with partners Open Raven and Snowflake, Capsule8 Compliance Manager Cynthia Burke moderated a panel addressing some of these concerns. On the panel were Al Faiella, Director of Cyber Security, Unqork; Donal Kerr, Chief Administrative Officer, Securitas; and Sloane Burwell, Senior Security Compliance Analyst, HackerOne.
Among IT professionals, compliance remains one of the most significant recurring challenges. A survey conducted by the Cloud Security Alliance found that 62% named security and 57% named compliance as top challenges, and the picture is comparable across companies of all sizes – from enterprises just starting the transition to cloud to smaller companies jumping straight into containers and microservices.
In the session, each panelist discussed some of their biggest pain points in achieving compliance, how to address these and other issues, and best practices for ensuring compliance for a cloud-native environment.
Privacy Regulations and PII in the Cloud
For every company, the compliance challenges faced are different. However, one of the biggest concerns seems to be data privacy and protecting client data, specifically the difficulties surrounding personally identifiable information (PII). As new privacy legislation is introduced and implemented around the globe, there is a disconnect over what PII even means and how privacy should be protected. Comparing the US to the EU, for example, there is no shared, meaningful concept of what privacy means and how regulations should protect it.
In the UK, privacy is seen as a civil rights issue, whereas in the US it is often seen as a business issue. The resulting regulations in each country then tend to focus on different aspects of privacy and different ways to address it. To ensure they can meet all of these requirements, Sloane and her team at HackerOne build to the most stringent ones, including Brazil's LGPD.
GDPR has been implemented in the EU and is one of the world's first and most sweeping privacy regulations. The goal of the legislation was to address concerns over corporations using people's data to identify, categorize, or market to them without their consent. However, because enforcement is carried out by each member state's own supervisory authority, there have been varying interpretations of the law, leading to uneven application and enforcement.
One major issue is staffing: regulators do not have the resources in place to respond to the large number of ongoing investigations of global companies holding PII in Europe. Each country approaches regulation and fines differently. Spain, for example, has issued a large number of fines relative to other nations, but targets them more indiscriminately. The UK has focused on large violations and, therefore, larger fines. The architects of GDPR have already started to call for revisions of the legislation to address the issues that have developed since its implementation. When the law was envisioned, the data processor and data controller were assumed to be the same party, and it was not assumed that so much of the data would reside in the cloud, which makes jurisdiction a muddy issue.
Addressing the Variance of Regulatory Requirements
This idea that technology and real-world conditions are outpacing regulatory requirements doesn’t just apply to privacy laws. Whether SOC2, FedRAMP, GDPR, or another set of regulations, the language doesn’t always map to the real world, where many companies are running cloud-native Linux infrastructures.
Regulatory requirements often are very vague or hyper-detailed, which leads to dramatically different approaches to compliance. In the case of vague regulations, Al and his team at Unqork interpret them the best they can within the context of how their systems are implemented. For more specific regulations, they evaluate how to ensure they have the necessary pieces in place in a manner that is both defensible and impactful.
As a result, many companies have to walk a fine line between addressing real-world security risks and satisfying the regulatory requirements to which they are held. Walking that middle ground is one of their greatest challenges.
HackerOne, Sloane noted, has offices in the Netherlands, Finland, and San Francisco, meaning they are subject to a range of different regulations from some of the heavier regulatory bodies in the world. For them, managing privacy concerns is a central challenge. How do you balance the need for transparency with the need to protect security researchers and professionals who want to remain anonymous for safety reasons, as an example?
There is also a false sense of security that some companies feel when they move to the cloud, assuming they are suddenly compliant because the cloud service providers they work with are compliant on their end. The reality is that beyond the infrastructure, the risks are still present in the cloud.
In the on-premises world, securing data largely meant securing the infrastructure within your own network perimeter. If there is a breach or exposure in the cloud today, it can mean the entire Internet suddenly gaining access to sensitive internal data. This kind of issue happens almost every day with large repositories of private and commercially sensitive data.
Part of addressing this issue is communication. Does a company truly understand the responsibilities they have when they move their data to the cloud, to protect it, and manage permissions and roles to access key pieces of data? At the same time, do the cloud service providers communicate these shared responsibilities effectively? The answer is often no.
Meeting Evolving Security and Compliance Needs
With all of these challenges in mind, how can companies achieve both security and compliance without sacrificing one for the other? How do companies ensure they are security first while still meeting compliance?
The first step in this process is to ensure your engineering team, DevOps team, and legal team are in lockstep, so that everyone fully understands how each regulation is being interpreted and addressed. Once it is clear what needs to be accomplished, the engineering team can follow through and complete the necessary steps, and space opens up to innovate and be creative in how you address both compliance and security concerns.
In the past, compliance was a blocker, grinding projects to a halt and turning everyone against you. Today, it’s vital that security teams act as problem solvers. By decreasing tech debt and friction between departments and becoming a true problem solver, it’s easier to work with other teams in the organization more seamlessly.
You also have to see compliance and privacy as tied to sales enablement. In the past, security and compliance were seen as a cost center. Today, if deals won’t close without security and compliance sign-off, and if privacy hasn’t weighed in, you become a profit center. This can help to facilitate sales. When salespeople reach out to your team to speak with potential clients, you become an integral part of the process and seen as a value add by more sectors of the organization.
Many global organizations, particularly those in the EU, need hybrid professionals who are both technical and understand policy and regulations, especially in a cloud-native world. For example, a new AWS account opens in the US East (N. Virginia) region, us-east-1, by default, and resources are created in whichever region is selected at the time. Not understanding regulatory needs and not changing default configurations has led to many EU companies storing their data outside the EU without realizing it. The key here is to use technology and tools to map security and compliance controls to your organization's business risks.
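One way to turn a data-residency requirement like the one above into an enforced control, rather than a default that engineers have to remember, is an AWS Organizations service control policy (SCP) that denies any API request aimed at a region outside an allow-list. The policy below is an added example written for this article, not something from the panel or from Capsule8; the two permitted regions (eu-central-1 and eu-west-1) and the abbreviated list of exempted global services are assumptions and should be adjusted to your own footprint. The `aws:RequestedRegion` condition key and the NotAction/Deny pattern are AWS's documented mechanism for this.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideAllowedEURegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "cloudfront:*",
        "route53:*",
        "support:*",
        "ec2:DescribeRegions",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

Two caveats matter in practice. First, the NotAction list exists because global services such as IAM, STS, CloudFront and Route 53 are served out of us-east-1 and would otherwise be blocked; the list here is deliberately short and is an assumption, so test it against your actual workloads before attaching it broadly. Second, an SCP only stops new requests and does not apply to the organization's management account, so it does nothing about data that already landed in us-east-1 under the old defaults; pair it with an inventory of existing resources per region so you know what has to be migrated.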
What to Expect from Compliance in 2021
So what’s next? What will be the hot topic of discussion in compliance for 2021?
Donal sees 2021 as being focused firmly on increased enforcement of GDPR in the EU, potentially leading to greater fragmentation if enforcement continues not to happen at the EU-wide level. A big part of this is the lack of prescriptive text on how to address the requirements laid out in GDPR, something that has been missing thus far.
Sloane focuses on the continued impact of COVID, specifically how companies will manage things like return-to-work, vaccination requirements, and the enforcement of HIPAA in situations where companies don’t want non-vaccinated employees in the workplace. Her big question is about what workplace privacy ultimately looks like in a post-COVID world.
Al emphasizes cloud misconfiguration as a major focus in 2021, especially as it is force-multiplied by the increased use of automation and infrastructure as code. With technology moving so quickly, the work done last year may already be stale. As people continue to rely more and more on automation, it's important that we simultaneously build, deploy, update, and thoughtfully maintain infrastructure in light of compliance concerns.
If you’d like to watch this panel session in its entirety, you can do so here.
If you have additional questions about compliance in a cloud-native world, you can set up a quick conversation with Capsule8’s compliance experts to discuss your challenges and see how we can help – Request a Meeting