Related articles in the Compliance for DevOps Teams series:
- How DevOps Teams can meet NIST compliance standards with automation
- How DevOps Teams can meet HIPAA compliance standards
Businesses must be in compliance with laws, regulations, and standards to ensure that consumers can have confidence that their products, systems, and services are safe, reliable, and of good quality. In this era of digital transformation, more businesses are relying on the cloud than ever before. While working in the cloud is advantageous to businesses, the associated risks and vulnerabilities require a greater focus on meeting compliance to avoid financial risks and losing customers’ trust.
It is necessary to continuously monitor and review every system within a network, but this can be a lot of work. A business could have thousands to tens of thousands of servers, especially within a virtualised cloud environment. With that number of servers, it is not humanly possible to manually monitor and review systems successfully, meaning staying compliant could slip through the cracks.
With so much at stake, companies are thinking hard about how to meet compliance requirements such as NIST, GDPR, HIPAA, and ISO. All of this may sound like another language to you, but the need for compliance affects you too.
This article explores how you can integrate the security controls your organisation needs for compliance without stalling your sprint to deployment.
The chain of compliance
You’ve read a lot about your responsibility in meeting compliance requirements, but what about the rest of the organisation? Meeting compliance is ultimately a team effort. Here’s how everyone else contributes:
- CISOs: The process begins with their commitment to compliance. Without their support it is nearly impossible, because they control the budget and staff allocated to this work. Their commitment is reflected in the corporate strategy. Once they are on board, the work starts: people are hired or trained, processes are designed and implemented, and the necessary technology is purchased and configured.
- Security Manager/SecOps: Because of virtualisation technology in data centres and at cloud providers, the number of servers, routers, and switches has increased dramatically compared with traditional physical data centres. Security managers and SecOps must be committed to meeting compliance as well, since they are responsible for detecting, investigating, and responding to security alerts, and for staying up to date on the ever-changing threat landscape.
- DevOps: This is where you come into play. You are responsible for building, deploying, and running applications that meet the business needs (in this case, compliance), and for reconfiguring them over time as those needs change. Good thing we have tools for that… More on that later.
Why it matters to you
It’s your responsibility to develop applications that meet the needs of your business. In the case of compliance, this is easier said than done: integrating security into your development pipeline is tricky because the requirements keep changing.
Misconfigurations are the primary cause of cloud security issues. This matters to you because whenever a misconfiguration occurs, you have to retroactively build out new configurations to improve security—another time-consuming task. Default configurations from cloud providers that must be altered to meet security and compliance needs, as well as configuration changes or misconfigurations caused by human error, all fall back in your lap because you have to fix the impacted application.
So, how can you address these issues during the development phase? One word: automation.
Automate and accelerate your audits with Trend Micro Cloud One™ – Conformity
Automating security audits allows you to work at lightning speed while meeting business’ compliance needs—a dream come true, right? Conformity enables you to do just that thanks to:
- Seamless integration into your CI/CD pipeline through its APIs.
- Infrastructure as code (IaC) template scanning, so that only secure and compliant templates are deployed.
- Real-time monitoring of your Amazon Web Services (AWS) and Microsoft Azure™ environments from a single multi-cloud view.
- Continuous scans against hundreds of industry best practice checks, including the ones your business cares about: SOC2, ISO 27001, NIST, CIS, GDPR, PCI DSS, HIPAA, and more.
- Standardised and custom reports auditing your infrastructure with an endless combination of filters.
- Connections to preferred third-party providers such as Slack, Jira, Zendesk, PagerDuty, Microsoft Teams, and more.
- A complimentary Knowledge Base that auto-checks against over 750 infrastructure configuration best practices across over 85 AWS and Azure services.
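As an added illustration of the kind of IaC check a pipeline gate performs (example code written for this article, not Conformity's code and not part of the original post), the following Python function inspects a CloudFormation-style template for two common misconfigurations, an administrative port exposed to the whole internet and an S3 bucket missing encryption or public-access blocking, and returns findings a CI job can fail on. The template is a constructed sample; the resource and property names are real CloudFormation ones.

```python
# Added example (not Conformity's code nor from the article): a minimal IaC
# compliance gate over a CloudFormation-style template, as a CI step would run it.
ADMIN_PORTS = (22, 3389)          # SSH and RDP
ANYWHERE = ("0.0.0.0/0", "::/0")  # whole-internet CIDRs
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")

# Constructed sample template (in practice: json.load() of the file under review).
SAMPLE_TEMPLATE = {
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            ]},
        },
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
        },
    }
}

def check_template(template: dict) -> list:
    """Return one finding per misconfiguration; an empty list means the template passes."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                # A rule without ports (e.g. IpProtocol "-1") covers the whole range.
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                exposed = rule.get("CidrIp") in ANYWHERE or rule.get("CidrIpv6") in ANYWHERE
                if exposed and any(lo <= p <= hi for p in ADMIN_PORTS):
                    findings.append(f"{name}: admin port range {lo}-{hi} open to the internet")
        elif res.get("Type") == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append(f"{name}: no server-side encryption configured")
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PAB_KEYS):
                findings.append(f"{name}: public access block not fully enabled")
    return findings

def gate(template: dict) -> bool:
    """CI gate: True only when the template has no findings."""
    return not check_template(template)
```

Run `gate(SAMPLE_TEMPLATE)` in the pipeline step and fail the build when it returns False; the sample template above fails on both the open SSH rule and the unencrypted bucket.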
Want to see how automated compliance security can help you build better and faster while making everyone at work happy? Start your free trial of Conformity today.
Why compliance matters
Compliance may not be the most fascinating subject in the world but understanding what it is and why it’s important to companies can help close the gap between DevOps, SecOps, and CISOs, which ultimately allows you to build with more confidence.
Here’s a quick breakdown with examples so you can become a compliance whizz:
Compliance laws:
- Example: European Union’s General Data Protection Regulation (GDPR) and its associated country-specific laws.
- What it requires: The protection of personal data, commonly referred to as personally identifiable information (PII), such as your name, address, and phone number.
Compliance regulations:
- Example: Health Information Portability and Accountability Act (HIPAA)
- What it requires: Protection of health information, commonly referred to as protected health information (PHI). PHI includes doctor visit notes, x-rays, blood work results, and so on.
- Example: Payment Card Industry Data Security Standard (PCI-DSS)
- What it requires: Protection of credit card numbers and their associated data like the three-digit code on the back of your card, its expiration date, and so on.
Compliance standards:
- Example: International Standards Organisation (ISO)/International Electrotechnical Committee (IEC) 27000-series, known as the ISO27K for short.
- What it is: A series of documents that provides best practice recommendations on information security management—from physical to network security.
- Breakdown of applicable documents:
- ISO/IEC 27001: Details best practices for establishing and maintaining an information security management system (ISMS). Companies can be certified against this standard by an accredited certification body following a successful audit. These best practices include:
- Regular audits of an organisation’s security risks, such as threats, vulnerabilities, and impacts.
- Design and implement acceptable remediation plans for high-risk threats.
- Adopt an overarching management process to ensure continuous compliance is met.
- ISO/IEC 27002: Extensive best practice recommendations for the use of information security controls by people responsible for the ISMS.
- ISO/IEC 27017: Best practices for information security controls for cloud services based on ISO/IEC 27002 guidelines.
Now that we’ve gone through the basics, let’s take a look at how they can be used in real life to avoid events like the Capital One data breach:
The problem: Capital One, by all accounts considered a “mature cloud company”, suffered a massive data breach in 2019 due to a misconfigured web application firewall.
The result of the data breach: More than 100 million U.S. customers impacted and another 6 million in Canada
The standard: ISO/IEC 27001
How it applies: This standard was adopted in 2013 to specify the requirements for developing and implementing an ISMS. The ISMS is the sum of the information security programme, its processes, and all the security controls within a business. If Capital One had followed the best practice of regular, systematic audits, the misconfigured firewall would have been detected and potentially remediated before being exploited.
Tl;dr
Compliance is important to businesses. You are responsible for fixing security issues within deployed applications. To avoid going back and forth with reconfigurations, you want to bake compliance into your development process automatically. You went online looking for an answer and discovered Conformity. Conformity provides automated scanning against over 750 best practice checks, visibility into your overall security posture, and seamless integration with your AWS and Azure tools. See for yourself with our free 30-day trial.