Related articles in the Compliance for DevOps Teams series:
- How DevOps Teams Can Prove ISO Compliance with Automation
- How DevOps Teams can meet HIPAA compliance standards
Cloud computing has become the de-facto method for developing applications thanks to its convenient, self-service, on-demand computing capabilities, often at a fraction of the cost of on-premises solutions. Companies using the cloud also experience more agility, allowing them to provide indispensable resources like the ability to expand and contract services based on utilisation and demand and access those services from anywhere in the world. Enterprises using cloud-native programmes like Microsoft Office, Dropbox™, and Google G Suite™ can sustain their business while employees worked remotely due to the COVID-19 pandemic. However, nothing is perfect, so unfortunately using a cloud computing model has its challenges. Security, interoperability, and legal and regulatory compliance are amongst the chief hurdles to overcome.
With much at stake, companies are thinking about how to meet their compliance requirements with standards and laws like GDPR, HIPAA, and ISO. Although integrating compliance into your build process may be unfamiliar and seem overwhelming, the benefits are doing so are completely worth it. By automating compliance early in your development cycle you remove security hurdles, which allows you to innovate and build quicker.
In this article we will review why meeting compliance obligations are important to you (not just executives) and how using the National Institute of Standards and Technology (NIST) to meet compliance obligations can benefit your build process.
What is NIST?
To put it simply, NIST uses its NIST Cybersecurity Framework (CSF) to help business better understand and manage their cybersecurity risks.
The NIST Cybersecurity Framework is made up of:
5 central elements:
- Identify: Sync up on a common understanding to manage cybersecurity risks for systems, people, data, etc.
- Protect: A security plan to ensure the organisation runs smoothly
- Detect: Timely discovery of cybersecurity events
- Respond: Quick remediation to minimise impact to the business and its customers
- Recover: Like reviewing the game film—you need to adapt your strategy to protect against new and evolving threats
3 essential components:
- Framework core: Standards, guidelines, and practices that help produce desired outcomes by improving communication of cybersecurity activities and results across the entire organisation.
- Implementation tiers: Provide context on how organisations view risks and what processes are in place to manage said risks. The tiers also “rank” the business’ risk management throughout time.
- Framework profiles: The framework, like cybersecurity, is not one-size-fits-all. The profile reflects the specific needs of the business and helps identify opportunities for improvement.
NIST and the cloud
While the NIST CSF evaluates the organisation’s general cybersecurity posture, the NIST Cloud Computing Programme (NCCP) is a model that promotes cloud adoption through cost-effectiveness, availability, high-performance, and convenience. The cloud computing model is composed of:
5 essential characteristics:
Three service models:
- Software as a service (SaaS)
- Platform as a service (PaaS)
- Infrastructure as a service (IaaS)
Four deployment models:
Who has to comply?
In an ideal world, everyone. You might read that and think: “chill Big Brother,” but NIST isn’t about controlling you, it’s about giving you control over your cloud environments. Think of using NIST like following a fitness plan with the goal of doing 100 push-ups. The more you follow the plan, the more likely you’ll reach your goal. But if you decide to starfish in bed the entire time instead, your chances of doing 100 push-ups diminish.
It’s no secret that there is a significant knowledge gap between organisations when it comes to securing high-value assets, often because a lot of laws and regulations tell you to be secure but fail to tell you how to be secure. NIST aims to eliminate these gaps by providing detailed guidance, no matter the industry or organisation size. That’s why many companies have voluntarily started leveraging NIST guidelines and standards to implement, manage, operate, monitor, and improve their security programmes for a stronger defence posture.
Thanks to the Federal Information Security Modernization Act of 2014 (FISMA), US government agencies and their contractors are now required to implement “effective information security programmes” that include risk management, security governance, security evaluation and testing, and incident response capabilities. And how do you think they go about doing that? You guessed it—following NIST standards.
NIST in action
Since NIST is more of a guidebook than an actual law, one cannot accurately say a breach occurred because the organisation didn’t follow NIST. But, if you take a look at the cause of breaches, you’ll recognise how leveraging NIST could’ve led to a better outcome. Here are some recent breaches that could’ve used a little help from NIST:
Facebook: Oops, I did it again
Starting with the latest Facebook data breach. This one resulted in phone numbers and email addresses of 533 million users being exposed and posted on a popular hacker forum. Facebook responded that it was no big deal because the breach occurred in 2019, which is actually more concerning.
In lieu of the fact this breach actually happened two years ago, elements #4 and #5 of NCF come to mind. Facebook claims they “found and fixed” the issue in August 2019, but since then they’ve experience similar email/phone number breaches in September and December 2019 and early 2020. Also, Facebook did a poor job on the recovery front—as the scraped data went on to be exposed nearly two years later.
Estee Lauder: Not so beautiful breach
The cosmetic giant exposed more than 440 million data pieces due to an unsecured database. And when we say unsecured, we mean there was no password protection in place. Estee Lauder needs to go back to NCF element #1 and identify which systems need to be protected, and then work toward a more secure and protected infrastructure.
U.S. Cellular: Customer service blunder
In January 2021, hackers targeted retail employees of the fourth-largest wireless carrier in the US. Through an undisclosed method, hackers were able to trick employees into downloading malicious software to gain remote access to the company’s customer relationship management (CRM) software and company devices containing records for nearly 5 million customers. The silver lining of this breach is that U.S. Cellular detected it just two days after the attack. While we may think breaches take place on servers, this event shows that the human attack vector needs to be secured as well. This is where NCF element #1 comes in play—security isn’t just about configurations, it’s also educating employees on the signs of a potential scam.
Why does this matter to you?
It’s your responsibility to ensure that the applications you build, the servers you deploy, and the services you utilise are built and configured to protect your business from security breaches. Meeting compliance is part of that, because the goals of compliance laws and regulations are similar to yours: making sure everything is safe. Adhering to the NIST CSF and other evaulations based on the NCCP, also enables a strong DevOps or DevSecOps culture, which as we discussed here (shameless promotion plug), benefits you.
Thanks to automation, leveraging NIST and meeting compliance regulations doesn’t have to be as time-consuming or complicated as you might’ve anticipated. Automating security scans for misconfigurations saves you time from manually scanning everything and reduces the chances of breaches caused by human error (the #1 cause of cloud misconfigurations). Some other benefits of automation are:
Automate and accelerate your audits with Trend Micro Cloud One™ – Conformity
Automating security audits allows you to work at lightning speed while meeting business’ compliance needs—a dream come true, right? Conformity enables you to do just that thanks to:
- Real-time configuration scans against hundreds of industry best practice cheques for Amazon Web Services (AWS) and Microsoft Azure™ environments.
- Standardised and custom reports to audit your environment, including all the ones your business cares about: NIST, SOC2, ISO 27001, CIS, GDPR, PCI DSS, HIPAA, and more.
- Library of over 800 cloud service configuration remediation guides so that no matter your team’s cloud or security skill level, your misconfigurations can get fixed.
- Seamless integration into your CI/CD pipeline due to powerful APIs.
- Infrastructure as code (IaC) ensures only the most secure and compliant templates are deployed.
- Connects to preferred third-party providers such as Slack, Jira, Zendesk, PagerDuty, Microsoft Teams, and more.
Want to see how automated cloud security posture management can help you build better and faster?
Start your free trial of Conformity today.