<p><strong>Achieve Business Harmony and Compliance Through Automated Policy Enforcement</strong><br />
Palo Alto Networks blog, published 21 February 2019 (last modified 6 May 2019)<br />
<a href="https://www2.paloaltonetworks.com/blog/2019/02/achieve-business-harmony-compliance-automated-policy-enforcement/">https://www2.paloaltonetworks.com/blog/2019/02/achieve-business-harmony-compliance-automated-policy-enforcement/</a></p>

<p>I was doing some compliance research recently and came across the following statistic from the <a href="https://www.veritas.com/form/whitepaper/the-truth-in-cloud#" rel="nofollow,noopener">Veritas Truth in Cloud Study</a>:</p>
<p>"76% of organizations believe that their cloud service providers take care of all data privacy and compliance regulations."</p>
<p>Once I had a chance to collect my jaw from the floor, I began to write this blog post.</p>
<p>Under the <a href="https://www.youtube.com/watch?v=MeQwyc6LMOk" rel="nofollow,noopener">Shared Responsibility Model</a>, the cloud provider secures the underlying cloud infrastructure, but you, the customer, are responsible for ensuring the security, privacy and compliance of your own workloads and data in the cloud.</p>
<p>For this post, let's zero in on compliance.</p>
<p>There are more compliance frameworks than I can count on two hands, and depending on your industry, it's mandatory to comply with one or more of them. Here's a small handful, for example:</p>
<ul>
<li>ISO 27001: International standard</li>
<li>SOC 2: Popular in the U.S., particularly with financial services and SaaS providers</li>
<li>FedRAMP: U.S. government customers; controls based on NIST 800-53</li>
<li>PCI: Credit card payment processing</li>
<li>HIPAA: Healthcare patient data</li>
<li>GDPR: Personal data</li>
</ul>
<p>Become intimately familiar with the frameworks that apply to your business as a prerequisite. From there, you can start tackling roles and responsibilities within your organization.</p>

<p><strong>Cloud Security and Compliance Is a Team Sport</strong></p>
<p>We hosted a <a href="https://www.brighttalk.com/webcast/10903/337122/compliance-is-a-team-sport" rel="nofollow,noopener">webinar</a> on this very topic back in October, but I think it's important to reiterate who the key players are and what each of them is responsible for in ensuring compliance.</p>
<p><em>EVERYONE plays a role.</em></p>
<p><img src="https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/02/Cloudcompiance.png" alt="" /></p>
<p>I like to categorize the players into three buckets:</p>
<ul>
<li><strong>Management</strong> (e.g., C-levels): These are the people who are legally accountable if your organization is out of compliance. The exposure goes beyond the brand: these individuals personally bear the repercussions, up to and including jail time.</li>
<li><strong>Compliance</strong> (e.g., internal audit and governance teams): These people are the interface between the business and the governing bodies. They must make sure compliance programs are up to date and are tested consistently.</li>
<li><strong>InfoSec and Developers</strong> (e.g., SecOps and DevOps): These are the people tasked with doing the work that produces the evidence the audit team needs to demonstrate compliance.</li>
</ul>
<p>We can drill down even further. Let's look at the roles and priorities of these three key players and how they vary with your organization's level of cloud maturity.</p>
<table>
<thead>
<tr>
<th></th>
<th>Adopt Phase</th>
<th>Expand Phase</th>
<th>Scale Phase</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>SecOps</strong></td>
<td>Adapting policies<br />
Exploring tools</td>
<td>Automating security monitoring &amp; assessment for full visibility</td>
<td>Automating enforcement of policy</td>
</tr>
<tr>
<td><strong>DevOps</strong></td>
<td>Adopting a security-first approach<br />
Learning what is available from CSPs</td>
<td>Developing processes to ensure best practices are followed</td>
<td>Automating workflows to validate configuration BEFORE deployment</td>
</tr>
<tr>
<td><strong>Compliance</strong></td>
<td>Learning plans and impact of deployments<br />
Understanding what is inherited from CSPs</td>
<td>Performing periodic measurement to identify gaps in compliance</td>
<td>Compliance scorecard by month, week or day</td>
</tr>
</tbody>
</table>
<p>Figure 1: Cloud maturity levels</p>

<p><strong>The Underlying Contention Between Teams</strong></p>
<p>It's arrived: the dreaded compliance audit. As if SecOps and DevOps aren't busy enough with incident response, now they must shift focus and take on a pile of extra work to help the compliance team secure a passing score on the security audit. That is typically a manual process that demands significant time and resources and causes hefty delays to the priority initiatives they had beyond compliance. Herein lies the problem.</p>
<p>The good news is that automation can help reduce this contention and unite these teams for the greater good: continuous compliance.</p>

<p><strong>Security by Design: Automating Policy Enforcement</strong></p>
<p>According to the <a href="https://www.rightscale.com/press-releases/rightscale-2018-state-of-the-cloud-report" rel="nofollow,noopener">RightScale 2018 Cloud Security Report</a>, 42% of organizations are focused on automating policies for governance. This is good news. Even better, compliance requirements can be fulfilled in the cloud with the right strategy, tools and governance, all rooted in automation.</p>
<p>Automating policy enforcement is hugely beneficial. It gives visibility into policies across clouds and the wider organization, and it propels innovation through confidence that critical policies and standards are always being upheld. Here are some points to keep in mind as you build your strategy and execution:</p>
<ol>
<li><strong>Take a "Shift Left" Approach.</strong> Involve policymakers at each step and as each project is deployed. Also, don't forget that incidents will happen; account for them in your project delivery timelines up front.</li>
<li><strong>Take a Cloud-Centric Approach.</strong> Remember that the cloud is not your data center. You must approach security and compliance, including automated policy enforcement, differently.</li>
<li><strong>Prototypes Become Permanent.</strong> In the cloud, it's never just an experiment. As quickly as you can say "cloud workload," your "experiment" can be exposed on a massive scale.</li>
</ol>
<p>Maintaining compliance as requirements increase and expand in scope can be challenging. The Palo Alto Networks RedLock security and compliance service continuously monitors all cloud resources for potential compliance violations and provides customizable one-click compliance reports. Click-through controls resolve issues quickly in the face of ever-changing configurations and development requirements.</p>
<p><em>Want to learn more? Check out our on-demand webinar: <a href="http://www.start.paloaltonetworks.com/are-you-cloudfit">12 AWS Best Practices to Get You #CloudFit</a></em></p>