Challenges to Achieving Compliance in the Cloud

March 14, 2017

Compliance uncertainty is a barrier for many organizations wanting to move workloads to the cloud. There are many standards and controls – Privacy, Compliance, PCI DSS, ITAR, GLBA, SOX, NIST 800-53, GDPR, HIPAA to name a few – and sometimes these compete.

Regulatory Requirements

First, you face regulatory requirements that demand you ensure proper controls are in place over systems and data accessibility. You also need to ensure separation of duties by function. Finally, you are required to apply data encryption and protection.

Audit Requirements

Next, you have to meet audit requirements which prove the level of access that each user has and how those levels are maintained. And you need to collect evidence of this access in dynamic environments – all while demonstrating the effectiveness of controls.

What’s Required to Achieve Compliance in the Cloud?

To meet the demands of regulators and auditors, organizations moving to the cloud need to arm themselves with tools that are identity-centric, reduce the scope of audits and provide fine-grained details of the level of access to the cloud.

Identity-Centric Resource Control

  • Users must authenticate to gain access to protected resources
  • The resource is not visible or accessible to users without the proper credentials

Scope Reduction

  • Reduce the scope of audits
  • Immaterial resources are no longer part of the audit

Robust Logging

  • Meets the logging and auditing requirements for compliance frameworks
  • Logs can be managed by third-party log management/SIEMs

How a Software-Defined Perimeter Helps Achieve Compliance in the Cloud

One way to achieve compliance in the cloud is to employ a Software-Defined Perimeter, a new network security model that dynamically creates one-to-one network connections between users and the data they access. A Software-Defined Perimeter provides:

  • An individualized perimeter for each user
  • Fine-grained authorization for on-premises and cloud
  • Dynamic adjustment to new cloud server instances
  • Consistent access policies across heterogeneous environments
  • Contextual awareness driving access and authentication
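To make the properties above concrete, here is an added toy policy engine (illustrative code written for this page, not AppGate's or Cryptzone's implementation): each user gets an individual perimeter computed from identity, contextual signals and live instance tags, undecided instances stay dark, and every decision is emitted as a JSON audit event a SIEM could ingest. All user, group, tag and instance names are constructed.

```python
import json
from dataclasses import dataclass

@dataclass
class Context:
    """Identity plus contextual signals gathered at connection time (constructed)."""
    user: str
    groups: set
    mfa: bool               # did the user complete multi-factor authentication?
    device_compliant: bool  # did the client pass device posture checks?

# Policy keyed by group: which instance tags the group may reach and the
# context required to reach them. Group and tag names are hypothetical.
POLICY = {
    "devops":  {"tags": {"app", "db"}, "require_mfa": True, "require_compliant": True},
    "analyst": {"tags": {"app"},       "require_mfa": True, "require_compliant": False},
}

def perimeter(ctx, instances, audit):
    """Return the instance IDs visible to this user; everything else stays
    invisible. `instances` maps instance ID -> tag, so a newly launched
    instance with a known tag is covered without a policy change."""
    allowed = set()
    for group in ctx.groups:
        rule = POLICY.get(group)
        if rule is None:
            continue
        if rule["require_mfa"] and not ctx.mfa:
            continue
        if rule["require_compliant"] and not ctx.device_compliant:
            continue
        allowed |= {iid for iid, tag in instances.items() if tag in rule["tags"]}
    # One audit event per (user, instance) decision, as a JSON line for a SIEM.
    for iid, tag in instances.items():
        audit.append(json.dumps({"user": ctx.user, "instance": iid, "tag": tag,
                                 "decision": "allow" if iid in allowed else "deny",
                                 "mfa": ctx.mfa, "device_compliant": ctx.device_compliant}))
    return allowed

def demo():
    """Three users against the same fleet, then one new instance appears."""
    audit = []
    fleet = {"i-001": "app", "i-002": "db", "i-003": "build"}  # constructed fleet
    alice = perimeter(Context("alice", {"devops"}, True, True), fleet, audit)
    bob = perimeter(Context("bob", {"analyst"}, True, True), fleet, audit)
    carol = perimeter(Context("carol", {"devops"}, False, True), fleet, audit)  # no MFA
    fleet["i-004"] = "db"  # new instance: alice's perimeter adjusts automatically
    alice_after = perimeter(Context("alice", {"devops"}, True, True), fleet, audit)
    return alice, bob, carol, alice_after, audit
```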

Case Study: Secure, Compliant Cloud Migration

One financial services regulatory agency needed to migrate workloads to AWS. It was challenged with:

  • Granular control of users and environment – per user and per instance dynamic deployments
  • Strict controls of admin and DevOps access (separation of duties)
  • Heavy compliance and reporting requirements

To overcome these challenges, this agency chose AppGate, a Software-Defined Perimeter network security solution that dynamically creates one-to-one network connections between users and the data they access.

AppGate gives this agency granular access control and a migration path that permits access only from specific users and specific devices. AppGate also provides:

  • A complete audit trail and logging of all user/device/system events
  • Logs to pass to enterprise SIEM system
  • Automatic admin user access adjustments based on DevOps changes

Case Study: User Access Control to Cloud Resources

Brainspace needed a comprehensive solution to secure access to the cloud that delivers their SaaS solution. Challenges included:

  • Stringent audit requirements needed to be met with a tight timeline
  • Required encrypting all traffic, multi-factor authentication, client-side validation and comprehensive logging

AppGate provided a Software-Defined Perimeter solution for secure access control, workstation auditing and policy controls. AppGate helped Brainspace enforce security policies across employee, vendor and customer groups, whether resources are on-premises or in the cloud.

Case Study: Reducing PCI Scope and Effort

SageNet secures, manages and audits a multi-tenant, colocated data center. The company is subject to rigorous PCI compliance requirements. It was challenged with:

  • Enabling detailed logging of user access and activities
  • Leveraging role-based context to determine network access
  • Using network segmentation to reduce the scope of PCI audits

AppGate was used to reduce time and effort required to collect PCI data by more than 50%. Onboarding new customer cardholder data environments was reduced by over 90%. SageNet also created a new security offering resulting in new revenue using AppGate.

Enterprise Strategy Group Report: Securing the Shifting Network Perimeter

Want more information? Learn about the five “must-have requirements of an SDP solution for today’s and tomorrow’s compute environments”:

  1. Identity-based least privileged application workload access
  2. Cloaking via separation of control and data paths
  3. Coverage across devices, workloads, and location
  4. Enable automation
  5. Future-ready extensibility

This ESG report is written for security, network, architecture, operations, infrastructure, compliance and risk professionals.

Enterprise Strategy Group Report on Software-Defined Perimeter

Chris Steffen

Christopher Steffen joined Cryptzone in October 2016 as the Technical Director to educate and promote information security and regulatory compliance as it relates to network access management and cloud computing solutions. Before joining the team at Cryptzone, Chris served as the Chief Evangelist – Cloud Security for Hewlett Packard Enterprise (HPE). He has also served in executive roles as the Director of Information Technology at Magpul Industries (a plastics manufacturing company) and as the Principal Technical Architect for Kroll Factual Data (a credit service provider). Steffen has presented at numerous conferences and has been interviewed by multiple online and print media sources. Steffen holds several technical certifications, including CISSP and CISA.