Challenges to Achieving Compliance in the Cloud
Compliance uncertainty is a barrier for many organizations wanting to move workloads to the cloud. There are many standards and controls – Privacy, Compliance, PCI DSS, ITAR, GLBA, SOX, NIST 800-53, GDPR, HIPAA to name a few – and sometimes they compete with one another.
First, you face regulatory requirements that demand proper controls over access to systems and data. You also need to ensure separation of duties by function. Finally, you are required to apply data encryption and protection.
Next, you have to meet audit requirements that prove the level of access each user has and how those levels are maintained. You need to collect evidence of this access in dynamic environments – all while demonstrating the effectiveness of the controls.
What’s Required to Achieve Compliance in the Cloud?
To meet the demands of regulators and auditors, organizations moving to the cloud need to arm themselves with tools that are identity-centric, reduce the scope of audits, and provide fine-grained details of the level of access to cloud resources.
Identity-Centric Resource Control
- Users must authenticate to gain access to protected resources
- The resource is not visible or accessible to users without the proper credentials
Reduced Audit Scope
- Immaterial resources are no longer part of the audit
Logging and Auditing
- Meets the logging and auditing requirements of compliance frameworks
- Logs can be managed by third-party log management tools/SIEMs
How a Software-Defined Perimeter Helps Achieve Compliance in the Cloud
One way to achieve compliance in the cloud is to employ a Software-Defined Perimeter, a network security model that dynamically creates one-to-one network connections between users and the data they access. A Software-Defined Perimeter provides:
- An individualized perimeter for each user
- Fine-grained authorization for on-premises and cloud
- Dynamic adjustment to new cloud server instances
- Consistent access policies across heterogeneous environments
- Contextual awareness driving access and authentication
Case Study: Secure, Compliant Cloud Migration
One financial services regulatory agency needed to migrate workloads to AWS. Its challenges were:
- Granular control of users and environment – per user and per instance dynamic deployments
- Strict controls of admin and DevOps access (separation of duties)
- Heavy compliance and reporting requirements
To overcome these challenges, this agency chose AppGate, a Software-Defined Perimeter network security solution that dynamically creates one-to-one network connections between users and the data they access.
For this agency, AppGate provides granular access control and a migration path that grants access only to specific users and specific devices. AppGate also provides:
- A complete audit trail and logging of all user/device/system events
- Log forwarding to the enterprise SIEM system
- Automatic adjustment of admin user access based on DevOps changes
Case Study: User Access Control to Cloud Resources
Brainspace needed a comprehensive solution to secure access to the cloud environment that delivers its SaaS product. Challenges included:
- Stringent audit requirements that had to be met on a tight timeline
- Requirements to encrypt all traffic and to provide multi-factor authentication, client-side validation and comprehensive logging
AppGate provided a Software-Defined Perimeter solution for secure access control, workstation auditing and policy controls. AppGate helped Brainspace enforce security policies across employee, vendor and customer groups, whether resources are on-premises or in the cloud.
Case Study: Reducing PCI Scope and Effort
SageNet secures, manages and audits a multi-tenant, colocated data center. The company is subject to rigorous PCI compliance requirements. Its challenges were:
- Enabling detailed logging of user access and activities
- Leveraging role-based context to determine network access
- Using network segmentation to reduce the scope of PCI audits
AppGate was used to reduce the time and effort required to collect PCI data by more than 50%. The effort to onboard new customer cardholder data environments was reduced by over 90%. SageNet also used AppGate to create a new security offering that resulted in new revenue.
Enterprise Strategy Group Report: Securing the Shifting Network Perimeter
Want more information? Learn about the five “must-have requirements of an SDP solution for today’s and tomorrow’s compute environments”:
- Identity-based least-privilege application workload access
- Cloaking via separation of control and data paths
- Coverage across devices, workloads, and location
- Enable automation
- Future-ready extensibility
This ESG report is written for security, network, architecture, operations, infrastructure, compliance and risk professionals.