Ensuring continuous compliance in modern dynamic multi-cloud architectures can seem like a daunting task for enterprises on their cloud journey. Achieving and maintaining the required level of compliance across all environments may seem more complex than traditional data center operations. But cloud computing opens up possibilities to stay compliant that by far outweigh the challenges it may add.
In this post you will learn
- what we mean by continuous compliance,
- what are the typical challenges when implementing continuous compliance,
- why a declarative approach is superior
- and as a bonus: What tools and services Azure, AWS and GCP offer you to stay compliant.
Let's get started!
What is continuous compliance?
For compliance and security efforts to make any sense they have to be thought about as ongoing efforts that stretch way beyond the initial setup and migration. Continuous compliance ensures a compliant state of all cloud environments at any point - especially in day to day operations.
A failure to be compliant to - e.g. the European GDPR - can result in substantial fines and loss of reputation.
Continuous compliance is a matter of culture and strategy in your organization and a matter of using the right tools and services to actually live up to the set standards in practice.
What continuous compliance can do is freeing IT departments from reactively responding to requests by regulators or threats to data security: Well implemented continuous compliance practices aim to proactively prepare the organzation for future security threats and audit requirements.
The 3 hurdles to get over when implementing continuous compliance
There are 3 major hurdles any organization needs to clear when it comes to clontinuous compliance and moving to the cloud:
The evaluation of general and industry specific regulation is the first - easier - step, followed by the evaluation of possible cloud platforms and the definition of enterprise specific compliance requirements.
With building we mean the challenge of implementing the continuous compliance strategy organization wide, spanning all teams, environments and applications.
The last hurdle is making the continuous compliance strategy and implementation fit for scale. New cloud platforms, new projects and the dynamic change of existing environments must all be incorporated in continuous compliance efforts.
Continuous Compliance in Cloud Computing
Moving workload to the cloud is a complex operation, even more so when using a multi-cloud architecture with multiple cloud service providers like AWS, Azure and GCP. At first glance achieving and maintaining a standard level of compliance across multiple clouds and applications seems more difficult, when coming from a traditional datacenter for example.
On this timeline you can see major compliance milestones in the cloud migration process and during operations: From evaluation to building and scaling.
Contractual specifics aside, the added complexity is outweight by the added transparency the cloud offers: Cloud technology allows enterprises to audit, query, alert and resolve upcoming issues on a grand scale across all environments.
There is no denying, the initial definition is very complex: A service provided by central IT - let's say a jump host - may take weeks or even months to get security and compliance clearance. But services provided by the cloud like logging and anomaly detection, paradigms like CI/CD and automation are very good tools to overcome complexity and build on a large scale.
The extent to which organizations can utilize the new possibilities and what it will cost them depends on the approach they opt for:
We differentiate between the workflow-centric and the declarative approach.
Challenges of the workflow-centric approach
A common way to speed up slow manual processes is to automate the workflow.
So for example, instead of having an Azure Admin manually create and configure a subscription for a DevOps team, there will be a script automating the workflow to reduce the time needed.
But what happens if the DevOps team lead goes ahead and changes the configuration to better suit the application’s needs? Right, configuration drift, and no one will be aware of environments becoming noncompliant.
To detect non-compliant environments a compliance monitoring can be introduced subsequently: It issues an alarm if compliance policies are violated. A workflow must then be triggered again to resolve the discrepancies.
The declarative approach: Taking continuous compliance a step further
A superior approach is to define a desired state. That is what we mean by the declarative approach. It is the final and most mature stage in our multi-cloud management maturity model. It offers a lot of potential to take the hurdles of building and scaling we talked about earlier.
The declarative approach focuses on the what as opposed to the how of the workflow-centric approach: The declarative approach has the benefit that it enables a continuous validation of the actual state against the defined desired state (re-certification) and provides a single source of truth to avoid configuration drift.
To stick with the Azure example, this could be an Azure subscription with access permissions for a DevOps team lead and one of his team members. This desired state definition can be continuously compared to the actual state. If no subscription or permissions exist yet, they will be initially set up. If the DevOps team lead changes the configuration, this will be detected. If it is intended the desired state can be updated, if not the action can be undone to get back to the desired configuration.
The declarative approach covers both technical and organizational compliance measures: Tools like Azure Resource Manager templates help you describe a desired state to ensure continuous technical compliance.
The same is possible for continuous organizational compliance: As part of the government funded MultiSecure project, meshcloud enables enterprises to describe organizational structures in a declarative format.
Let's have a quick look at an example: Productive cloud environments do not only have to follow specific configurations - provided by landing zones - but organizations have to make sure that only authorized staff creates and accesses these environments.
The idea of MultiSecure is to describe organizational elements and their relationships as code in an open and reusable format - a declarative manifest that represents the desired target state of the organization. MultiSecure allows to centralize this information in an open format, instead of squeezing the organization into the envisaged organizational models of the cloud providers and therefore maintaining multiple proprietary organizational models in parallel and distributed. It builds a projection of the organization that can be consumed by different systems.
A practical look at using meshcloud
Let's have a look at how you can prevent unauthorized and unintended permission changes in your cloud environments using meshcloud:
The creation of new cloud environments often comes with a certain permission set. A DevOps team lead creates a project and receives permissions to access and edit the corresponding cloud environments and so do the other DevOps team members who work on the application deployment.
If DevOps teams receive cloud-native access to the clouds, such permissions are prone to unintended or unauthorized change.
To prevent this configuration drift, the permissions must be monitored. With meshcloud - following the declarative approach - the desired state of configurations is continuously checked against the actual state of the subscription. In case of deviations the configurations will be automatically restored to maintain a compliant state of all environments.
Bonus: A quick look at Azure, AWS and GCP compliance services
The big public cloud platforms offer a range of resources, tools and services to help their customers with implementing their continuous compliance strategies.
Let's have a look!
Microsoft puts its Azure Trust Center forward to explain what Azure offers in terms of compliance: From audit reports and compliance offerings (including regulation and certification like GDPR or ISO 27001) to their understanding of shared responsibility.
With Azure Security Center Microsoft offers an infrastructure security management system to protect cloud and data center workloads.
Further Azure services include
- Azure Sentinel (cloud native SIEM and security analytics)
- Azure Policy (implementing governance and standards for Azure resources)
Amazon offers what they call the AWS Security Hub. It provides insights into the security state of AWS environments and helps checking against set security and compliance standards.
AWS Systems Manager provides visibility and control to manage infrastructure securely at scale. It helps maintainig compliance by detecting policy violations.
Google Cloud Platform:
In their Cloud Compliance Resource Center Google collects all important information on what tools and services GCP offers to help staying compliant on their platform. Google provides a wide variety of compliance offerings - global and regional.
With Google Anthos there now is a service that let's you enforce security and compliance policies across all cloud environments.
GCP also supports third party services like Forseti Security that provide monitoring, enforcing and displaying policies.