“I like mine with lettuce and tomato
Heinz 57 and French fried potatoes
Big kosher pickle and a cold draught beer
Well, good God almighty, which way do I steer…
…for my cheeseburger in paradise?”
– Jimmy Buffett, Cheeseburger in Paradise
Our CEO, Tim Prendergast, dropped some deep philosophical knowledge on me today. It came in the form of something called the Cheeseburger Principle, and as you might have guessed, it relates to cloud compliance.
We spend our days talking with people about the need to apply security and compliance best practices in their cloud environment, and then helping them maintain automated visibility and remediation of vulnerabilities. We try to imprint on them the notion that security never stops; to truly have the best odds of keeping an environment secure, the effort must be continuous. To illustrate this point, Tim invoked cheeseburgers, and it looks like this:
If you want a clean bill of health at your yearly check-up, you can’t eat cheeseburgers for 364 days of the year, eat a salad the day before the check-up, and expect to be told you’re in excellent shape. As much as I wish it did, the world doesn’t work like that, and the same is true of cloud security and compliance. It would make no sense to ignore security controls, configurations, settings, and other critical aspects of your cloud until the day before the auditors come in to review. Well, you could certainly do it, but you’d have an environment populated with bad actors and riddled with holes and ransomware.
Clearly, we’re stretching this metaphor, but the truth is that anything other than continuous, automated compliance creates three problems. First, both your body and your cloud are dynamic entities that are constantly changing; a snapshot of yesterday’s state is not necessarily today’s, so you need a way to monitor its evolution, its changes, and its state at all times. Second, compliance issues and responsibilities pile up while you ignore them, just as your blood pressure edges ever upward if you don’t get off the couch. Lastly, addressing your cloud or your health only when it’s convenient hands an advantage to bad actors and brings the negative consequences that invariably come with avoidance. Basically, you can’t escape what you’re supposed to do.
Look at it this way: without continuous automation, organizations really can’t prove any form of compliance in the cloud because they don’t have timely visibility into infrastructure configuration and workload risk. Timeliness is critical precisely because of the constant change and dynamic nature of your cloud environment.
Continuous monitoring tests frequently whether the configuration of deployed services, the handling of compliance issues, and the security controls remain effective over time (and not just the day before an audit), so that changes which increase risk are identified quickly. That means testing on an ongoing basis to see whether a change has created new or additional risk in cloud deployments. Part of this assessment also covers vulnerabilities: testing that later changes have not reopened any previously discovered and remediated vulnerability to potential attack.
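To make the point concrete, here is an added example of what a continuous configuration check looks like in practice. It is not Cloud Sentry’s code or any vendor’s product; the rules, resource names and the three daily snapshots of an AWS-style environment are constructed for illustration. Each run evaluates the same rules against the current snapshot and then compares the findings with the history of earlier runs, so a finding is reported not only as new or resolved but also as a regression when an issue that was fixed on an earlier day reopens, which is exactly what a point-in-time, day-before-the-audit scan cannot tell you.

```python
"""Continuous compliance check over successive configuration snapshots.

Added illustration, not the original post's or any vendor's code. The
snapshot layout, rule names and resource identifiers are constructed
assumptions loosely modelled on AWS security groups, S3 buckets and EBS
volumes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # identifier of the compliance rule that fired
    resource: str   # identifier of the offending resource


# --- Rules: each yields a Finding per non-compliant resource ---------------

def check_admin_ports_open_to_world(snapshot):
    for sg in snapshot.get("security_groups", []):
        for ingress in sg["ingress"]:
            if ingress["cidr"] == "0.0.0.0/0" and ingress["port"] in (22, 3389):
                yield Finding("sg-admin-port-open-to-world", sg["id"])


def check_public_buckets(snapshot):
    for bucket in snapshot.get("s3_buckets", []):
        if bucket["acl"] == "public-read" or not bucket["block_public_access"]:
            yield Finding("s3-bucket-public", bucket["name"])


def check_unencrypted_volumes(snapshot):
    for volume in snapshot.get("ebs_volumes", []):
        if not volume["encrypted"]:
            yield Finding("ebs-volume-unencrypted", volume["id"])


RULES = (check_admin_ports_open_to_world, check_public_buckets, check_unencrypted_volumes)


def evaluate(snapshot):
    """Run every rule against one snapshot; return the set of findings."""
    return frozenset(f for rule in RULES for f in rule(snapshot))


def compare(history, current):
    """Classify current findings against the list of earlier result sets.

    'regressed' is the key output of *continuous* monitoring: a finding that
    was absent in the previous run but had been seen in some earlier run,
    i.e. a fix that has been undone.
    """
    previous = history[-1] if history else frozenset()
    ever_seen = frozenset().union(*history)
    appeared = current - previous
    return {
        "new": {f for f in appeared if f not in ever_seen},
        "regressed": {f for f in appeared if f in ever_seen},
        "resolved": previous - current,
        "persisting": current & previous,
    }


# --- Constructed snapshots for three consecutive days ----------------------

def snapshot(ssh_cidr, bucket_blocks_public, volumes):
    return {
        "security_groups": [{"id": "sg-web", "ingress": [
            {"port": 22, "cidr": ssh_cidr}, {"port": 443, "cidr": "0.0.0.0/0"}]}],
        "s3_buckets": [{"name": "app-logs", "acl": "private",
                        "block_public_access": bucket_blocks_public}],
        "ebs_volumes": [{"id": vid, "encrypted": enc} for vid, enc in volumes],
    }

DAY1 = snapshot("0.0.0.0/0", False, [("vol-1", True)])            # SSH open, bucket public
DAY2 = snapshot("10.0.0.0/8", False, [("vol-1", True)])           # SSH fixed
DAY3 = snapshot("0.0.0.0/0", True, [("vol-1", True), ("vol-2", False)])  # SSH reopened, new volume


def run_timeline():
    """Evaluate the three days in order and return day 3's comparison report."""
    history = [evaluate(DAY1), evaluate(DAY2)]
    return compare(history, evaluate(DAY3))


if __name__ == "__main__":
    for status, findings in run_timeline().items():
        for f in sorted(findings, key=lambda f: (f.rule, f.resource)):
            print(f"{status.upper():10} {f.rule} on {f.resource}")
```

Run against these snapshots, day 3 reports the SSH rule on sg-web as REGRESSED (fixed on day 2, undone on day 3), vol-2 as NEW, and the public bucket as RESOLVED. A scan taken only on day 3 would show the same two open findings but could not distinguish the regression from a brand-new issue, nor show that one problem had actually been fixed; the history is what lets you measure progress rather than just count holes.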
Remember though, finding the root of the issue is only part of the problem. Once identified, issues need to be fixed and then you have to measure your progress. Just like dropping the burger and getting off the couch, change starts small and progressively builds. So think in terms of incremental improvements, and as they build upon one another, you’ll likely make fewer mistakes over time.
We have a few resources that can help you understand the need for continuous and automated compliance and security. We’ve purposely removed pictures of cheeseburgers so as not to tempt you:
- Continuous Monitoring and Compliance in the Cloud (whitepaper): This white paper will explore how to incorporate continuous monitoring and compliance in the cloud to achieve full visibility, control and the compliance posture essential to your organization.
- Security First – Creating a Secure, Compliant Public Cloud Environment (ebook): This ebook provides a framework for developing a continuous approach to monitoring the state of your cloud environment, applying rapid fixes, and gaining control over all your operations in the cloud.
- 11 Things To Focus On To Be PCI Compliant In AWS: This ebook will explore some practical tips and guidance that we’ve collected from our security and compliance experts who have built and managed PCI-compliant environments in AWS.
Not to worry, Tim is still going to have the occasional cheeseburger, and you should feel free to also. But remember that consistency, awareness, and regular monitoring and attention will provide long term benefits that can keep you and your cloud healthy.
This is a Security Bloggers Network syndicated blog post authored by Patrick Flanders. Read the original post at: Cloud Sentry Blog