Businesses are embracing the public cloud at an accelerated pace — and for good reason. By tapping hosted services, companies of all sizes and in all verticals are finding fresh, dynamic ways to engage with employees, suppliers, partners and customers.
Related articles: 5 things to do to prep for GDPR
However, as companies race to mix and match cloud-delivered storage, processing power and business apps from the likes of Amazon Web Services, Microsoft Azure and Google Cloud, unforeseen gaps in traditional perimeter network defenses are turning up. Smitten by the benefits of cloud computing, many companies have not bothered to fully address the “shared responsibility” model for security underlying the public cloud.
By the same token, ever-opportunistic cyber criminals have already begun pouncing on these emerging exposures. Emergent cloud computing vulnerabilities have gotten a lot of attention by the cybersecurity community, as well they should.
Much less well understand, and, yet, quite possibly a much more clear and present risk for many thousands of companies is the risk of non-compliance. It turns out that in rush to move to the cloud, companies have created many more opportunities for violating the matrix of industry standards and government regulations that touch on data handling and data privacy.
I recently had a chance to discuss this with Sridhar Karnam, senior director of product marketing for Oracle’s cybersecurity practice. Oracle is much better known as the world’s premier database management company. But security touches everything, and by virtue of its large footprint in business networks, Oracle has quietly assembled a sizable cybersecurity practice. For a drilldown on our discussion, please listen to the accompanying podcast. Here are notable takeaways:
Companies love the cost savings and agility gains achieved cloud services offer. But it has also become much more difficult to setup security and compliance controls, he says. And because cloud services are developed and deployed quickly, simple misconfiguration errors can open up fresh security gaps that hackers are quick to ferret out and exploit, just ask Uber or Tesla.
Misconfigurations and lack of security controls can lead to security vulnerabilities that result in compliance violations. A malicious intruder does not necessarily have to orchestrate a network breach and steal data to put a company on the wrong side of compliance regulations, Karnam observes. More often than not, and especially in the tumult of mixing and matching cloud resources, simple errors can lead to fines and penalties.
Overlapping rules and regs
When you combine infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), with DevOps, rapid innovation can result. But you also complicate any efforts to adhere to industry standards and federal laws the often overlap.
The Payment Card Industry Data Security Standard (PCI DSS,) for instance imposed detailed requirements for tagging and encrypting transaction logs for any businesses conducting payment card transactions; the Health Insurance Portability and Accountability Act, mandate standardized record handling and strict privacy of medical records; the Sarbanes-Oxley Act sets forth data handling rules for public companies; and the Federal Information Security Management Act (FISMA,) requires federal agencies to minimize the risk to data.
Meanwhile, the EU’s revised General Data Protection Regulation (GDPR) will take effect May 25, 2018, imposing new data breach reporting rules and stronger consumer privacy protections, as well as potentially huge penalties for corporate violators.
Traditionally, companies have focused compliance efforts inside the network perimeter. But cloud computing has made the concept of the hard and fast network perimeter obsolete. And yet all too many companies are in denial. A common practice is to wait till an auditor shows up, find the company to be out of compliance of one set of rules and regs, or another, and then tackle the issue in crisis mode, Karnam says.
As it turns out, there are many similarities, even common denominators, among data security standards and regulations. And the technology exists to enable companies to take an integrated approach to enterprise-wide governance, risk management and compliance, he says.
A much smarter approach – one that is well suited to managing compliance in the dynamic cloud environment — is to begin proactively protecting content, applications, systems, platforms, and data, both on premises and in the cloud. Key frameworks can be precisely tuned and continually improved. Karnam compares it to avoiding disease by eating well and getting proper exercise.
“Don’t wait to fall out of compliance to figure out your compliance strategy,” he advises. “Start figuring out the best ways to secure your users, your applications, your data and your infrastructure, then make sure you have proper configuration management, and you won’t go out of compliance.”
(Editor’s note: Last Watchdog has supplied consulting services to Oracle.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: http://www.lastwatchdog.com/podcast-why-companies-need-a-strategy-to-manage-compliance-now-more-than-ever/