Building a secure cloud environment is one thing. Enforcing cloud compliance and governance is another.
Achieving cloud compliance often requires going further than just implementing basic security safeguards. You must also demonstrate that your cloud complies with whichever internal or external governance rules apply to your business.
Keep reading for an overview of what cloud compliance means, how it works, and how to achieve compliance in the “Big Three” clouds: AWS, Azure, and GCP.
What Is Cloud Compliance?
Cloud compliance consists of the procedures and practices that ensure that a cloud environment complies with governance rules. In other words, when you build a compliant cloud environment, your environment conforms to one or more specific sets of security and privacy standards.
Those standards could be established by a government agency, as is the case with compliance frameworks like the European Union General Data Protection Regulation (GDPR) or the California Privacy Rights Act (CPRA). They could also be an industry standard, like the Payment Card Industry Data Security Standard (PCI DSS). Or, they could be internal governance policies that a company establishes for itself.
Which frameworks affect a given business is determined by factors such as the jurisdiction in which the business operates, its industry or sector, and the number of users it has. For example, the GDPR applies to most businesses that process data owned by or associated with residents of the E.U., regardless of which industry the company operates in or whether the company has a physical presence in the European Union. In contrast, the PCI DSS standard affects only companies that process payments.
Each compliance framework contains a unique set of rules. In general, however, the requirements include mandates such as ensuring “reasonable security” for workloads, encrypting sensitive data, and demonstrating that your organization performs regular audits to identify and address potential security issues.
Cloud Compliance and the Shared Responsibility Model
Compliance and governance are a bit more complicated in the cloud than they are on-prem because public cloud providers operate according to a shared responsibility model. Under this model, cloud providers are responsible for managing some aspects of security, such as securing the physical servers that host VM instances and storage buckets. They also usually perform regular audits of their systems, as required by a variety of government and industry compliance standards.
However, the burden of securing most facets of resources that end users deploy in the cloud lies with end users. Cloud providers expect you to make sure that the data you upload to a storage bucket is protected by access controls as mandated by your compliance frameworks, for instance, and that you secure the OS running on a cloud VM instance.
What this means for cloud compliance is that, while cloud providers address some of the requirements of whichever compliance frameworks affect your business, they don’t address all of them; the remainder is yours to implement and prove. Continuous compliance monitoring is one of the capabilities a CNAPP provides.
To learn more about exactly what your cloud host does and doesn’t do with regard to compliance, refer to the provider’s documentation. AWS publishes its compliance policies, for instance, as does Azure.
How Cloud Compliance Works
Although the specifics of cloud compliance will depend on the types of workloads you are hosting in the cloud and the compliance rules that your business needs to meet, most cloud compliance workflows can be broken down into a few basic steps.
Assess Compliance Needs
The first step is determining what the compliance requirements actually are with regard to your cloud workloads. Most compliance frameworks describe compliance rules in relatively generic terms. The GDPR requires “reasonable security” to protect sensitive data, for example, but it does not specify the exact tools or settings that businesses need to implement to achieve reasonable security.
That means it’s up to the business to assess compliance requirements and determine how to translate them into specific tools and processes.
Define Compliance Rules
After determining how your business will implement the tools and practices necessary to meet cloud compliance requirements, you should define specific rules that will help you track the enforcement of those requirements.
For example, a cloud compliance rule could state that user data must never be stored in your cloud environment in unencrypted form. Or, you could establish a rule stating that SSH access will be disabled by default for cloud VMs.
Perform Compliance Audits
After defining compliance rules, you should perform audits to check whether the rules are being followed.
You can do this manually, of course, by evaluating your cloud workload configurations and determining whether they align with the rules you have established.
But it’s much more efficient to automate compliance by using auditing tools that automatically scan cloud configuration files, logs, and other data sources to detect compliance violations based on the rules you have established.
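The two rules given above under "Define Compliance Rules" (no unencrypted user data, SSH disabled by default on VMs) and the automated audit step just described can be expressed as policy-as-code. The following is an added example, not code from the original page or from any vendor tool: the resource inventory is constructed and hypothetical, and the rule IDs (ENC-1, SSH-1, SSH-2) and field names are assumptions chosen for illustration. It generalizes the two stated rules into a small rule engine that evaluates every resource of a matching type and returns the violations.

```python
"""Policy-as-code compliance audit over an inventory of cloud resources (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample inventory; these resources and names are hypothetical, not a real account.
INVENTORY: List[Dict] = [
    {"type": "storage_bucket", "name": "customer-data", "encryption": {"enabled": False}},
    {"type": "storage_bucket", "name": "backups", "encryption": {"enabled": True}},
    {"type": "vm", "name": "web-1", "ssh_enabled": True, "ssh_ingress_cidrs": ["0.0.0.0/0"]},
    {"type": "vm", "name": "batch-2", "ssh_enabled": False, "ssh_ingress_cidrs": []},
]


@dataclass(frozen=True)
class Rule:
    rule_id: str            # assumed identifier scheme, e.g. "ENC-1"
    applies_to: str         # resource type the rule is evaluated against
    description: str
    check: Callable[[Dict], bool]   # returns True when the resource is compliant


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource: str
    description: str


def bucket_encrypted(res: Dict) -> bool:
    """Rule from the text: user data must never be stored unencrypted."""
    return bool(res.get("encryption", {}).get("enabled", False))


def ssh_disabled(res: Dict) -> bool:
    """Rule from the text: SSH access is disabled by default on cloud VMs."""
    return not res.get("ssh_enabled", False)


def no_world_ssh(res: Dict) -> bool:
    """Stricter companion rule (assumed): even where SSH is enabled, it is never open to 0.0.0.0/0."""
    return "0.0.0.0/0" not in res.get("ssh_ingress_cidrs", [])


RULES: List[Rule] = [
    Rule("ENC-1", "storage_bucket", "Bucket must have encryption at rest enabled", bucket_encrypted),
    Rule("SSH-1", "vm", "SSH must be disabled by default on VM instances", ssh_disabled),
    Rule("SSH-2", "vm", "SSH ingress must not be allowed from 0.0.0.0/0", no_world_ssh),
]


def audit(inventory: List[Dict], rules: List[Rule]) -> List[Finding]:
    """Evaluate every rule against every resource of the matching type; return violations only."""
    findings: List[Finding] = []
    for res in inventory:
        for rule in rules:
            if rule.applies_to == res.get("type") and not rule.check(res):
                findings.append(Finding(rule.rule_id, res["name"], rule.description))
    return findings


def is_compliant(inventory: List[Dict], rules: List[Rule]) -> bool:
    """Pass/fail verdict suitable for a CI gate or scheduled audit job."""
    return not audit(inventory, rules)


if __name__ == "__main__":
    for f in audit(INVENTORY, RULES):
        print(f"{f.rule_id}  {f.resource}: {f.description}")
    print("compliant" if is_compliant(INVENTORY, RULES) else "NON-COMPLIANT")
```

Running it against the constructed inventory reports the unencrypted bucket and the VM with SSH enabled and world-reachable; a real audit would feed `audit()` an inventory exported from the provider's API rather than a literal list, and the rule set would be versioned alongside the infrastructure code so that the audit criteria themselves are reviewable.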
Compliance and Governance, Cloud-By-Cloud
Although the process for meeting compliance and governance requirements is more or less the same in any type of cloud environment, it’s helpful to know which tools each of the major cloud providers offers to help meet those requirements.
AWS Compliance
In AWS, the primary tool for helping to enforce compliance is Audit Manager. Audit Manager is an optional service that AWS customers can use to collect information from across their environments and automatically assess whether workload configurations align with specific compliance requirements.
Audit Manager offers preconfigured rules to check compliance with popular frameworks, like GDPR and PCI DSS, but you’ll need to create custom rules in order to enforce less common frameworks or an internal compliance program.
More generally, you can use AWS CloudTrail logs to monitor your environment. But because CloudTrail itself isn’t designed as a compliance solution, or even an advanced security monitoring tool, you’ll typically want to ingest CloudTrail logs into an external auditing tool to use the data to greatest effect.
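To show what an external auditing tool does with ingested CloudTrail data, here is an added example that is not part of the original page or of any AWS or vendor product. It scans CloudTrail-format records for API calls that weaken controls a compliance framework relies on (removing bucket encryption, stopping or deleting a trail, opening SSH to the world) and reports who did what, when. The records, account ID, trail ARN, security group ID and user names are constructed placeholders; the rule labels are assumptions. The event names and the `requestParameters` layout follow the documented CloudTrail record format for those S3, CloudTrail and EC2 API calls.

```python
"""Compliance scan over CloudTrail-format records (added example; sample data is constructed)."""
import json
from typing import Dict, List

# Constructed CloudTrail-style records. The account ID, ARNs, names and times are placeholders.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketEncryption",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "customer-data"}},
    {"eventTime": "2024-01-10T09:15:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}},
    {"eventTime": "2024-01-10T09:20:31Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-01-10T09:25:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"bucketName": "backups", "key": "db.sql.gz"}},
]})

# API calls that directly undo a control. Rule labels are assumed for this example.
CONTROL_WEAKENING_EVENTS = {
    "DeleteBucketEncryption": "ENC-1 encryption at rest removed from bucket",
    "StopLogging": "LOG-1 CloudTrail logging stopped",
    "DeleteTrail": "LOG-1 CloudTrail trail deleted",
}


def actor(record: Dict) -> str:
    """Best available identity string: IAM user name, else principal ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def resource_of(record: Dict) -> str:
    params = record.get("requestParameters", {}) or {}
    return params.get("bucketName") or params.get("name") or params.get("groupId") or "?"


def world_ssh_opened(record: Dict) -> bool:
    """True if this AuthorizeSecurityGroupIngress call admits TCP/22 (or all traffic) from 0.0.0.0/0."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        covers_ssh = proto == "-1" or lo <= 22 <= hi
        ranges = perm.get("ipRanges", {}).get("items", [])
        if covers_ssh and any(r.get("cidrIp") == "0.0.0.0/0" for r in ranges):
            return True
    return False


def scan_cloudtrail(raw_json: str) -> List[Dict]:
    """Return one finding per control-weakening event, preserving time, actor and resource."""
    findings: List[Dict] = []
    for rec in json.loads(raw_json).get("Records", []):
        name = rec.get("eventName", "")
        if name in CONTROL_WEAKENING_EVENTS:
            rule = CONTROL_WEAKENING_EVENTS[name]
        elif world_ssh_opened(rec):
            rule = "SSH-2 SSH ingress opened to 0.0.0.0/0"
        else:
            continue
        findings.append({"time": rec.get("eventTime"), "actor": actor(rec),
                         "event": name, "resource": resource_of(rec), "rule": rule})
    return findings


if __name__ == "__main__":
    for f in scan_cloudtrail(SAMPLE_CLOUDTRAIL):
        print(f"{f['time']}  {f['actor']:<45} {f['event']:<30} {f['resource']}  -> {f['rule']}")
```

The ordinary `GetObject` call is ignored, while the three control changes produce findings with enough context to open a ticket. In practice the scan runs continuously over trail deliveries rather than over a static file, and pairing it with the configuration audit from the earlier section closes the gap the text describes: the log scan tells you when a control was removed, the configuration scan tells you whether it is still missing.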
Azure Compliance
Unlike AWS, Azure doesn’t have a centralized auditing tool, but it does offer a sophisticated logging architecture. By properly configuring and analyzing Azure logs, you can track compliance across your Azure environment.
Here again, you’ll most likely want to use an external auditing tool to get the most value out of Azure logs for compliance purposes. Azure’s native monitoring services, like Azure Monitor, are designed to help manage application performance and availability, not enforce compliance or automate auditing.
Google Cloud Compliance
Google Cloud has an audit logging service that businesses can use to generate audit trails. The audit logs record information about which actions were performed within cloud environments, when they took place, and who issued them.
The major limitation of audit logging in Google Cloud is that it doesn’t audit your workload configurations. It just allows you to track activity. Thus, you’ll need to use external tools if you want to ensure that IAM rules, network configurations, and other parts of your environment are set up in a way that aligns with your compliance requirements.
Cloud compliance and governance can vary widely from one business to another, and from one cloud to another, depending on the compliance frameworks at play and the types of workloads the business runs. However, all cloud compliance strategies should be oriented around automatically and continuously scanning both configuration files and logs to detect violations of whichever compliance policies a business is required to meet. By finding issues quickly, businesses can correct them before they lead to compliance fines and/or security breaches.