Achieving Continuous Compliance at the Speed of Cloud

By Grant Asplund, Cloud Evangelist, published January 17, 2020

Imagine you’re in a small boat. You’re out in the middle of a pond and you have to keep your boat in precisely the same place, in the middle of the water. For compliance reasons, you cannot allow the boat to get more than five feet away from your designated spot. You’d likely drop your anchor, set it and forget it, and you’d be good to go!

Now, imagine being in a canoe. And, instead of a pond, you’re in the middle of a river. You have the same compliance requirement: you have to keep your canoe in precisely the same place in the middle of the river, and you cannot allow the canoe to get more than five feet away from your designated spot. And you have to do this without the use of an anchor. With nothing but a paddle, you need to keep the canoe in the same place, adjusting for the current, wind, and all other conditions. Suffice it to say, to accomplish this you would have to be constantly working to adjust and maintain your position. You wouldn’t be able to stop, not even for two seconds, without being moved from your location and risking being out of compliance. Moreover, you’re being asked to do this without any training, experience or specific knowledge of how to handle a canoe, let alone how to handle a canoe on a river. It is significantly different from handling a boat on a lake or pond.

This is my analogy for the difference between maintaining compliance in an on-premises datacenter and in a public cloud. Welcome to the world of ‘continuous compliance’. Despite the similarities (floating craft, on water) there are significant differences (shape of craft, moving vs. still water, anchor vs. no anchor), and the skills needed to drop an anchor properly in a still pond are far different from those needed to use a paddle to hold your position on a constantly moving, changing surface.

In my second podcast, I had the pleasure of speaking with Kevin McMahon, Senior Vice President and Chief Compliance Officer at Calpine Corporation, a $10B+ power company headquartered in Houston, TX. Within two minutes of my introducing Kevin and asking my first question, he identified one of the biggest challenges organizations are grappling with when trying to achieve compliance in the cloud.

“I think what you’re seeing in the cloud is a completely different skillset than potentially you had for managing your datacenter…”

Hence my analogy of being in a canoe with only a paddle, on constantly moving water, and trying to stay in one place…it’s a completely different skillset than dropping an anchor from a boat on a still pond.

Although many of the differences are nuanced, this is one of the keys to understand when using public cloud.

The most immediate consequence of not properly training your teams on the cloud is that they will continue to use and work with the cloud the same way they worked with their on-premises datacenter. This means doing things like opening ports for convenient access or embedding passwords in code for easy recollection. These actions can be catastrophic in the cloud: a port opened to 0.0.0.0/0 is reachable from the entire internet rather than from a network behind a perimeter firewall, and a password committed to a repository is a credential anyone with read access to that repository can use. This may be why Gartner has publicly stated, “Between now and 2022, at least 95% of all public cloud failures will be the customer’s fault.”

With regard to maintaining compliance in the cloud, it is critical to appreciate the differences between the cloud and your on-premises environment. The cloud requires continuous interrogation and assessment of your environment in order to maintain continuous compliance; a point-in-time audit describes a state that may no longer exist by the time the report is read. What exacerbates the challenge is the elastic and ephemeral nature of cloud resources: instances and containers that live for minutes can be created, misconfigured and destroyed between two scheduled scans.

Regardless of your specific public cloud environment, a great starting point for you to begin building your own automated, continuous compliance architecture and plan is the eBook we published together with AWS titled, “AUTOMATE YOUR CLOUD COMPLIANCE JOURNEY IN 6 STEPS”.

As you will read in the eBook, it is essential to fully understand the ‘Shared Responsibility Model’ of the cloud. Very simply bifurcated, it is ‘IN and OF’: you are responsible for security ‘IN’ the cloud (your configurations, identities, data and workloads) and the cloud provider is responsible for security ‘OF’ the cloud (the underlying facilities, hardware and hypervisors). The eBook goes on to suggest “Organizations are challenged with securing these environments and scaling their security controls. Cloud Security Operations teams are unable to keep up with deploying, maintaining, and updating security policies across each environment.” Additionally, the eBook continues, “…it can be difficult to remediate misconfigurations before a breach occurs due to the dynamic nature of the cloud environments.”

The six steps detailed in the eBook are:

1. Gain Visibility

You cannot secure what you cannot see so obtaining visibility is crucial to determining how environments should be protected.

2. Select Compliance Framework and Scope

After evaluating the landscape of your environment and current security posture, you can begin building a new compliance program.

3. Evaluate Initial Results and Plan

Assess, Exclude, Customize

4. Monitor Your Continuous Compliance Program

In order to transition from ad-hoc assessments to a continuous compliance process, you need to run them on an ongoing basis and set up real-time notifications for non-compliant resources.

5. Automate Remediation

Automatic remediation should start with addressing the most important findings. This can include closing public-facing security configurations or enabling encryption on storage.

6. Reporting and Auditing

At this point in your compliance journey, your focus should be on maintaining up-to-date reports.
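The six steps above describe a loop: take an inventory, evaluate it against a scoped rule set with documented exclusions, compare each run with the last so that only new findings raise a notification, fix the highest-impact findings automatically, and produce a report. The following is an added example of that loop, written for this page and not taken from the eBook or from the author. It runs against a constructed inventory (stand-ins for what a cloud provider’s API would return), the rule ids SG-1 and S3-1, the allowed-port list and the exclusion for the bastion host are hypothetical, and remediation mutates the inventory in place where a real implementation would call the provider’s API.

```python
"""Continuous-compliance loop over a constructed cloud inventory.

Added example, not code from the eBook or the page author. Resource
shapes, rule ids, the allowed-port policy and the exclusion list are
all hypothetical; the inventory is constructed sample data.
"""
from dataclasses import dataclass

ANY = "0.0.0.0/0"
# Ports the hypothetical policy allows to the whole internet.
ALLOWED_PUBLIC_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource_id: str
    detail: str


# Step 1, visibility: a snapshot of the environment (constructed data).
def snapshot() -> dict:
    return {
        "security_groups": [
            {"id": "sg-web", "ingress": [{"port": 443, "cidr": ANY}]},
            {"id": "sg-db", "ingress": [{"port": 5432, "cidr": ANY}]},
            {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": ANY}]},
        ],
        "buckets": [
            {"id": "logs", "encrypted": False},
            {"id": "assets", "encrypted": True},
        ],
    }


def is_public_non_web(rule: dict) -> bool:
    return rule["cidr"] == ANY and rule["port"] not in ALLOWED_PUBLIC_PORTS


# Step 2, framework and scope: one rule per control, each yielding findings.
def rule_sg_public_ports(inv: dict):
    for sg in inv["security_groups"]:
        for r in sg["ingress"]:
            if is_public_non_web(r):
                yield Finding("SG-1", sg["id"], f"port {r['port']} open to {ANY}")


def rule_bucket_encryption(inv: dict):
    for b in inv["buckets"]:
        if not b["encrypted"]:
            yield Finding("S3-1", b["id"], "encryption at rest disabled")


RULES = (rule_sg_public_ports, rule_bucket_encryption)

# Step 3, exclusions: reviewed, documented exceptions (hypothetical).
EXCLUSIONS = {("SG-1", "sg-bastion")}


def assess(inv: dict, exclusions=EXCLUSIONS) -> list:
    """Run every rule and drop excluded (rule, resource) pairs."""
    return [f for rule in RULES for f in rule(inv)
            if (f.rule_id, f.resource_id) not in exclusions]


# Step 4, monitoring: compare with the previous run so a notification
# fires only for new findings; resolved findings are tracked as well.
def diff(previous: list, current: list) -> tuple:
    prev = {(f.rule_id, f.resource_id) for f in previous}
    cur = {(f.rule_id, f.resource_id) for f in current}
    return sorted(cur - prev), sorted(prev - cur)


# Step 5, remediation: close public ingress and enable storage encryption.
def remediate(inv: dict, findings: list) -> list:
    actions = []
    for f in findings:
        if f.rule_id == "SG-1":
            sg = next(s for s in inv["security_groups"] if s["id"] == f.resource_id)
            sg["ingress"] = [r for r in sg["ingress"] if not is_public_non_web(r)]
            actions.append(f"revoked public ingress on {f.resource_id}")
        elif f.rule_id == "S3-1":
            b = next(x for x in inv["buckets"] if x["id"] == f.resource_id)
            b["encrypted"] = True
            actions.append(f"enabled encryption on {f.resource_id}")
    return actions


# Step 6, reporting: a point-in-time summary an auditor can read.
def report(findings: list, exclusions=EXCLUSIONS) -> dict:
    rule_ids = sorted({f.rule_id for f in findings})
    return {
        "compliant": not findings,
        "open_findings": len(findings),
        "by_rule": {r: sum(1 for f in findings if f.rule_id == r) for r in rule_ids},
        "exclusions": sorted(exclusions),
    }


if __name__ == "__main__":
    inv = snapshot()
    first = assess(inv)
    for f in first:
        print("finding:", f.rule_id, f.resource_id, f.detail)
    for a in remediate(inv, first):
        print("remediated:", a)
    second = assess(inv)
    print("new:", diff(first, second)[0], "resolved:", diff(first, second)[1])
    print(report(second))
```

In a real deployment the snapshot function is replaced by calls to the provider SDK, the loop runs on a schedule or is triggered by configuration-change events, and the `new` list from `diff` is what feeds the real-time notifications step 4 calls for; keeping the exclusion list as explicit (rule, resource) pairs under version control is what lets an auditor see why the bastion host’s port 22 is not counted as a finding.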

Before you dive in and begin building your automated compliance framework, Kevin strongly suggests you make sure you have the expertise required to be ‘fluent’ in the cloud. He admits that the speed of business, and the pressures and demands to move into the cloud and adopt new technologies like containers and Kubernetes, are immense. And implementing advanced capabilities such as CloudFormation templates and serverless functions means companies often have to seek cloud expertise outside their own organization. Alternatively, there is an abundance of both free and for-fee cloud certification training available from various organizations (SANS, ISSA, ISACA) and from the cloud providers themselves.

With a cloud certified team, you’ll be ready to sail the IaaS seas and make full use of the massive capabilities at your fingertips. And, with an automated compliance framework in place, you’ll be able to ensure smooth sailing…especially when your auditors hop aboard!

Subscribe and listen to all my TalkingCloud podcasts here:

TalkingCloud is available on Apple Podcasts, Google Podcasts and Podbean at