Compliance in the Cloud: Q&A Webinar Recap

On April 25th, I had the pleasure of speaking with Ryan Buckner, Principal at Schellman & Company and Kevin Eberman, Director of Ops at MineralTree during a webinar on compliance in the cloud.

Using the cloud as our lens, we discussed the ways in which companies can better understand and navigate compliance. You can view the entire webinar or read our recap below.

Compliance in the Cloud: A TL;DR

Compliance is a big undertaking, and one that companies should be thinking about much earlier than they usually do. There are many drivers to becoming compliant, including:

  • Customer requests
  • Regulatory requirements
  • Sales opportunities
  • Mergers and acquisitions

As I discussed with Ryan and Kevin, a common issue when it comes to meeting compliance in the cloud is that companies don’t understand what it is their cloud provider does and what they have to do.

If your business is running on AWS, for example, you know they’re compliant with all the major compliance frameworks — HIPAA, FedRAMP, NIST, PCI, SOC, and so on. But this applies only to the infrastructure they provide to users, not anything the user does on top of that infrastructure, such as storing data and running applications. As AWS explains it, they provide security of the cloud, and their users are required to ensure security in the cloud. You can read about this in detail in this blog post.

Achieving Continuous Compliance in AWS

We had the opportunity to hear from Kevin about MineralTree’s experience meeting compliance on AWS. Being an accounts payable automation software solution, customers and prospects naturally ask about their PCI compliance. To validate their solution in the market and reduce objections during the sales process, the team opted to get a level 1 PCI attestation of their compliance. While AWS did handle a good number of requirements, there were still many more that he and his team had to meet.

Based on his experience, Kevin had a few key pieces of advice for companies embarking on a cloud compliance journey:

  • Be prepared early. Thankfully for Kevin, the founders of MineralTree are rooted in security, so it’s something the whole company understands and implemented early on. This went a long way in streamlining their compliance process, so his piece of advice to other companies is, even if you’re not sure you need to be compliant, begin putting best practices in place to make your journey a lot easier when the day does come.
  • Maintain ongoing security and compliance. An audit is a point-in-time measurement of how your organization is complying with certain controls and requirements. But it’s never too early to implement them, because many are basic and critical security best practices. Looking ahead, your threat and operating environments will always be changing, so to ensure that you’re continuously compliant and secure, you should maintain most, if not all, of the protections compliance requires to ensure your security posture is locked down.
  • Leverage the right tools. While tools won’t make you compliant, if you don’t have them, your ability to become compliant will be that much more complicated. For example, MineralTree is a Threat Stack user, and since our platform completely satisfies PCI requirements 6, 10, and 11 (involving intrusion detection, network and host detection, and monitoring of key files), this helped streamline their compliance process by meeting a broad range of requirements in one.

Common Compliance Pitfalls and Lessons Learned

Next up, we heard from Ryan, who has seen the good, the bad, and the downright ugly, when it comes to meeting compliance, and shared a lot of that with us on Tuesday:

  • Pitfall 1: Misunderstanding: Companies often misunderstand where they should start and end when it comes to compliance. Knowing what your cloud provider offers is a good start, but to be successful, you need a plan.  Ryan recommends starting with a gap analysis to see which areas you need to work on, and build off that. And as we explain in this post, done is better than perfect when it comes to compliance, so don’t try to boil the ocean.
  • Pitfall 2: Not foreseeing customer needs. If a customer or partner asks that you become compliant within 30–90 days (a common request) it’s very difficult, if not impossible, to do in such a short timeframe, especially if you’re not prepared. So as much as you can, anticipate these needs of your market and business ahead of time by preparing processes, policies, and technologies so that when the need for compliance does come, you can be in as much control as possible.
  • Pitfall 3: Not knowing the options. There is often more flexibility when it comes to compliance than you may think. Begin by understanding the scope. If a customer is asking you to become SOC certified, for example, are they asking about SOC 1 or SOC 2, and what services need to be compliant? Narrowing the scope can be a big time saver — and all that you actually need.
  • Pitfall 4: Not getting subject matter experts involved. Oftentimes security, compliance, and IT teams overlook the importance of developing relationships with subject matter experts (both internal and external). There will be a lot to prepare and put in place for a compliance audit, so it’s okay — and encouraged — to reach out to others for input and help.

Begin by identifying which stakeholders (e.g., executives, developers, HR, legal, sales, compliance consultants, etc.) you need involved, build those relationships early on, and when the time comes for compliance, bring them into the fold as early as possible.

  • Pitfall 5: Not thinking long-term. Oftentimes, Ryan sees companies implement very specific policies and technologies for one particular compliance framework (e.g., FedRAMP), only to have to reinvent the wheel and buy new products a year later when embarking on another compliance journey.

He recommends that companies instead think holistically about their long-term needs and how to bake in best practices that will meet a broad range of requirements, such as monitoring, logging, alerting, least privileges access, network segmentation, and so on. This way, you don’t have to reinvent the wheel every time. And working with a platform like Threat Stack that offers many of these under one umbrella can ensure that your security toolset is lean yet powerful.

The Reality of Becoming Compliant

In its simplest form, compliance is really just a matter of demonstrating things you should already be doing. Take PCI as an example. One requirement is to change your default passwords on network devices. That’s something every company should be doing regardless of whether they need to be compliant, so by simply following best practices, you can begin to meet compliance requirements early on.

As Kevin and Ryan explained during the webinar, by the time auditors or regulators show up for an audit, it’s already too late to implement new things. The requirements that HIPAA, PCI, SOC, and so on ask for are things you should already be doing, and the purpose of an audit should simply be to document what’s being done in a way that is meaningful for the consumers of the report.

Final Words

We’d like to thank Kevin and Ryan for their generous time with us on Tuesday and for sharing their best advice and lessons learned. To listen to the full discussion, be sure to watch the recording above.

If you’re interested in understanding what’s involved in becoming compliant in a cloud environment — without getting caught up in the details and complexity, download a free copy of the Threat Stack Compliance Playbook for Cloud Infrastructure.

It’s designed to help you understand the business value of compliance — especially PCI DSS and HIPAA — and to see that it’s more than checking boxes to satisfy the regulators.