Compliance in the Cloud - Effective Strategies to Ensure Success

Adam Kerns, Managing Principal, Commercial Services: Product Development, Coalfire

It's no secret that the principles, controls, and terminology associated with compliance can be a confusing alphabet soup that hinders an organization's ability to go to market and expand its customer base. The difficulties in meeting compliance objectives are not limited to organizations of a particular size or type. Most (if not all) organizations struggle to integrate compliance requirements into their existing workloads and systems.

Since joining Coalfire in 2016, I have worked with numerous SaaS-based organizations to achieve compliance within their existing products and systems. I discovered that organizations with the highest degree of success understand that the path to compliance must be deliberate and well-planned.

To do this, an organization must establish and empower an owner or champion who is responsible for reaching the targeted compliance objective (this may be a project management office (PMO), a center of excellence (COE), or a similar group). This group is also responsible for developing the strategic and tactical initiatives required to meet those objectives successfully. While this group performs many activities, the two that can have the most significant impacts on success are:

1. Develop a comprehensive strategy

  • Go all-in. Dipping your toe in the water does not work when it comes to compliance. A half-hearted attempt to start on a compliance project is the worst thing an organization can do as it can result in leadership losing buy-in, exceeding budgets, and potentially grinding the initiative to a halt altogether.
  • Create a 1-year, 3-year, and 5-year compliance strategy for your organization. Prioritize efforts based on input from your sales, marketing, and leadership teams. Doing so allows your organization to plan and design for compliance effectively.
    • Think strategically and act tactically - determine the future state of your organization's compliance needs and make decisions now that set you up for success later. Even if your organization's strategy is to achieve authorization/certification with only one compliance framework, it should have an iterative plan to lower costs and increase efficiencies for the activities and assets associated with that initiative.
  • Create a community within your development and product teams that promotes collaboration, knowledge sharing, and transparency.
    • Development and product teams can be your biggest champions, so consult with the technical resources who are most impacted by compliance initiatives early and often in your process.
    • Decisions should be collaborative - include perspectives from all stakeholders involved and/or the teams the decision may impact. I have experienced many cases where corporate leadership or a group within an organization makes a unilateral decision that stalls compliance initiatives.
    • Encourage technical resources to seek implementation strategies and technical designs that consolidate toolsets, minimize resource needs, and leverage automation to drive efficiencies.

2. Shift left with compliance in your DevOps approach

  • One of the most effective ways for organizations to manage compliance is through their CI/CD pipelines and DevOps processes. A Gartner report titled 3 Steps to Ensure Compliance and Audit Success with DevOps (October 2019) provides organizations with an iterative approach to integrating tactics that effectively address compliance considerations within their CI/CD pipelines.
  • Implement shared repositories to develop, constrain, track, and distribute pre-configured modules and code that consider compliance and security from the start.
  • Utilizing an automated architecture build that is certified against standard compliance and security frameworks allows organizations to unify their compliance initiatives and establish repeatable processes that significantly streamline current and future compliance efforts. The developed modules and code should leverage automation technology to demystify security and compliance requirements for technical staff. The objective is to minimize opportunities for user intervention or error.
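As an added illustration of what "shift left" looks like in a pipeline (example code written for this page, not Coalfire's ACE tooling or anything from the Gartner report), the following compliance-as-code gate evaluates a constructed, simplified resource inventory against a handful of policy rules and fails the build when any rule is violated. The resource shapes, rule names, and control labels such as ENC-1 and NET-1 are assumptions for illustration; they are not a real cloud provider's schema or a framework's control numbering.

```python
"""
Added example (not Coalfire's or the author's code): a minimal
compliance-as-code gate of the kind a CI/CD stage runs before a change
is approved. It evaluates a simplified, constructed resource inventory
(a stand-in for the output of an infrastructure-as-code plan) against a
small set of policy rules and returns findings for every violation.
Resource fields, rule ids and control labels are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Resource = Dict[str, Any]


@dataclass
class Rule:
    rule_id: str                        # hypothetical control label
    resource_type: str                  # which resource kind the rule applies to
    description: str
    check: Callable[[Resource], bool]   # returns True when the resource is compliant


@dataclass
class Finding:
    rule_id: str
    resource_name: str
    description: str


def _no_world_open_admin_ports(sg: Resource) -> bool:
    """A security group may not expose SSH (22) or RDP (3389) to every source address."""
    for ingress in sg.get("ingress", []):
        net = ipaddress.ip_network(ingress["cidr"], strict=False)
        if net.prefixlen == 0 and ingress["port"] in (22, 3389):
            return False
    return True


# The policy set. Each rule is small and testable, so product and
# development teams can own and extend it alongside the modules it governs.
RULES: List[Rule] = [
    Rule("ENC-1", "storage_bucket", "bucket must use server-side encryption",
         lambda r: r.get("encryption") is True),
    Rule("ACC-1", "storage_bucket", "bucket must not allow public access",
         lambda r: r.get("public_access") is False),
    Rule("ENC-2", "database", "database must encrypt data at rest",
         lambda r: r.get("encrypted_at_rest") is True),
    Rule("BCK-1", "database", "database must retain backups for at least 7 days",
         lambda r: r.get("backup_retention_days", 0) >= 7),
    Rule("NET-1", "security_group", "no admin ports open to 0.0.0.0/0 or ::/0",
         _no_world_open_admin_ports),
]


def evaluate(resources: List[Resource], rules: List[Rule] = RULES) -> List[Finding]:
    """Apply every rule to every resource of the matching type; collect violations."""
    findings: List[Finding] = []
    for res in resources:
        for rule in rules:
            if rule.resource_type == res["type"] and not rule.check(res):
                findings.append(Finding(rule.rule_id, res["name"], rule.description))
    return findings


def gate(resources: List[Resource], rules: List[Rule] = RULES) -> bool:
    """Return True when the change may proceed, i.e. there are no findings."""
    return not evaluate(resources, rules)


# Constructed sample inventory: two compliant resources and two that violate
# three rules between them (labelled constructed; not from any real environment).
SAMPLE_INVENTORY: List[Resource] = [
    {"type": "storage_bucket", "name": "app-assets", "encryption": True, "public_access": False},
    {"type": "storage_bucket", "name": "legacy-exports", "encryption": False, "public_access": True},
    {"type": "database", "name": "orders-db", "encrypted_at_rest": True, "backup_retention_days": 14},
    {"type": "database", "name": "scratch-db", "encrypted_at_rest": True, "backup_retention_days": 1},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
]

if __name__ == "__main__":
    import sys
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"FAIL {f.rule_id} {f.resource_name}: {f.description}")
    # A non-zero exit code is what makes the pipeline stage fail.
    sys.exit(0 if gate(SAMPLE_INVENTORY) else 1)
```

Run as a pipeline step, the script prints one line per finding and exits non-zero when the gate is closed, which is what stops the deployment. Keeping the rules in the same shared repository as the pre-configured modules means a change to a module and the check that constrains it are reviewed together.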

Coalfire can help - check out how Accelerated Cloud Engineering (ACE) services support clients achieving audit-readiness in less than six (6) months.
