What is automated compliance?


This post was originally published here by Cliff Turner.

Working in cyber security we’re all familiar with the need for IT compliance and know that organizations processing sensitive information (e.g. hospitals, banks) must adhere to a set of rules, standards, and processes protecting customer and user information. However, as IT application development and deployment environments have changed dramatically over the last decade, the way compliance policies are implemented varies greatly depending on the computing platform – physical servers, private cloud, public cloud or containers. The term “trust but verify” comes to mind. Organizations need to continually verify that they are within compliance and then trust that the system they have in place is working and catching any potential weaknesses. But often the constant compliance scans can become overwhelming, especially in siloed organizations where the sheer quantity of system controls can feel beyond a team’s reach.

If an organization hasn’t had to feel the painful sting of compliance fines (or worse – a breach), teams can often fall back on spot checks, hoping this will be enough to catch a problem before it bubbles to the surface.

Given the rates of change associated with today’s dynamic IT environments, manual controls are almost impossible to implement in a timely and effective way. Clearly another, more automated method to test, verify, and report on compliance controls is required.

Thankfully there is a better way, and you can begin by asking the following:

What if the compliance checks were implemented automatically?

What if every workload and application was checked every day for compliance?

What if every workload out of compliance generated a remediation notice to the correct team?

What if the workload was automatically remediated?

Automating compliance from the start removes the guesswork, spot checks, and the age-old rush to gather your data before your compliance audit.

So let’s imagine that all systems were continually checked for compliance. No manual effort, no spot checks, no scheduled scan windows. Instead you’re checking on your compliance status from a single dashboard, in one global view. That’s the beauty of automated compliance. And to be honest, that’s the only way a business can truly protect their customers, and themselves.
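To make the “what if” questions above concrete, here is a small compliance-as-code runner written as an added example for this post; it is not CloudPassage or Halo code. It assumes workloads are represented as dictionaries of collected facts (config file contents, accounts, firewall state, vulnerable-package inventory) and that each workload records the team that owns it. Every control, workload, team name and package name below is a constructed sample. The runner evaluates every workload against every control on each run, auto-remediates where a fix is defined and re-checks that the fix actually worked, routes the remaining findings to the owning team, and produces the single global status view the post describes.

```python
"""Compliance-as-code runner: continuous checks, routed notices, auto-remediation.

Added example, not part of the original post and not the Halo product's code.
All workloads, controls and values are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed approved baseline for sshd_config; its hash is the FIM reference value.
BASELINE_SSHD = b"PermitRootLogin no\nPasswordAuthentication no\n"
EXPECTED_SSHD_SHA256 = hashlib.sha256(BASELINE_SSHD).hexdigest()


@dataclass
class Control:
    control_id: str
    description: str
    check: Callable[[dict], bool]                    # True when the workload is compliant
    remediate: Optional[Callable[[dict], None]] = None  # optional automatic fix


@dataclass
class Finding:
    workload: str
    control_id: str
    team: str          # owning team the notice is routed to
    remediated: bool   # True if the auto-fix ran and the re-check passed


def sshd_setting(w: dict, key: str) -> Optional[str]:
    """Parse a 'Key value' line out of the collected sshd_config bytes."""
    for line in w["files"]["/etc/ssh/sshd_config"].decode().splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == key:
            return parts[1]
    return None


def fix_sshd(w: dict) -> None:
    w["files"]["/etc/ssh/sshd_config"] = BASELINE_SSHD


def fix_firewall(w: dict) -> None:
    w["firewall"]["inbound_default"] = "deny"


# One constructed control per policy category named in the post.
CONTROLS = [
    Control("CFG-01", "SSH root login disabled",
            lambda w: sshd_setting(w, "PermitRootLogin") == "no", fix_sshd),
    Control("FIM-01", "sshd_config matches the approved baseline",
            lambda w: hashlib.sha256(w["files"]["/etc/ssh/sshd_config"]).hexdigest()
            == EXPECTED_SSHD_SHA256),
    Control("ACC-01", "No accounts with empty passwords",
            lambda w: not any(a["empty_password"] for a in w["accounts"])),
    Control("FW-01", "Firewall defaults to deny inbound",
            lambda w: w["firewall"].get("inbound_default") == "deny", fix_firewall),
    Control("VULN-01", "No installed packages with critical vulnerabilities",
            lambda w: not w["inventory"]["packages_with_critical_vulns"]),
]


def sample_workloads() -> list:
    """Fresh constructed workload facts (a new copy each call, since fixes mutate them)."""
    return [
        {"name": "web-01", "owner_team": "web-platform",
         "files": {"/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n"},
         "accounts": [{"user": "deploy", "empty_password": False}],
         "firewall": {"inbound_default": "deny"},
         "inventory": {"packages_with_critical_vulns": []}},
        {"name": "db-01", "owner_team": "data-platform",
         "files": {"/etc/ssh/sshd_config": BASELINE_SSHD},
         "accounts": [{"user": "report", "empty_password": True}],
         "firewall": {"inbound_default": "allow"},
         "inventory": {"packages_with_critical_vulns": ["libexample-1.0"]}},
        {"name": "bastion-01", "owner_team": "web-platform",
         "files": {"/etc/ssh/sshd_config": BASELINE_SSHD},
         "accounts": [{"user": "ops", "empty_password": False}],
         "firewall": {"inbound_default": "deny"},
         "inventory": {"packages_with_critical_vulns": []}},
    ]


def run_compliance(workloads: list, controls: list, auto_remediate: bool = True) -> list:
    """Check every workload against every control; fix what can be fixed and verify the fix."""
    findings = []
    for w in workloads:
        for c in controls:
            if c.check(w):
                continue
            fixed = False
            if auto_remediate and c.remediate is not None:
                c.remediate(w)
                fixed = c.check(w)  # never trust the fix blindly: re-run the check
            findings.append(Finding(w["name"], c.control_id, w["owner_team"], fixed))
    return findings


def route_notices(findings: list) -> dict:
    """One remediation notice per owning team, listing only findings still open."""
    notices: dict = {}
    for f in findings:
        if not f.remediated:
            notices.setdefault(f.team, []).append(f"{f.workload}: {f.control_id}")
    return notices


def dashboard(workloads: list, findings: list) -> dict:
    """Single global view: each workload is compliant unless it has an open finding."""
    open_workloads = {f.workload for f in findings if not f.remediated}
    return {w["name"]: ("non-compliant" if w["name"] in open_workloads else "compliant")
            for w in workloads}


if __name__ == "__main__":
    ws = sample_workloads()
    fs = run_compliance(ws, CONTROLS)
    for f in fs:
        print(f)
    print(route_notices(fs))
    print(dashboard(ws, fs))
```

Run as a daily job, the same code gives the continuous check the post asks for: each run re-evaluates every workload, and a drift that the runner cannot fix on its own shows up as a notice to exactly one team rather than in an audit six months later. Note that control order matters once remediation is enabled: rewriting sshd_config for CFG-01 also brings the file-integrity control FIM-01 back into line before it is checked, which is why FIM-01 appears as a finding only when auto-remediation is off.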

These are the new industry best practices. Here at CloudPassage, we use Halo, our automated cloud workload security platform to monitor our own compliance.

To monitor compliance with Halo we follow these three simple steps:

  1. Copy the pre-built security policies to your account (configuration, vulnerability, file integrity, account audit, hardware and software inventory, firewall)
  2. Install the Halo agent
  3. Collect compliance data

It’s that easy.

Halo checks all of our boxes. It works in every cloud environment (public & private) as well as on physical servers and VMs. Halo can integrate with any GRC or compliance dashboard, making the compliance process second nature. That’s how compliance should be; it should bring to mind the image of a security blanket that envelops your organization, not an image of the frustrated auditor asking about a six-month-old issue you’re just now trying to fix.
