Compliance – com·pli·ance
/kəmˈplīəns/ – “The state or fact of according with or meeting rules or standards.”
In today’s environment, it is hard to escape compliance. Regulated industries like government, healthcare, and financial services have lived with it for years. Compliance may also be regional in scope, as with the EU’s General Data Protection Regulation (GDPR). Other organizations use these standards as a benchmark against which to measure their own posture and configuration. Whatever the drivers may be, an organization’s ability to measure and report against these frameworks can require significant investments in time, human capital, and expertise. In addition, adherence to these standards allows or blocks the ability to conduct operations within market segments, and so has a direct revenue impact. Finally, for organizations already operating under a compliance requirement, the penalties for non-conformance can be substantial, exposing the enterprise to legal or other penalties.
Compliance teams sometimes sit at the intersection of the legal, security, and IT departments. Often, they do not have direct access to the IT infrastructure they have to evaluate. They may need to open tickets with central IT, obtain reports, and then work through the many and varied controls within the compliance frameworks relevant to the enterprise. This process creates dependencies between teams, and with them constraints and potential prioritization conflicts. For example, an already small central IT team may have a large and urgent upgrade project to complete, yet it also has to balance the request from compliance to query and deliver the information needed for a mandatory quarterly audit. These resource choke points can create delays, organizational stress, and interdepartmental conflict.
Enter the world of public cloud. In this series, we have discussed themes of the public cloud such as velocity, scale, and elasticity, and we have seen how these benefits also create challenges for multiple groups within the organization. One of the teams affected by this transition is the risk management or compliance team. Measuring a relatively static traditional IT environment against regulations can already take hours or days. Factor in the highly dynamic public cloud, with its idiosyncrasies, ephemeral environments, complex IAM, and dynamic networking and storage constructs, and compliance teams certainly have their work cut out for them.
Cloud Native Application Protection Platforms (CNAPPs) typically expose data sets that are automatically mapped to industry standards such as CIS, SOC, NIST, and others. The same solution can thus be extended to the compliance and risk management team for the same investment, lowering costs and overhead for the enterprise as a whole. The key is ease of use, together with the ability to update and report on demand even in highly dynamic environments. To do this, the solution must support:
- Compliance-focused roles within the platform that allow members to create, manage, and run reports against public cloud infrastructure without central IT intervention, reducing organizational friction.
- Mapping of findings to the native control(s) of each framework being tracked. Preferably, this mapping is pre-built and maintained by the tool’s provider.
- Exclusion of portions of the cloud estate from specific compliance evaluations (e.g., evaluate production against NIST controls while ignoring resources tagged “development”).
- Continuous reporting and alerting on newly deployed asset(s) that violate compliance, without having to manually run a new query.
- Customization: the ability to create organization-specific benchmarks, and to ignore or resolve findings that are not applicable or that are being ignored for a legitimate, agreed-upon reason.
- Specific remediation guidance delivered to responsible service owners in formats native to their tools and workflows.
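To make the requirements above concrete, here is a small Python evaluator added as an illustration; it is not code from this post or from Zscaler Posture Control. It scopes the estate by tag, records accepted exceptions with their reason, groups failures under each framework's control IDs, and diffs two inventory snapshots to surface only the newly deployed violators that a continuous evaluation would alert on. The inventory, the checks and the control IDs (`CIS-EXAMPLE`, `NIST-EXAMPLE`) are constructed placeholders, not real CIS or NIST control numbers.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Check:
    check_id: str
    resource_types: tuple            # resource types the check applies to
    passes: Callable[[dict], bool]   # True when the resource is compliant
    controls: dict                   # framework name -> control ID satisfied
    remediation: str                 # guidance handed to the service owner


@dataclass(frozen=True)
class Finding:
    resource_id: str
    check_id: str
    status: str                      # "pass", "fail", "excluded" or "accepted"
    controls: tuple                  # ((framework, control_id), ...) for grouping
    reason: str = ""                 # remediation text, exclusion or acceptance reason


# Constructed checks. Control IDs below are placeholders, not real CIS/NIST numbers.
CHECKS = [
    Check("no-public-access", ("storage", "database"), lambda r: not r["public"],
          {"CIS-EXAMPLE": "1.1", "NIST-EXAMPLE": "AC-EX-1"},
          "Disable public network access on the resource."),
    Check("encryption-at-rest", ("storage", "database"), lambda r: r["encrypted"],
          {"CIS-EXAMPLE": "1.2", "NIST-EXAMPLE": "SC-EX-1"},
          "Enable encryption at rest with a managed key."),
]

# Constructed inventory snapshot at time T0.
INVENTORY_T0 = [
    {"id": "bucket-prod-logs", "type": "storage", "tags": {"env": "production"}, "public": False, "encrypted": True},
    {"id": "bucket-prod-web", "type": "storage", "tags": {"env": "production"}, "public": True, "encrypted": True},
    {"id": "bucket-dev-scratch", "type": "storage", "tags": {"env": "development"}, "public": True, "encrypted": False},
    {"id": "db-prod-orders", "type": "database", "tags": {"env": "production"}, "public": False, "encrypted": False},
]
# Snapshot at T1: one newly deployed, publicly reachable database.
INVENTORY_T1 = INVENTORY_T0 + [
    {"id": "db-prod-analytics", "type": "database", "tags": {"env": "production"}, "public": True, "encrypted": True},
]

# Scoping: resources carrying any of these tag values are excluded from evaluation.
EXCLUDE_TAGS = {"env": {"development"}}
# Agreed exceptions: (resource_id, check_id) -> documented reason.
ACCEPTED = {("bucket-prod-web", "no-public-access"): "Public website content; approved exception."}


def evaluate(inventory, checks, exclude_tags=None, accepted=None):
    """Run every applicable check against every resource and return Findings."""
    exclude_tags = exclude_tags or {}
    accepted = accepted or {}
    findings = []
    for res in inventory:
        excluded = any(res["tags"].get(k) in vals for k, vals in exclude_tags.items())
        for chk in checks:
            if res["type"] not in chk.resource_types:
                continue
            controls = tuple(sorted(chk.controls.items()))
            key = (res["id"], chk.check_id)
            if excluded:
                findings.append(Finding(*key, "excluded", controls, "tag exclusion"))
            elif chk.passes(res):
                findings.append(Finding(*key, "pass", controls))
            elif key in accepted:
                findings.append(Finding(*key, "accepted", controls, accepted[key]))
            else:
                findings.append(Finding(*key, "fail", controls, chk.remediation))
    return findings


def report_by_control(findings, framework):
    """Group failing resource IDs under the given framework's control IDs."""
    report = {}
    for f in findings:
        if f.status != "fail":
            continue
        for fw, ctrl in f.controls:
            if fw == framework:
                report.setdefault(ctrl, []).append(f.resource_id)
    return report


def new_failures(previous, current):
    """Failures in `current` not already failing in `previous`: the alerts a
    continuous evaluation raises after a deployment, without a manual re-query."""
    seen = {(f.resource_id, f.check_id) for f in previous if f.status == "fail"}
    return [f for f in current if f.status == "fail" and (f.resource_id, f.check_id) not in seen]


if __name__ == "__main__":
    before = evaluate(INVENTORY_T0, CHECKS, EXCLUDE_TAGS, ACCEPTED)
    after = evaluate(INVENTORY_T1, CHECKS, EXCLUDE_TAGS, ACCEPTED)
    print("CIS-EXAMPLE failures at T0:", report_by_control(before, "CIS-EXAMPLE"))
    for f in new_failures(before, after):
        print(f"ALERT new violation: {f.resource_id} failed {f.check_id}: {f.reason}")
```

The status field deliberately keeps excluded and accepted findings in the output rather than dropping them, so an auditor can see what was scoped out and why; the diff in `new_failures` is what turns a point-in-time report into the continuous alerting the list calls for.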
Putting Information into a Compliance Context
Zscaler Posture Control extends traditional configuration data, along with identity and entitlement data, to the risk management and compliance teams. Putting this data in a compliance context within a unified platform reduces the time required to audit and report on public cloud infrastructure while eliminating the need for a separate compliance-focused toolset. Shorter audit preparation, combined with automatic reporting on newly deployed assets, allows risk management teams to operate at the speed of the cloud, independently of traditional central IT or a cloud operations team.
Please check out the other parts of this series, in which we examine the requirements of other teams within a public cloud enterprise. We will continue to examine how Zscaler is designing platforms from the ground up to address those requirements while reducing the manual stitching together of individual point solutions, lowering costs for customers and delivering critical insights in an ever more complex multi-cloud world.
See the power of Zscaler Posture Control with our free cloud security risk assessment.