Cloud computing has become ubiquitous, but securing cloud infrastructure can be challenging. Many organisations struggle to maintain compliance in the cloud across regulations and standards such as HIPAA and ISO 27001. Automated software tools can help enforce compliance rules and secure cloud environments.
If you’ve been a CTO or technical leader then you’ll know firsthand the complexities of securing infrastructure in the cloud. Although platforms like AWS, Azure and GCP offer scale and flexibility, they also introduce new challenges around compliance and governance. How do you ensure your organisation is meeting regulatory standards like SOC2, HIPAA, or PCI DSS?
This is especially an issue for SaaS providers: your customer is entrusting you with part of their security. When your customer is a business, that trust matters.
How do you enforce consistent security policies across an estate and maintain visibility into the compliance posture of your cloud infrastructure? Relying solely on manual processes and checklists can lead to gaps in coverage. Your cloud configurations are constantly changing, your teams are juggling multiple priorities, and you lack a single source of truth for compliance.
But there is good news: there’s tooling to help monitor or enforce compliance continuously in the cloud. Rather than relying on periodic audits, up-to-date solutions provide real-time visibility through policy enforcement, configuration monitoring and advanced analytics.
Common risk areas
In our experience, SaaS cloud platforms on AWS generally carry risk in four areas:
- Insecure credentials, especially when not combined with multi-factor authentication
- Roles and permissions that have a far wider scope than is necessary
- Infrastructure resources that are out of line with good practice or with company policy
- (AWS) account structures that are not configured to keep auditable data secure and inviolate
We can - and do - support customers with mitigating these and many other kinds of risks.
For example, we offer a security review that will highlight areas of concern and help you prioritise your remediation roadmap. We can also design and implement an AWS Landing Zone configuration (using AWS Control Tower, AWS Config and AWS GuardDuty) that will provide a security and compliance baseline for your accounts, organisation-wide compliance rules and almost instant notification of infrastructure resources that do not correspond to policy.
If you’re looking to get certified against a standard such as ISO 27001, I really recommend looking at the market for tooling early on.
You might be able to do an initial risk assessment or gap analysis using only Google Sheets or Microsoft Excel, but we’re pretty sure you’ll outgrow it. Computers are great at automating and integrating, and software that’s specifically designed to help you achieve and then stay compliant is available on the market - and as a service.
So, what’s in it for your firm?
Once you have the right solution in place, your teams can codify compliance rules as executable policies that are automatically used to check your cloud infrastructure. You gain the ability to detect issues in real time, while standardising controls and becoming ready for audit reports to be produced on demand.
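As an added illustration (not code from this article or from The Scale Factory), here are the four risk areas listed above expressed as executable policy checks in Python, run over a constructed account snapshot; the snapshot shape, the rule names and the 90-day key rotation limit are assumptions.

```python
# Added example (not from the article): the four AWS risk areas above written as
# executable checks. SNAPSHOT is constructed data in a hypothetical shape, not an
# AWS API response; a real run would build it from the IAM credential report,
# IAM policy documents, S3 and CloudTrail (e.g. via boto3).
MAX_KEY_AGE_DAYS = 90  # assumed organisational limit for access-key rotation

SNAPSHOT = {
    "users": [{"name": "alice", "mfa": True, "key_age_days": 30},
              {"name": "bob", "mfa": False, "key_age_days": 200}],
    "roles": [{"name": "deploy", "actions": ["s3:PutObject", "ecs:UpdateService"]},
              {"name": "ops", "actions": ["*"]}],
    "buckets": [{"name": "app-data", "public": False, "encrypted": True},
                {"name": "exports", "public": True, "encrypted": False}],
    "cloudtrail": {"multi_region": True, "log_validation": False},
}

def check_credentials(users):
    """Risk area 1: users without MFA, or access keys past the rotation limit."""
    findings = []
    for u in users:
        if not u["mfa"]:
            findings.append(("iam-user-mfa", u["name"]))
        if u["key_age_days"] > MAX_KEY_AGE_DAYS:
            findings.append(("iam-key-rotation", u["name"]))
    return findings

def check_roles(roles):
    """Risk area 2: roles whose policy grants a wildcard action ('*' or 'svc:*')."""
    return [("iam-wildcard-action", r["name"]) for r in roles
            if any(a == "*" or a.endswith(":*") for a in r["actions"])]

def check_resources(buckets):
    """Risk area 3: resources outside good practice (public or unencrypted)."""
    findings = [("s3-public-access", b["name"]) for b in buckets if b["public"]]
    findings += [("s3-default-encryption", b["name"]) for b in buckets if not b["encrypted"]]
    return findings

def check_audit_trail(trail):
    """Risk area 4: the audit trail must cover every region and be tamper-evident."""
    findings = []
    if not trail["multi_region"]:
        findings.append(("cloudtrail-multi-region", "account"))
    if not trail["log_validation"]:
        findings.append(("cloudtrail-log-validation", "account"))
    return findings

def evaluate(snapshot):
    """Run every rule over one snapshot; an empty list means compliant."""
    return (check_credentials(snapshot["users"]) + check_roles(snapshot["roles"])
            + check_resources(snapshot["buckets"]) + check_audit_trail(snapshot["cloudtrail"]))
```

Each finding is a (rule, resource) pair, which is the shape you would forward to a ticketing system or a Security Hub-style dashboard rather than a spreadsheet.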
In today’s complex cloud environments, automation is no longer just a nice-to-have. By implementing the latest compliance automation tools you can reduce your regulatory risk, prevent policy violations, and help your team focus on higher-value initiatives rather than repetitive compliance tasks.
Maybe it’s obvious, but staying in compliance all the time makes scheduled audits easy too: you were compliant at the last review, you’ve stayed compliant since then and have evidence for that. You’re still compliant.
While manual governance is better than nothing, modern cloud environments require automation to achieve efficient, consistent, and proactive compliance oversight. The risks and inefficiencies of manual cloud governance simply become too great. Time you save through that automation can be directed at improving actual security versus performing repetitive policy tasks.
Organisations that embrace cloud compliance automation tools can reap many benefits compared to those relying on manual governance processes. Here are some specifics:
You want immediate alerts on security findings or policy violations. Manual checks aren’t just more work, the feedback cycle is longer and the impact can potentially be that much bigger.
Policy guardrails can be applied automatically, providing continuous compliance monitoring versus the burden of undertaking periodic audits. Issues are identified in real-time rather than after damage has been done.
Prevention over detection
A pattern we often see is pairing up preventive controls with detective guardrails that alert when a required control isn’t in place. You need automation to make that worthwhile, but once you have it, it pays off by cutting out rework and remediation. Although it’s frustrating for developers when a policy blocks someone from making a change, you get to miss out on all the repercussions from that change going through and contributing to an incident.
Even if full prevention isn’t feasible, add-on tooling can instantly roll back unsafe changes.
At a large SaaS business, standardisation matters. You might even have a central security function that wants insights into different products, value streams or business units. Adopting common tooling helps you codify and enforce standardised controls across contexts.
Manual controls lack consistency, and that adds to the effort on both sides for security reviews - both external and internal.
As well as reducing errors and notifying you about violations, you can see a picture of compliance. This is really helpful when you’re tracking a long term backlog of risk treatments and want to see what that means for your information assets, including those in the cloud.
Dashboards provide real-time insights into the compliance state across cloud environments rather than just point-in-time snapshots. You can use these to show to your colleagues - or your auditors - that you’ve got a clear picture of the risks you’re accepting right now. The same information also makes it much easier to prioritise your backlog.
On-demand reports let you demonstrate compliance to auditors, instead of scrambling to achieve compliance before regular audits.
When you do your risk assessment for ISO 27000 or a similar framework, you’ll almost certainly have picked out risks around the equipment your colleagues actually use. Device compliance is a critical part of overall cloud governance that is often overlooked.
You’ll get the most value out of automation and tooling if you use different treatments for physical equipment compared to cloud infrastructure.
For cloud infrastructure: build upon the tooling you already get from the infrastructure service provider. The more cloud-native an approach you take, the easier it is to tell a good story about compliance. All the good SaaS tooling options have cloud provider integrations and that’s a big part of their value proposition.
For actual hardware: you typically assign a device to a specific person, you want it wiped when they stop using it, and you want it returned. Your organisation can be exposed to risk by unmanaged or non-compliant devices that are used to access cloud environments. Even if you deploy through CI/CD automation, this only shifts the risk: the device you use to access the automation needs protection as well.
On the other hand, you need to strike a balance. Lock things down too much and people can’t do their jobs well, or they spend too much time on getting valid changes manually approved.
Device management tooling can strengthen cloud governance in a few key ways:
You can create and enforce consistent device compliance policies across cloud, staff PC, mobile and even on-premise computing.
Once robust device compliance automation is in place, organisations can trust that the endpoints accessing cloud environments meet security standards. This closes a major potential blind spot in cloud governance and reduces overall risk.
Enforcing a baseline
Tools can check devices for required security controls like encryption, patching, anti-malware, etc. Leading solutions integrate with cloud platforms to restrict access based on a device’s security posture. Unsafe devices can even be programmatically blocked from logging into a cloud account, or from reaching the most sensitive parts of your cloud estate.
If your customers are asking for compliance against a framework that thinks in terms of devices and inventories, unified tooling lets you deliver that with a signup and some setup. You probably won’t need to write any code or define an inventory process: it will just work.
Remediate issues by pushing required configurations and security policies to endpoints that are out of compliance. This is best done for your PCs and for any on-premises systems you operate. For the cloud, there are other approaches that are built upon the idea of safely replacing systems when there’s a need, rather than fixing them in place.
Tools can provide users with detailed remediation instructions tailored to the specific misconfiguration that occurred to guide the process. This is a good fit for tech-savvy team members and for novices alike: the guidance is there if you’d like it, but if you know better, you can take your own steps to address the issue.
We have this set up at The Scale Factory and I think it strikes a great balance: we trust our consultants to know how to secure a laptop, and we verify this automatically to avoid pointless manual effort.
When manual remediation is required, tools can assign remediation tasks to specific users/teams and track them to completion. This helps coordinate remediation.
The kind of SaaS tooling we typically recommend to our customers provides more than the basics:
The same tool that enforces your policy can support how you collaborate on defining it and publishing it. Chat, annotation, and documentation features allow teams to work together on remediation and maintain notes on issues.
Tools can validate when a remediation step is complete and policy compliant. Users can mark tasks as resolved, or can return work for review.
Dashboards aren’t just for infrastructure. You get easy visibility into open/closed remediation tasks across the cloud environment and where attention is needed.
Emails and other alerts on remediation tasks that are open keep teams focused on closing gaps in a timely manner.
Workflows and triggers
Remediation can trigger approvals, change management workflows, or further automation via APIs. You can extend where you need to without needing to build or operate the core service.
With robust remediation features, organisations can promptly respond to compliance violations or security policy breaches and benefit from automation. This also provides assurance that tasks are completed.
Key vendors to consider
The TL;DR: here’s who you should check out.
Vanta provide SaaS to define and manage information security policies. There’s a built-in AWS integration, a (light) AI automation to help you fill in vendors’ questionnaires, and there’s even tooling to handle the other side where you’re assessing your own suppliers (most security frameworks expect you to do this).
You can produce trust reports for your public website or on-demand for customers and qualified sales leads.
Not only that, but we can help you integrate Vanta into your AWS estate and your cloud compliance project.
If you want to show that you’re already compliant, and you don’t want a solution to help manage that compliance process, check out SafeBase. This has the tooling for NDAs, trust reports, and for integration with your sales teams.
It’s great for what it does. What you miss is the actual journey to compliance.
If you use Slack, Kolide turns endpoint compliance into a conversation. You put an agent on your PC (and the Slack bot helps streamline that), and if all is well that’s the last you hear. If your device needs a security update or you’ve not turned on a control, Kolide can either make that happen or have a Slack conversation with the person the device is assigned to. As a business, you get to pick the approach that is right for you.
AWS Security Hub
Your AWS account comes with a compliance dashboard called Security Hub (you need to enable it, but that’s only one click away).
You can set up integrations for Security Hub to pull in data from Amazon GuardDuty, from Control Tower (the core of our SaaS Foundations product), from Amazon Inspector v2, and more. It’s a low cost option too; a typical bill for Security Hub is in the tens of dollars a month.
What you might not like is the “you can set up” part: it’s not done for you. AWS gives you a great toolkit of managed services that you can build into a compliance reporting and management system. There’s even an AWS Audit Manager that can capture automatic and manual evidence once you’ve achieved compliance.
Incident response automation is definitely not included out of the box, but it’s a big part of the value you can get. You can take this as far as you want, even to tooling that responds to reports of compromise by isolating the affected infrastructure and setting up a cloud forensics lab ready for use.
We like Security Hub for specific cases, but actually for a lot of SaaS businesses it’s not the first step. Ahead of using Security Hub, you’ll want to define the key risks to information security, show that you’re addressing them, and get a nice certificate to prove that to your customers.
If you have already started your compliance journey and are happy with existing tooling, but want a cloud dashboard that reports on incidents, security events and policy violations - this might be for you (and we can help show you how).
This blog is written exclusively by The Scale Factory team. We do not accept external contributions.