By: Scott Schwan
Not so long ago, CIOs might have struggled to persuade CEOs to move to the cloud. Not anymore.
Thomas Siebel, the founder of Siebel Systems, has observed a major shift in the way CEOs approach technology. Previously the CEO would have been only peripherally involved with IT decisions. “What I’m seeing now,” he writes, “is that, almost invariably, global corporate transformations are initiated and propelled by the CEO.”
He doesn’t think CEOs have suddenly developed a keen interest in software-defined networks and AI at the edge. Rather, they’ve taken to heart warnings like the one outgoing Cisco CEO John Chambers issued at the company’s annual user conference. In comments widely reported at the time and often repeated since, he predicted that 40% of businesses would fail over the next 10 years, and that the survivors would be companies that embraced technologies like big data, mobile devices and most of all, the cloud. CEOs have embraced Chambers’s message and others like it, and adopted a new call to action: “Go digital or die.”
With a mandate from the top, enterprises are all-in on the cloud. For the business, it’s a revolution. But for security and compliance professionals, it’s something a bit different: a necessary step, to be sure, but also the biggest challenge of their careers.
Facebook famously advised its employees to “move fast and break things.” That might be fine for engineers, but the job of security and compliance professionals is to ensure that best practices are followed, and things don’t break. The cloud makes that vastly more difficult.
Part of it is the sheer number of different cloud services and settings to audit. Decades ago, when client-server deployments first arrived on the scene, compliance pros suddenly had to account for a profusion of new endpoints. Anything that could connect to the server—and the very mechanisms for connecting—needed vetting. Later, in the era of server virtualization, every blade in the data center could house several virtual machines. A decent-size business might now have to worry about compliance not just across hundreds of servers, but thousands of virtual devices.
As hard as that was, it doesn’t come close to the difficulty of managing compliance and security in the cloud. The promise of the cloud is infinite scale. Run anything you want, any time you want, for however long you want, and in any quantity you want. In the cloud, auditable processes run not in the hundreds, but in the hundreds of thousands and millions. When developers want to prototype a product, they don’t requisition a server (which at least leaves a clear paper trail). They just create a virtual machine, almost invisible to the compliance team. With Docker and Kubernetes, they can spin up applications ad infinitum, knock them into containers and move them between regions and clouds at a whim. To complicate things further, the popularity of containers has encouraged developers to design applications as microservices, discrete bits of code that can run independently of one another, even on servers on opposite sides of the world.
So now businesses have a vast capacity to spin up applications that can be shipped and operated almost anywhere. Meanwhile, their developers are breaking traditional applications into tiny units and hosting them on a platform (the cloud) that obscures location and positively encourages them to move applications and data from region to region—whatever is most efficient.
It’s no wonder security and compliance professionals are struggling to keep up, and finding that decades-old best practices don’t apply anymore.
Consider the network diagram. In the past, when engineers sketched out a network’s footprint, the compliance team could expect it to remain reasonably stable. Not anymore. Now that teams are building with containers and infrastructure-as-code, network diagrams quickly go stale. Simply describing a network in a way others can understand has become an enormous challenge. That’s not to mention the challenge of keeping evidence up to date when teams are constantly changing security groups, access control lists, and all the other things that go into a cloud environment.
The burden of the cloud doesn’t just fall on the compliance team, either. Much of it lands on IT and the engineers. They’re the ones who have to gather evidence for the compliance team. While the compliance professionals try to wrangle an ever-expanding cloud footprint, the engineers struggle to pull data from their multitude of loosely documented systems.
It isn’t a sustainable way to do things, and it can’t be solved by brute force or by designing more efficient workflows. The cloud doesn’t operate at human scale.
The only realistic way to do compliance in the cloud is through automation. The creaky assemblage of tools compliance professionals have relied on until now—homegrown scripts, SFTP, shared Google documents, spreadsheets, and email—simply isn’t up to the job. There’s too much to manage, in too many places. There’s no time to do things by hand.
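As an added illustration of the automated evidence collection the two passages above call for (this is example code, not the author's or AuditX's), the script below diffs a constructed security-group snapshot against a stored baseline, hashes and timestamps the result as an evidence record, and flags any newly added rule that is open to the whole internet. The snapshot shape, group names and rules are assumptions made up for the example, not a real cloud API export.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample snapshots: group name -> list of (protocol, port, source CIDR).
# Hypothetical shape; a real collector would populate these from the cloud provider's API.
BASELINE = {
    "sg-web": [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")],
    "sg-db": [("tcp", 5432, "10.0.1.0/24")],
}
CURRENT = {
    "sg-web": [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "0.0.0.0/0")],  # SSH widened to anywhere
    "sg-db": [("tcp", 5432, "10.0.1.0/24"), ("tcp", 3306, "10.0.1.0/24")],
    "sg-tmp": [("tcp", 8080, "0.0.0.0/0")],  # new group nobody told compliance about
}

ANYWHERE = {"0.0.0.0/0", "::/0"}


def diff_rules(baseline, current):
    """Return (added, removed) as sets of (group, proto, port, cidr) tuples."""
    def flat(snapshot):
        return {(group, *rule) for group, rules in snapshot.items() for rule in rules}
    old, new = flat(baseline), flat(current)
    return new - old, old - new


def open_to_internet(rules):
    """Rules whose source is the entire internet; each needs a documented exception."""
    return {rule for rule in rules if rule[3] in ANYWHERE}


def evidence_record(baseline, current, collected_at=None):
    """Build a timestamped, hash-anchored record of what changed since the baseline."""
    added, removed = diff_rules(baseline, current)
    snapshot_bytes = json.dumps(current, sort_keys=True).encode()
    when = collected_at or datetime.now(timezone.utc)
    return {
        "collected_at": when.isoformat(),
        "snapshot_sha256": hashlib.sha256(snapshot_bytes).hexdigest(),
        "added": sorted(added),
        "removed": sorted(removed),
        "new_internet_exposure": sorted(open_to_internet(added)),
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record(BASELINE, CURRENT), indent=2))
```

Run on a schedule and stored with the hash, each record doubles as both drift detection and the audit trail the compliance team would otherwise reconstruct by hand.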
That’s why we designed AuditX from the ground up with automation and the cloud in mind. We realized that it’s not enough for a cloud compliance solution to run in the cloud. It had to tackle the unique challenges of cloud compliance and operate seamlessly in today’s hybrid and multi-cloud environments. Everything from evidence collection to reporting to documentation and project planning had to function with as little human intervention as possible.
At a time when even hard-nosed executives are charging into the cloud, it’s the job of compliance professionals to keep the business grounded and secure. It’s not an easy job, but that’s what makes it so important. Compliance and security pros know their company’s weak points better than anyone. But they can’t “walk the walls” anymore, inspecting every defense and ensuring every locked door is properly administered. They need tools like AuditX, purpose-built and automated for cloud compliance, giving them the power to find those weak points and shore them up, even in an environment where the walls stretch to the horizon, the doors multiply to infinity and nothing stays the same from day to day.