[This article was originally written by Kim Singletary.]
In the wise words of CloudPassage’s Senior Director of DevOps Andrew Storms “I believe everyone craves for a future when security events are automated with full transparency from beginning to end.” He’s been contributing to DevOps.com on building agile security assurance. Just think what would happen if we could get to this security state today? What it would mean for operations and compliance?
If you track back the origins of most IT compliance standards and regulations they have emerged as a way to drive and enforce specific behaviors. It’s a way industries help reduce risk aspects, hopefully driving an improved collective behavior for all.
- PCI DSS goals were to drive a single security standard for all of the major card brands making it easier for merchants to strive to a common level of security compliance. Cardholder compromise and the risks to the payment brands (Visa, MasterCard, etc.) were already identified when PCI DSS 1.0 was released on Dec. 15, 2004. Meanwhile the TJ Maxx compromise exposing 45.7 million records of cardholder data was revealed in early 2007.
- HIPAA Compliance is an on-going effort to make the public comfortable with digitizing their healthcare and medical records and the continued privacy of their information. In the transition from paper to digital represents opportunities to get faster access to health information and improve clinical outcomes for individuals and for communities. In Aug. 21, 1996 the standards for ensuring the privacy of individually identifiable health information were released, yet as of 2013 Redspin Breach Report the total number of protected health records exposed has been 29.3 million.
But the reality of these standards is that there is continued audits to ensure that these standards are being followed and a means to identify addition risks to address. It drives an audit ‘event’ where everyone must collect and defend the actions from the last audit to prove good security compliance.
These standards were in place well before ‘cloud’ was a common term. Many have concerns over the security of cloud environments. But software-defined security can actually improve the situation and help to drive toward Andrew’s vision of full transparency. Feel free to read Andrew’s submission at DevOps.com. With agile development anyone who interacts with a system from Dev or Ops makes decisions and choices that can affect security and they can also be given opportunities to automate and improve security. When the agile security tools are available, like Halo, deputizing everyone to think more about security and actually integrate it into the dynamic flows and processes of development and operations will mean one thing. That on the flip-side auditing can become less painful in the end, well at least for cloud environments.
In the coming next posts I’ll discuss more about security and compliance and highlight where cloud and Halo can provide a new renewed approach to securing cloud workloads.