Compliance audits are usually a scramble. Your systems engineers spend weeks pulling together logs and documenting processes, taking time away from important projects and fixing systems that have “fallen out” of compliance over time.
What if you could guarantee that your system never goes out of compliance? What if that same tool could track changes to your system, roll them back if necessary, and then build an entirely new system with the same configurations if needed? This is the power of continuous compliance and its key toolset: configuration management.
Compliance on AWS
The Amazon Web Services cloud can reduce both the complexity and cost of compliance: It has built-in monitoring tools, encryption is essentially a check-box, and most of the physical datacenter safeguards are taken care of for you.
The trouble is, the real cost of compliance is not monitoring or encryption. The real cost is architecting an environment that meets your compliance objectives (and that can mean spending months figuring out how to assemble AWS’ tools for HIPAA or PCI compliance or combing through AWS’ whitepapers), hiring an auditor to make sure you did it right, and then maintaining compliance over time.
What companies need is continuous compliance: a set of procedures and toolchains that protect your system from error or unplanned changes, and proactively maintain the desired configuration over time. Unfortunately, this is not a pre-built SaaS tool that automates workflows, it is not a push-button security tool, and it is not offered by AWS. You need a custom set of configuration management scripts that build, enforce, and maintain security in your particular environment.
You can set up a HIPAA or PCI compliant AWS environment without configuration management. In fact, it may take you longer to set up a compliant environment with custom automation than if you just do it manually. But as your environment changes (operating systems are patched, access policies are changed, etc.), is that being documented? Are compliance goals still being met on Day 200? Unless you want your GRC team checking every time you update your AWS environment, you are going to need a scalable, automated way to enforce configurations. And the good news is, configuration management is a robust, well-tested way to maintain configurations — and auditors love it.
Why Configuration Management is Your Best Friend
Configuration management is a 15+ year old technology that is used by the federal government and nearly every major enterprise team for datacenter compliance, and should be used equally heavily in AWS. When systems are complex, there must be an equally powerful set of management tools and processes to enforce and maintain configurations. Tools like Puppet and Chef are designed to do exactly that:
- Improve Transparency: You know exactly how every system is configured for security at any point in time.
- Increase Efficiency: You reduce the time and cost of deploying future systems; you do not have to rebuild security configurations or get them approved by security teams when they are “built in” to templates and bootstrapping scripts.
- Enforce Policies: Your CM tool regularly “checks in” to your system to make sure your baseline configurations are maintained, meaning your system never suffers from “configuration drift”.
- Reduce Manual Work: By centrally managing configuration, you discourage ad hoc work; any change made directly to the instance and not to the script will be overwritten when your CM tool runs anyway.
- Simplify Patching: Patches can be distributed across every system rapidly and with a complete audit trail of what was patched where.
- Auditors love it: You can tell them exactly how your system is configured, and critical compliance features like log monitoring and archival are included by default.
In other words, this is a powerful toolchain that virtually “guarantees” security configurations are maintained across complex cloud environments. To learn more about exactly how to implement configuration management, download our white paper on continuous compliance.
Architecting for Compliance
AWS has done an excellent job producing documentation and sample architectures for HIPAA, PCI, etc. But we all know there is a long road to travel between documentation and a live system, especially if you want to also build in configuration management.
The alternative, of course, is outsourcing.
Managed service providers specialize in building a compliant AWS environment for you so you can focus on building applications. They have preexisting templates of compliant architectures that can be customized for your specific needs, and operational tools to ensure management and upkeep. The benefits of co-managing your infrastructure with an experienced vendor can be significant:
This is a sample chart with only a small selection of compliance tasks that a company must perform, and it describes broadly the services that Logicworks offers as an MSP; not all MSPs offer these services.
Some may be surprised to see that tasks like encryption or network design are a company’s responsibility in AWS; many falsely assume that AWS provides these solutions as a service. It is important to understand that AWS provides many of the tools you need to enable PCI, HIPAA, FedRAMP, and other compliance objectives on AWS, but it does not configure these services for you. This is why AWS always talks about its Shared Security Responsibility Model: AWS is responsible for the compliance of the services included in its BAA, but you are responsible for how your environment is configured to use those services.
In other words, AWS provides check-box encryption for S3 buckets, but if you “forget” to encrypt a sensitive file, that is your responsibility. This is where an MSP can be very useful: first, they tell you how to architect an AWS environment according to best practices, then they do the work to configure it and make sure that those best practices are enforced. Savvy service providers will even put in guardrails to protect against bad behaviors, like making sure no personal data can be uploaded to an S3 bucket without encryption.
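The S3 guardrail described above, as an added example (not code from the original post or from Logicworks): a bucket policy that denies PutObject requests lacking server-side encryption, plus a small offline evaluator so the policy can be checked without an AWS account. The bucket name and the request dicts are constructed placeholders, and the evaluator implements only the Null and StringNotEquals operators this policy uses, not full IAM evaluation.

```python
# Added example, not code from the original post: an S3 bucket policy that
# denies uploads without server-side encryption, plus a small offline
# evaluator for the two condition operators it uses (Null, StringNotEquals).
# The bucket ARN is a constructed placeholder.
BUCKET_ARN = "arn:aws:s3:::example-phi-bucket/*"  # constructed placeholder
SSE_KEY = "s3:x-amz-server-side-encryption"

def deny_put(sid, condition):
    """Build one Deny statement for s3:PutObject on the bucket."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": BUCKET_ARN,
            "Condition": condition}

# Two statements keep the missing-header and wrong-value cases separate.
# The evaluator below treats a missing key as not matching StringNotEquals,
# so the Null statement is the one that catches an upload with no header.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        deny_put("DenyUnencryptedPut", {"Null": {SSE_KEY: "true"}}),
        deny_put("DenyWrongAlgorithm",
                 {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}}),
    ],
}

def _condition_matches(cond, request):
    """True if every operator/key in the Condition block applies to request."""
    for op, keys in cond.items():
        for key, expected in keys.items():
            value = request.get(key)
            if op == "Null":
                # Null "true" matches only when the key is absent.
                if (value is None) != (expected == "true"):
                    return False
            elif op == "StringNotEquals":
                allowed = expected if isinstance(expected, list) else [expected]
                if value is None or value in allowed:
                    return False
            else:
                raise NotImplementedError(op)
    return True

def put_is_denied(request, policy=GUARDRAIL_POLICY):
    """Sid of the first Deny statement matching a PutObject request (a dict
    of condition-key values), or None when the upload is allowed through."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _condition_matches(stmt["Condition"], request):
            return stmt["Sid"]
    return None
```

Calling put_is_denied({}) reports the upload with no encryption header as denied, while put_is_denied({SSE_KEY: "aws:kms"}) returns None, i.e. the guardrail lets an encrypted upload through.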
This level of automation is what AWS calls “DevSecOps,” and as you can see from this example, it has the potential to dramatically reduce your team’s manual work. Recently, we gave a technical webinar about the power of DevSecOps for PCI-compliant companies; watch it here.
DevSecOps and the Future of Compliance
The future of compliance is not in Excel spreadsheets and checklists. It is in security-as-code and governance-as-code, i.e. configuration management scripts that control complex systems, versioned and updated like any other piece of software.
In most systems, compliance is traditionally an afterthought. With AWS and configuration management, you have the potential to build a cloud that is compliant by design.
by Steve Zeller
VP of Business Development, Logicworks