“It takes a multilevel approach to risk mitigation relative to compliance and even security,” explains Alam. “You have to dissect the application workloads and look at their behavior and make sure that when you send data across a network, you’ve got microsegmentation and you have a least privileged model, or better still zero trust, enabled.”
That’s a much more complicated challenge than managing a traditional data center, which IT and service providers can more readily protect and monitor. “It’s important to look at all of our IT resources and check them against the regulatory mandates, such as NIST [National Institute of Standards and Technology] and HIPAA and the EU GDPR requirements,” Alam says.
Without automation, though, organizations are reliant on a morass of spreadsheets, Microsoft Word documents, and mistake-prone manual processing to fulfill governance, risk, and compliance (GRC) tasks. “Compliance isn’t new per se, but the ability to automate your compliance and audit procedures is new,” Alam asserts. “There are a lot of point solutions that organizations are struggling to incorporate, and there is a lot of spreadsheet analysis going on. But we all know that cutting and pasting between documents is not an efficient way to do this.”
A company's assets may span public cloud, private cloud, multicloud, and traditional or colocation data centers, and each addition brings more complexity, decentralizes administration, and potentially limits visibility. Much can go wrong in the cloud, mainly through human error such as misconfiguration. According to Gartner, through 2025, 99% of cloud security failures "will be the customer's fault."[10]
Public and hybrid clouds operate under a shared responsibility model: the cloud service provider secures the underlying infrastructure, but each organization remains responsible for meeting security and compliance objectives for its own data and workloads. That requires well-defined security and compliance standards and controls, together with risk management, that provide:
Visibility into hybrid and multicloud environments
Cloud security posture management
Risk mitigation
Continuous security and compliance risk monitoring
Audit and compliance management
Compliance today extends far beyond audit preparedness. It is an opportunity to converge business goals and security goals. But this requires automating the discovery of IT assets, assessing each against security and regulatory rules, and generating security posture scores.
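The three steps above (inventory the assets, assess each against rules, score the posture) are what a compliance-automation or cloud security posture management tool does under the hood. The following is an added example, not code from the article or from any product it discusses: a minimal compliance-as-code checker in Python. The inventory is a constructed sample (in practice it would come from automated discovery against provider inventory APIs), the rule IDs and their NIST SP 800-53 control references are illustrative mappings chosen for this example, and the score is simply the percentage of applicable checks that pass. A `new_findings` helper compares two assessments so the same code can drive continuous monitoring for drift and regressions rather than a one-off audit.

```python
"""Minimal compliance-as-code checker: assess an asset inventory against
rules mapped to control references and compute a posture score."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample inventory for this example (not real infrastructure).
INVENTORY = [
    {"id": "bucket-logs", "type": "storage", "public": False, "encrypted": True},
    {"id": "bucket-exports", "type": "storage", "public": True, "encrypted": False},
    {"id": "sg-web", "type": "firewall",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"id": "sg-db", "type": "firewall",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 5432},
                 {"cidr": "10.0.0.0/8", "port": 5432}]},
    {"id": "role-deploy", "type": "iam_role", "actions": ["s3:PutObject", "s3:GetObject"]},
    {"id": "role-admin-ci", "type": "iam_role", "actions": ["*"]},
]

ALLOWED_PUBLIC_PORTS = {80, 443}  # assumption: only web ports may face the internet


@dataclass(frozen=True)
class Rule:
    rule_id: str
    control: str                   # illustrative control reference, not an official mapping
    asset_type: str                # rule applies only to assets of this type
    description: str
    check: Callable[[dict], bool]  # returns True when the asset is compliant


RULES = [
    Rule("STOR-1", "NIST 800-53 AC-3", "storage",
         "object storage is not publicly accessible",
         lambda a: not a["public"]),
    Rule("STOR-2", "NIST 800-53 SC-28", "storage",
         "encryption at rest is enabled",
         lambda a: a["encrypted"]),
    Rule("NET-1", "NIST 800-53 SC-7", "firewall",
         "no internet-wide ingress except on web ports",
         lambda a: all(r["cidr"] != "0.0.0.0/0" or r["port"] in ALLOWED_PUBLIC_PORTS
                       for r in a["ingress"])),
    Rule("IAM-1", "NIST 800-53 AC-6", "iam_role",
         "no wildcard actions (least privilege)",
         lambda a: not any(act == "*" or act.endswith(":*") for act in a["actions"])),
]


@dataclass
class Finding:
    asset_id: str
    rule_id: str
    control: str
    description: str


@dataclass
class PostureReport:
    checks_run: int = 0
    checks_passed: int = 0
    findings: list = field(default_factory=list)
    per_asset: dict = field(default_factory=dict)  # asset id -> (passed, applicable)

    @property
    def score(self) -> float:
        """Posture score: percentage of applicable checks that passed."""
        return 100.0 * self.checks_passed / self.checks_run if self.checks_run else 100.0


def assess(inventory, rules=RULES) -> PostureReport:
    """Run every applicable rule against every asset and collect findings."""
    report = PostureReport()
    for asset in inventory:
        applicable = [r for r in rules if r.asset_type == asset["type"]]
        passed = 0
        for rule in applicable:
            report.checks_run += 1
            if rule.check(asset):
                passed += 1
            else:
                report.findings.append(
                    Finding(asset["id"], rule.rule_id, rule.control, rule.description))
        report.checks_passed += passed
        report.per_asset[asset["id"]] = (passed, len(applicable))
    return report


def new_findings(previous: PostureReport, current: PostureReport) -> list:
    """Findings present now that were absent in the previous run (drift/regressions)."""
    seen = {(f.asset_id, f.rule_id) for f in previous.findings}
    return [f for f in current.findings if (f.asset_id, f.rule_id) not in seen]


if __name__ == "__main__":
    rep = assess(INVENTORY)
    print(f"posture score: {rep.score:.1f}% ({rep.checks_passed}/{rep.checks_run} checks passed)")
    for f in rep.findings:
        print(f"FAIL {f.asset_id:16} {f.rule_id:7} {f.control:19} {f.description}")
```

Running the block against the sample inventory yields a 50% score with four findings (the public, unencrypted export bucket, the database security group open to the internet, and the CI role with a wildcard action). Scheduling `assess` on a fresh inventory and feeding consecutive reports to `new_findings` turns the same rules into a continuous monitor that flags only what changed since the last run.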