“You need to weave it in, in such a methodology so that it's simply generational, and it's simply the way that things are done,” said Aaron Ansari, vice president for Cloud One – Conformity at Trend Micro. He added that it must not be seen as a roadblock with the potential “to slow down the velocity of the development and release process.”
Mark Nunnikhoven, Trend Micro’s vice president of cloud research, says that the sense of alarm that security messaging has been met with in the past has done a disservice to those simply looking to do it right, as has the idea that security is a problem to be solved.
“At the end of the day, it really just boils down to: Security is a set of processes and tools that help you make sure that whatever you're trying to build does what you want it to, and only that — nothing else,” he said.
2. Understand the importance of compliance up front.
Compliance can often be a frustration when it comes to cloud management, but it’s still something that shouldn’t be taken lightly.
Ansari characterized compliance as “the hammer or the enforcement arm of a federal organization or a governing body” that ensures steps are being taken to follow the rules. He recommended that businesses take compliance considerations seriously.
“No organization wants to go through the cheese grater that happens when you have to go through a compliance violation,” he said. “Your business never comes out the same on the other side. And the risk that’s tied to is simply too great.”
3. Build your cloud with compliance in mind.
In terms of the cloud, Falcon recommends building a cloud center of excellence or thought leadership team to help ensure that compliance concerns are being considered on the front end.
“It can come back and really hurt an organization if they don’t set that up properly the first time,” he said.
Nunnikhoven recommended that, when building a compliance strategy, automation tools such as posture management be used to manage compliance continuously over time. Then, when audits do happen, the organization is not trying to assemble evidence of compliance after the fact.
“I've seen it with teams around the world: Everybody freaks out on Friday afternoon that the auditor is coming on Monday. And so, they scramble all weekend trying to build out this lovely report for the auditor to be like, ‘Oh, look, we're in compliance,’” he said. “All that worry and burden is taken away because you've automated it into your system.”