Compliance and Security in the Public Cloud: A Guide for Getting Started

Here at we work with a lot of different customers, from the savviest public cloud administrator to those who have rich experience in traditional IT infrastructures but are just now dipping their toes into the public cloud. Regardless of your level of commitment to the cloud, the decision of how to address your public cloud security comes down to build vs. buy and various permutations in between.

Let’s have a look at this matrix and see what the challenges are.

Option 1: Build it yourself

The good:

  • Highly customizable. You own the requirements, so you can code whatever you want in order to get the outcome your organization needs.
  • Your choice of framework. Choose among open-source, prebuilt, or anything in between.
  • Your choice of operating platform: Server in the closet, public cloud, formal data center resources, laptop in your cube. You can map your platform to your current environment, budget, or any other factor that’s critical to you.

The not so good:

  • Extremely time consuming to plan, design, build, deploy, and maintain.
  • Can be extremely expensive over time depending on the platform you build and deploy on.
  • Difficult to maintain and support through revisions.
  • Custom build may not have good documentation. Fixes and changes can get very challenging quickly.
  • Must have dedicated team to support and maintain ecosystem in addition to doing the job it was built for (compliance and security).
  • May or may not conform to 12-factor app framework for continuous development and deployment.
  • Developing and maintaining software becomes a capital expense as the project grows. You lose the ability to fully deduct operating expenses in the accounting period in which the cost was incurred.

Option 2: Buy ready-made

The good:

  • Many options to choose from.
  • Can buy specifically for your organization’s needs.
  • Support may be included or purchased should there be difficulty with operating the solution.
  • Most likely a roadmap exists for future features and upgrades.
  • No need for customer to build and maintain on their own.
  • May have some ready-made or canned frameworks.

The not so good:

  • Not as flexible or customizable as build-your-own.
  • There are many options to choose from which may make choosing difficult.
  • It may have unintended access methods to your data like the use of agents or the filing of sensitive customer data in an internal database.
  • May need to purchase several solutions to meet compliance and security needs.
  • May not be as flexible on where the code runs.
  • Vendor/solution selection can be a lengthy and resource-intensive process.

These two camps each have very passionate supporters, and each has its own merits. Those arguing for best of breed (B.o.B.) like to implement applications independently so they can get the best solution for their enterprise. Those who like a ready-made solution like system consistency and the business processes that go along with it. There is another option:

Option 3: Find a good SaaS platform

The good:

  • No need for end user to have dedicated hardware or infrastructure to run.
  • Can access on demand.
  • Can use application programming interfaces (APIs) in and out to service your public cloud.
  • Simple pricing and payment model.
  • Easy to build customizations onto.
  • Can have support and even professional services to assist with extending the platform.
  • Can service more than one public cloud platform.
  • Nicely conforms to web-native applications.

The not so good:

  • Critical customer data may be stored on the platform’s shared service.
  • Platform may not have the right service level agreement for uptime and availability.
  • Some platforms have a steep learning curve for usability and extensibility.
  • Relying on an Internet connection subjects users to that class of speed and transfer rate rather than a dedicated data center’s potentially higher speeds.

What’s an IT professional going to choose from among all these options?

A platform that is extensible, doesn’t require dedicated hardware, uses APIs and SDKs to scan the cloud framework, and has a solid API or tool to code against for customizations is a big win for many of the customers we’re working with.

The Evident Security Platform (ESP) is unique in the industry in that it provides several important features:

  1. Continuous and automated compliance, threat detection, and incident response. This fits nicely with the way devops/secops/techops run their business.
  2. ESP uses standard APIs and SDKs to communicate with public cloud infrastructures. NO sensitive customer data is ever held on the platform.
  3. No host-based agents are involved, so the 3-15% degradation in host performance is avoided. You gain visibility without impacting performance, and we can see many things that agent-based approaches cannot.
  4. Integration with log aggregators like Splunk or Sumologic, as well as ticketing systems like Jira or ServiceNow among others, to help with threat remediation. If no integration exists, you can use a webhook.
  5. Extensible architecture allowing for the addition of other public cloud infrastructures.
  6. Powerful customization engine to allow users to write their own custom signatures to validate against a defined non-standard best practice.
  7. Out of the box compliance dashboard provides continuous state across all accounts. One-button reports with click-through detailed risk reports and remediation at your fingertips.

Why is any of this important? By 2020, 95 percent of public cloud security breaches, typically resulting from misconfiguration, mismanagement, missing patches and mistakes, will be the end user’s fault. This isn’t my humble opinion, it’s Gartner’s. ESP is a great way to double-check your work when your organization is fast-tracking public cloud adoption. With security breaches costing businesses as much as $20,000 per incident per day in lost revenues, every customer utilizing the public cloud needs to implement and integrate ESP into their workflow. Not clear about possible effects on your business? Read this and this. We also invite you to give the Evident Security Platform a try and tell us what you think. You’ll be glad you did.

About Alex Ramos

Alex’s first IT experience was 31 years ago doing data entry for the Naval Ship Missile Systems Engineering Station (NSMSES-‘Nemesis’). Since then his formal IT career has spanned more than 20 years solving customer challenges from the mid-market/commercial segment to the largest enterprises, representing companies including DEC, Compaq, HP, HDS, EMC, Dell and various startups along the way, including ClariNet Communications, NetObjects, and BlueArc. He is hyper-focused on his customers’ business needs and creative in finding ways to accomplish them. Before coming to he was a Senior Architect for Dell-EMC’s converged products and solutions division building hybrid clouds using converged and hyperconverged building blocks.
