Welcome!

@CloudExpo Authors: Liz McMillan, Elizabeth White, Pat Romanski, Yeshim Deniz, Zakia Bouachraoui

Related Topics: @CloudExpo, Microservices Expo, Cloud Security

@CloudExpo: Blog Feed Post

Compliance in the Cloud | @CloudExpo @DMacVittie #DevOps #Compliance

Our work, both with clients and with tools, has lead us to wonder how it is that organizations are handling compliance issues in

Our work, both with clients and with tools, has lead us to wonder how it is that organizations are handling compliance issues in the cloud. The big cloud vendors offer compliance for their infrastructure, but the shared responsibility model requires that you take certain steps to meet compliance requirements.

Which lead us to start poking around a little more. We wanted to get a picture of what was available, and how it was being used. There is a lot of fluidity in this space, as in all things cloud. The fact that DevOps Security plays into the cloud compliance model – particularly in dynamic cloud environments – makes it even more fluid.

We’ve found the following options are the ones most frequently being pursued in cloud deployments for industries that need to meet compliance requirements.

Not in the Cloud
This is the default, and a lot of companies are following it. That is not to say they don’t use the cloud, but that anything that falls under compliance requirements is not moved to the cloud. In its simplest form, only static web sites are moved out to the cloud, or only SaaS, where compliance burdens fall more heavily on the provider are moved out of the datacenter.

Using Guidelines
All of the major vendors have guidelines to compliance for the customers’ part of the shared responsibility model. Since AWS is the largest cloud provider, we’ll link to their section. This requires manual effort and maintenance of scripts, but allows compliance to closely match inside-the-DC compliance. This is arguably the most often followed model.

Outsourcing
There is a healthy consulting business around compliance in the cloud, and a fair number of organizations are using it. By asking someone whose specialty is the nexus of compliance and cloud, the organization gets the results required without burning up a ton of man-hours internally. This too is a popular option, and should your organization go in that direction, there are plenty of resources to help find the consultant/service that best suits a given scenario.

Compliance Tools
There is a growing collection of tools available to help ease the transition to Cloud based compliance. They range from tools that aim to lock down the application itself to tools that run through cloud vendor settings and validate that the clients’ share of infrastructure configuration is compliant.

Due to the rate of change that both agile and DevOps introduce, we see this type of automation as the direction of the future, but it is too early to say how soon in the future. The simple fact is that Security and Compliance teams were already overburdened, and automation is the only thing that will allow them to stay ahead of the curve. The question is how fast the tools can both mature and engender trust amongst those responsible for corporate compliance.

In the End, It Is About the Org
The answer is different for each organization, sometimes even for each application portfolio or even application. We’re just listing the most common paths teams take, so if you’re looking for more options than whatever is currently happening, you have a place to start. There is a decent amount written about each of these options, so researching the one that suits you should not be a problem.

More Stories By Don MacVittie

Don MacVittie is founder of Ingrained Technology, A technical advocacy and software development consultancy. He has experience in application development, architecture, infrastructure, technical writing,DevOps, and IT management. MacVittie holds a B.S. in Computer Science from Northern Michigan University, and an M.S. in Computer Science from Nova Southeastern University.

CloudEXPO Stories
Enterprise architects are increasingly adopting multi-cloud strategies as they seek to utilize existing data center assets, leverage the advantages of cloud computing and avoid cloud vendor lock-in. This requires a globally aware traffic management strategy that can monitor infrastructure health across data centers and end-user experience globally, while responding to control changes and system specification at the speed of today’s DevOps teams. In his session at 20th Cloud Expo, Josh Gray, Chief Architect at Cedexis, covered strategies for orchestrating global traffic achieving the highest-quality end-user experience while spanning multiple clouds and data centers and reacting at the velocity of modern development teams.
"We host and fully manage cloud data services, whether we store, the data, move the data, or run analytics on the data," stated Kamal Shannak, Senior Development Manager, Cloud Data Services, IBM, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
In this Women in Technology Power Panel at 15th Cloud Expo, moderated by Anne Plese, Senior Consultant, Cloud Product Marketing at Verizon Enterprise, Esmeralda Swartz, CMO at MetraTech; Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems; Seema Jethani, Director of Product Management at Basho Technologies; Victoria Livschitz, CEO of Qubell Inc.; Anne Hungate, Senior Director of Software Quality at DIRECTV, discussed what path they took to find their spot within the technology industry and how do they see opportunities for other women in their area of expertise.
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in this new hybrid and dynamic environment.
When applications are hosted on servers, they produce immense quantities of logging data. Quality engineers should verify that apps are producing log data that is existent, correct, consumable, and complete. Otherwise, apps in production are not easily monitored, have issues that are difficult to detect, and cannot be corrected quickly. Tom Chavez presents the four steps that quality engineers should include in every test plan for apps that produce log output or other machine data. Learn the steps so your team's apps not only function but also can be monitored and understood from their machine data when running in production.