For many, the combination of the words multi-cloud and compliance comes with a deep sense of foreboding. Storing data in multiple locations to ensure that you’re meeting local and international regulation is just one example, and one that can bring with it many issues and extra work. Add to this the cloud environments you may now be running alongside your physical data centre, and the complexity keeps increasing. Luckily, there are ways to simplify compliance in a multi-cloud world: small changes and advance planning can help you stay compliant and save stress when the auditors come knocking.
Here is a quick rundown of the steps you can take when planning a multi-cloud existence or changes you can make if you’re already there.
Choose the right clouds
The best part about the move to the cloud is that you aren’t doubling the size of your problem. Depending on your provider and solution, they will maintain the underlying infrastructure and core service AND tell you which compliance standards they meet. This means when you’re picking your cloud, you just need to ensure that the provider meets your requirements and be comfortable that they are taking care of the basics.
However, now you’re in a shared responsibility situation. Your provider is ensuring that the infrastructure and elements of the platform are compliant but you’re still responsible for controlling access and ensuring the compliance of the configuration and workloads you run within the platform.
Cloud providers openly publish the compliance certifications that they hold, so provided you know the regulations you need to meet, you should be able to find the right cloud for you. Follow the links below for the latest compliance certifications held by some of the major vendors:
I stated at the top of this post that adding cloud services can make achieving compliance easier. When you continue to retain an on-premises, or physical, data centre, you are now responsible for maintaining standards and controls across both sides of this hybrid cloud environment.
A great way of simplifying this step is to use a cloud platform that more closely aligns with your existing data centre infrastructure, such as VMware Cloud on AWS. This leverages skills and processes you may well already have within your existing team, and its Cloud Console provides a unified view of your IT infrastructure that enables you to track and report on compliance from a single point.
Just keep patching
Keeping current with your patching isn’t just important for compliance reasons; it will often increase stability, as well as provide performance and efficiency gains. If you keep up with patches, either as released or based on an agreed schedule, it doesn’t have to be a painful process. Continuing to use VMware as an example, VMware Aria Suite Lifecycle means you don’t have to patch manually, which not only saves time but also eliminates human error. The tool also gives you a centralised view of your environment, enabling you to monitor patching status and ensure that you are always in line with your compliance standards.
Another option is to use one of the specialist managed services companies that provide Patch Management as part of their service. This ensures you’re always current and compliant without needing to prioritise limited internal resources on routine activities.
Tackle Common Vulnerabilities and Exposures (CVEs) as they come in
While it is always good practice to maintain a routine patching schedule, an unfortunate reality of technology today is that information security risks and vulnerabilities can be identified at any time with fixes or workarounds following quickly after.
The key here is to ensure that you are keeping on top of CVEs as they’re reported. Leaving your platform exposed once the vulnerability is published rapidly increases the risk of compromise and subsequent business impact.
Each vendor is different, but in the case of VMware, advisories are published via an RSS feed and you can sign up for email notifications too. If you run a tool such as Runecast, the latest CVEs are displayed in your dashboard, and it highlights the CVEs that your environment is vulnerable to.
Knowing when there are patches available that are relevant to your infrastructure is the real trick for internal teams and Managed Services Partners (MSPs) alike – CVEs help here.
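As an added example (not from the original post, and not any vendor's tooling), the script below shows the matching step the section describes: it parses a constructed RSS advisory feed and flags inventory hosts running a version older than the fix. The `product=... fixed_in=...` description layout, the inventory fields and the `CVE-EXAMPLE-*` ids are assumptions and placeholders, not the real VMware feed schema.

```python
"""Added example: parse a constructed RSS advisory feed and flag inventory
hosts running a version older than the fix. Feed layout, inventory fields
and CVE ids are assumptions/placeholders, not the real VMware schema."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample feed: two items in an assumed "key=value" description style.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Advisories (constructed)</title>
<item><title>CVE-EXAMPLE-0001</title>
<description>product=ESXi fixed_in=8.0.2</description></item>
<item><title>CVE-EXAMPLE-0002</title>
<description>product=vCenter fixed_in=8.0.1</description></item>
</channel></rss>"""

# Constructed inventory: (host, product, installed version).
INVENTORY = [("esx01", "ESXi", "8.0.1"), ("esx02", "ESXi", "8.0.2"),
             ("esx03", "ESXi", "7.0.3"), ("vc01", "vCenter", "8.0.1"), ("vc02", "vCenter", "8.0.0")]

@dataclass(frozen=True)
class Advisory:
    cve_id: str
    product: str
    fixed_in: str  # first version that contains the fix

def parse_version(v: str) -> tuple:
    """'8.0.2' -> (8, 0, 2): numeric tuples compare correctly, strings do not ('8.0.10' < '8.0.9')."""
    return tuple(int(p) for p in v.split("."))

def parse_feed(xml_text: str) -> list:
    """Build one Advisory per <item>; items missing the assumed fields are skipped."""
    advisories = []
    for item in ET.fromstring(xml_text).iter("item"):
        desc = item.findtext("description", "")
        m = re.search(r"product=(\S+)\s+fixed_in=(\S+)", desc)
        if m:
            advisories.append(Advisory(item.findtext("title", "").strip(), m.group(1), m.group(2)))
    return advisories

def exposed_hosts(advisories, inventory) -> dict:
    """Map each advisory id to the hosts running that product below the fixed version."""
    findings = {}
    for adv in advisories:
        fixed = parse_version(adv.fixed_in)
        hit = sorted(h for h, prod, ver in inventory
                     if prod == adv.product and parse_version(ver) < fixed)
        if hit:
            findings[adv.cve_id] = hit
    return findings
```

Running `exposed_hosts(parse_feed(SAMPLE_FEED), INVENTORY)` gives the hosts to prioritise for patching per advisory; in practice the inventory would come from your CMDB or configuration reference described in the next section.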
Here are a few to keep an eye on:
Check your processes
You and your team are only as good as your processes. Ensure that any issues identified are recorded and acted upon. Document processes to ensure others can follow them if necessary and carry out regular reviews.
Ensuring that the configuration of your environment is captured and kept accurate is important. These processes remove key person dependencies: team members are sometimes unavailable, and having a configuration reference mitigates any loss of knowledge.
Some compliance standards require that processes are thoroughly documented and followed to the letter too, so keep that in mind.
You and your team can only be as good as the processes you follow and the actions you carry out.
Ensure that:
- processes are documented and reviewed on a regular basis
- configuration of the environment is documented and maintained
- all key processes and activities are carried out in a consistent manner and that corners aren’t cut
- any issues identified are recorded and acted upon
Missing any one of these could result in a compliance failure, and having a well-documented process framework reduces the risk of key person dependencies, as others can follow them should the need arise.
Keep continuously compliant
One challenge with compliance is keeping track as rules, recommendations and best practice change. If you don’t keep an eye on applicable regulations and vendor guidelines, it is easy to drift, increasing your operational risk. It can be difficult with a single environment, yet managing across multiple clouds and physical data centres once again multiplies the complexity.
Runecast is an easy-to-adopt tool that scans your infrastructure and reports compliance against a number of industry and regulatory standards as well as vendor best practices. Runecast can also advise which parts of your environment require patching or updates, using a straightforward traffic light system and priorities to help you plan your corrective action.
Conclusion – can you simplify multi-cloud compliance?
Out of the box, the many moving parts across a hybrid and multi-cloud environment mean that maintaining ongoing compliance can seem an endless task. By planning ahead, and employing the right tools and processes, keeping on top of things can be made more straightforward.
If you have already drifted too far and either the path back to best practice is unclear, or your teams need to focus on business change, then the best step may be to get some help. Xtravirt can help you understand the current state of your environment, support a program of corrective action, or support your routine maintenance activities. For those who need complete peace of mind, a Risk and Compliance managed service can provide all of these along with monthly compliance reporting providing ongoing evidence of effective controls.
If you are starting out on your hybrid or multi-cloud journey and want to simplify compliance during those early steps, why not consider an option such as VMware Cloud on AWS to get you started? It can accelerate the journey to hybrid cloud while also serving as the start of a multi-cloud strategy.
Hybrid and multi-cloud environments are quickly becoming the de facto choice for organisations, but it is vital that you are compliant. The good news is that it might not be as hard as you think.