It has never been faster or easier to get something deployed in the cloud. Every day, it seems that cloud service providers like AWS and Azure are delivering a slew of new services that make it easier for enterprises to move their workloads to the cloud. Unfortunately, security and compliance may be left behind. The cloud offers increased efficiencies and scalability, but organizations need to also pay attention to security and compliance requirements or they could put themselves at risk.
What does it mean to move both fast and safe to the cloud? You should follow a few fundamental steps:
1) Discover what is running.
Most companies already have workloads in the cloud, so it’s important to know what is running and where. Each cloud provider exposes APIs for querying what is in your environment, and tools are available that report compliance issues in the resources already deployed.
2) Deploy workloads through source-controlled automation.
Once you know what is running, you need repeatable processes for deploying and modifying workloads, with every change stored in version control. Infrastructure-as-code, one of the latest technology trends, allows you to specify the exact configuration of your infrastructure. You also need a trusted version control system such as GitHub, Bitbucket, or AWS CodeCommit.
3) Regulate all changes through your automated channel.
After you’ve spent all that time and effort in building an automated deployment system, you need to make sure it is used. For example, if you continue to use the AWS Console to make environment changes, you will bring your environment to a non-compliant state really quickly. You need to lock down credentials and access to prevent changes outside of the trusted system. You also need a way to manage and mitigate infrastructure drift. Drift is defined as any configuration change that wasn’t made by your trusted system.
4) Make policy adherence a condition of deployment.
The final step is to ensure that you only deploy infrastructure that is free of policy violations. Policy can mean a comprehensive compliance regime such as NIST 800-53 controls, or it can be as simple as verifying that every resource has accounting data attached to it. The policy check can be automated, or it can be manual, with someone inspecting files for violations before they are deployed. Ideally your policy constraints themselves are expressed as code that is checked into version control.
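The four steps above fit together as one pipeline: an infrastructure-as-code template in version control, a policy check that gates deployment, and a drift check that compares what was declared against what the cloud APIs report. The following Python is an added example of that pipeline, not Fugue's code or any vendor tool. The template and the "observed" snapshot are constructed inline (the snapshot stands in for what describe-style API calls would return), the required tags and the security-group rule are assumed organisational policy, and the CloudFormation-style Resources/Properties layout is used only because it is a familiar shape for declared infrastructure.

```python
"""Policy-as-code gate plus drift check over an IaC template (added example).
Template, observed snapshot and policy rules are constructed for illustration."""
import json

# Assumed policy: every resource must carry these accounting tags.
REQUIRED_TAGS = ("Owner", "CostCenter")

# Constructed CloudFormation-style template as it would sit in version control.
TEMPLATE_JSON = """
{
  "Resources": {
    "AppBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "example-app-bucket",
        "Tags": [{"Key": "Owner", "Value": "platform"},
                 {"Key": "CostCenter", "Value": "1234"}]
      }
    },
    "AdminSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ],
        "Tags": [{"Key": "Owner", "Value": "platform"}]
      }
    }
  }
}
"""

# Constructed snapshot of the live account, keyed by logical id. It differs from
# the template in two ways: someone retagged AppBucket in the console, and a
# bucket exists that no template declares.
OBSERVED = {
    "AppBucket": {
        "BucketName": "example-app-bucket",
        "Tags": [{"Key": "Owner", "Value": "ops"},
                 {"Key": "CostCenter", "Value": "1234"}],
    },
    "AdminSg": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ],
        "Tags": [{"Key": "Owner", "Value": "platform"}],
    },
    "ConsoleBucket": {"BucketName": "made-in-console"},
}


def tags_of(props):
    """Flatten a CloudFormation-style Tags list into a dict."""
    return {t["Key"]: t["Value"] for t in props.get("Tags", [])}


def check_policy(template):
    """Return (logical_id, rule, detail) violations; an empty list means deployable."""
    violations = []
    for logical_id, res in template["Resources"].items():
        props = res.get("Properties", {})
        tags = tags_of(props)
        for key in REQUIRED_TAGS:
            if key not in tags:
                violations.append((logical_id, "required-tag", f"missing tag {key}"))
        # Assumed control: no security group may expose SSH to the whole internet.
        if res["Type"] == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                if rule.get("CidrIp") == "0.0.0.0/0" and lo <= 22 <= hi:
                    violations.append((logical_id, "open-ssh", "port 22 open to 0.0.0.0/0"))
    return violations


def detect_drift(template, observed):
    """Compare declared properties with the observed snapshot.
    Returns (logical_id, property, declared, observed) tuples. Resources present
    in the account but absent from the template are reported as unmanaged."""
    drift = []
    for logical_id, res in template["Resources"].items():
        actual = observed.get(logical_id)
        if actual is None:
            drift.append((logical_id, "<resource>", "present", "missing"))
            continue
        for prop, declared in res.get("Properties", {}).items():
            if actual.get(prop) != declared:
                drift.append((logical_id, prop, declared, actual.get(prop)))
    for logical_id in observed.keys() - template["Resources"].keys():
        drift.append((logical_id, "<resource>", "absent", "unmanaged"))
    return drift


def gate(template_json, observed):
    """Run both checks; a deployment pipeline would fail on any non-empty list."""
    template = json.loads(template_json)
    return {"violations": check_policy(template), "drift": detect_drift(template, observed)}


def deployable(result):
    return not result["violations"] and not result["drift"]


if __name__ == "__main__":
    report = gate(TEMPLATE_JSON, OBSERVED)
    for v in report["violations"]:
        print("POLICY ", *v)
    for d in report["drift"]:
        print("DRIFT  ", *d)
    print("deployable:", deployable(report))
```

Run as a pre-deploy step, the gate blocks AdminSg for a missing CostCenter tag and for the open SSH rule, and the drift check surfaces the console retag of AppBucket and the unmanaged ConsoleBucket, which is exactly the "change made outside the trusted system" that step 3 warns about. Wiring the observed snapshot to real describe-style API calls is the only part that changes when moving from this constructed input to an account.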
To learn more about how Fugue can help you follow these four steps, visit www.fugue.co.