☁️ Compliance Pt. I
This post is about my experience while covering the infamous cloud shared responsibility model. I'm writing this because it's 2021, and people still often assume because they're utilizing a IaaS/PaaS offering it's secure! Well, I'm here to assure you there's a little thing called the shared responsibility model that you may have yet to hear about...
Lets talk about thought processes for a moment. When you lean into security as a focus, the first couple topics that click are probably around patch and/or vulnerability management. You may then move onto attack surface, and therefore asset management. No matter what tool(s) you choose, these concepts can be defined in a pretty little wrapper often referred to as "Compliance" which can be described as a unit of measure used to define how secure an environment or infrastructure is. It's great for anyone topic to pick up and learn upon as it exposes you to scenarios and controls about truly securing your resources.
When it comes to compliance products and hardening, you'll quickly find there aren't many 3rd party solutions that deliver strict definition for compliance controls. And if they do, they're rather expensive to get off the ground with. The solution you choose to start with should often be native to your respective Cloud Provider, the following goes over what's available in both AWS and Azure for the time being.
AWS focuses on leveraging 'Config' for compliance and a specific feature within the service called 'Conformance Packs' to provide recommendations on how to improve your Posture across all services you utilize. Each of these Packs includes a set of compliance controls and implements checks for the compliance standard you choose to work towards achieving. It's also worth noting this is great for cleaning up a messy account as you'll be presented with specific checks that apply to each individual resource running in a given service. If your company/employer utilize AWS is any capacity it's worth reading additional information.
Azure's main focus for compliance related resources in within 'Azure Security Center'. It serves as a general posture tool for your Azure subscription(s) and provides an ease of consumption dashboard for getting a general idea of what's running and what configuration changes should be made in order to ensure you follow Azure's security best practices. There are also additions available within the product for specific compliance standards were are referred to as 'Security Policies'.