Deloitte Fortress - automated cloud configuration and compliance management has been saved
Deloitte Fortress - automated cloud configuration and compliance management
Cloud services are essential for businesses to stay ahead of the competition. Their fast and easy deployment gives them a key advantage over on-premises solutions. To fulfill companies’ security needs, automating key technical and organizational measures is the only way to leverage the cloud’s full potential while protecting critical assets.
Security challenges in flexible, state-of-the-art cloud environments
Misconfigurations - underestimated risk with major implications
All the market-leading cloud platforms, whether Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure, provide access to complex technologies in just a few mouse clicks. In the day to day, misconfigurations can happen due to mistakes or insufficient training, which can result in devastating consequences for companies and their customers.
One possible fallout is third parties gaining unauthorized access to sensitive information, such as personal or company data. This can result in considerable financial and reputational damage for companies.
Misconfiguring cloud and security functions seriously endangers the three essential security goals of confidentiality, integrity and availability. By using automated scans, attackers can look for and exploit these vulnerabilities to gain access to data and internal company networks, or carry out further attacks against the company and third parties.
- 70% of cloud security threats are due to misconfigurations providing unlimited access.
- 95% of cloud security incidents are traced back to human operating errors.
- 68% of the companies surveyed see misconfigurations as the greatest cloud security threat.
Contemporary reaction time through automation
Tackling security gaps generally involves multiple steps, such as identification, evaluation, analysis and the ensuing reaction to an incident. However, the quick and easy provision of cloud technologies demands a more efficient response. Threats arising from misconfiguration, among other things, must be immediately identified, dealt with and applied to the entire cloud environment.
As manual processes cannot achieve the speed and efficiency required, we recommend that companies leverage the flexibility of the cloud environment and minimize manual user intervention. Automating relevant processes such as enforcing compliant configurations not only boosts security, but also allows companies to access the full potential of cloud environments.
- Security incidents are often identified hours or days after an incident
- Just a few minutes can be enough to steal business-critical data
Compliance management as integrative approach
To comply with regulatory and organizational requirements, companies must take various standards and best practices into account in a comprehensive IT security concept. Their cloud services must be seamlessly integrated into existing frameworks - otherwise they cannot ensure compliance with national and international standards and laws, such as ISO 27001, NIST or the EU's General Data Protection Regulation (GDPR). Non-compliance can result in a loss of trust on the side of customers and suppliers, as well as legal consequences.
To ensure their IT security compliance, organizations can follow the requirements of these industry-wide IT security standards to implement tailored measures (controls). Companies must establish a control framework that is tailored to the unique needs of their business. And, to guarantee continual compliance, this framework requires constant monitoring.
- Compliance is essential for customer confidence and to meet regulatory requirements
- Violations are subject to penalties of up to EUR 10 million or 4% of annual sales
- A uniform and tailored control framework is vital
Misconfigurations corrected, almost in real-time
Integrating Deloitte Fortress, thereby establishing a solid control framework, enables cloud users to address all these challenges efficiently. Configurations that we recognize as secure are confirmed with our clients before they are automatically implemented in their cloud environments. We also support our clients to define and apply appropriate settings.
The bedrock of Deloitte Fortress is a protection requirement analysis tailored to our clients’ security needs, performed in advance for all relevant cloud services. This ensures all relevant cloud configura-tions are adapted to individual security requirements.
One straightforward example is differentiating applied rules between test- and production environments. After the desired configurations for relevant cloud services are defined, they are automatically applied within 2 minutes - whether during the initial setup or for changes to services already in operation.
When a cloud storage is configured, its encryption is not switched on and its data flow is not limited to internal networks.
With Deloitte Fortress:
- Encryption is turned on automatically
- Data flows are restricted to previously defined IP addresses/ranges
Comprehensive and transparent compliance management
Our support services that define suitable configurations go one step further. Our technical controls selection is based on a broad framework of various IT security standards and industry-established best practices. This enables the direct assignment of regulatory and organizational requirements to rule sets that are applied automatically, allowing our customers to achieve and trace compliance with all technical controls for the entire cloud environment.
Deloitte Fortress’ freely configurable dashboard shows which technical rules were enforced within the respective cloud environments in a transparent way. This not only provides organizations with an overview of automatically resolved vulnerabilities but also enables them to trace compliance with standards of choice and to prove it in an audit.
Our customers can also use this information to identify their employees’ training needs in a systematic way. The knowledge base, which we can establish if needed, provides each employee with tailored information. This allows companies to achieve the most important non-technical requirement of many IT security standards: efficient and targeted employee awareness training.
After a misconfiguration is made, a secure configuration of a cloud storage defined in advance is automatically carried out:
- The originator receives an email with reference to a knowledge base entry
- The violation is shown on a dash-board with reference to:
- NIST 800-53: AC-19(5),SC-28
- HITRUST: 06.d-5,06.d-6
Deloitte Fortress functionality and components
Deloitte Fortress’ secure configurations and compliance scanning are fully automated and performed almost in real-time, efficiently supporting the cloud services’ protection mechanisms and reducing the burden of IT administrators. If a misconfiguration is automatically corrected, the initiator receives an email notification of the incident. These notifications can also include references to relevant knowledge base entries and policies, if desired.
Click here to enlarge
As only cloud-native services are used to implement Deloitte Fortress, only two components are required: an event hub and a serverless function. The event hub registers every creation and change event and then compares it with implemented rule sets and configurations that align with compliance requirements. If a configuration violates a control and/or rule, the implemented serverless function will automatically correct the misconfiguration, submit information to the central dashboard and optionally create a ticket (e.g., in ServiceNow) as well as notify the initiator.