Virtustream Blog

Is Your Cloud Platform Compliant AND Secure? Improve Your Cloud Compliance Strategy with a Comprehensive Security Approach.


in Compliance, Security, Cloud, Trust

Achieving compliance is vital to any business in a field that requires certifications to operate. Leading companies often work hard to maintain and achieve new compliance standards, which can bring huge benefits to their businesses and, equally, to their customers. While a compliance-focused approach can be advantageous from a business perspective, these efforts can also be detrimental to your overall security posture if extra care is not taken to understand your potential vulnerabilities.

Understanding a Compliance-Oriented Approach

Let’s consider what an organization does when remediating vulnerabilities using a compliance-oriented approach. For example, PCI DSS requirement 11 does not require authenticated (credentialed) scanning in order to be compliant. This allows the organization to patch the few vulnerabilities discoverable from outside the system while ignoring all the internal ones. If an organization were focused only on compliance rather than security, this could be a great shortcut to take for certification, albeit one with very negative security implications.

To put this in perspective, let’s use the analogy of a house. If we study a house from the outside only, we may note that a piece of siding should be fixed, a window should be upgraded, or shingles should be replaced on the roof. However, missed in our observations will be the mold, warped floors, and unsafe electrical wires inside of the home. If we fixed the exterior, the house would look presentable, yet examining the inside would tell a very different story.

Recorded Future publishes a list every year of the top vulnerabilities they have observed attackers using to exploit systems. The 2018 list contained vulnerabilities mainly found in Microsoft and Adobe products. This reflects a calculated strategy by the attackers, since most businesses and organizations use products from both companies. If a company only reviews and remediates scans from a compliance-oriented perspective, it can miss the vulnerabilities in its systems that are most frequently exploited globally. Simply put, a company can be fully compliant, yet still find itself vulnerable to attack.

Approaching Both Compliance and Security

Now that we understand the problem with a compliance-only approach, it’s clear that a smarter strategy would be to approach both compliance and security comprehensively. If there are lingering questions around which vulnerabilities to patch, my recommendation could not be more straightforward: patch all vulnerabilities that matter, period. There are vulnerability management companies, as well as others in the industry, that have done tremendous work to help prioritize patching from a risk perspective. One example of this is Predictive Prioritization from Tenable. This approach allows organizations to prioritize patching effectively to reduce risk based on the constantly evolving threat landscape. With an average of about 43 new vulnerabilities published daily in 2018, an approach that addresses the truly critical vulnerabilities can help organizations meet compliance requirements while at the same time securing their environments most effectively.
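To make the contrast concrete, here is a small Python model of the two triage approaches, added as an illustration and not taken from the original post or from Virtustream or Tenable. The scan findings, the placeholder identifiers, the "actively exploited" flags and the scoring weights are all constructed assumptions standing in for a real scanner export and threat-intelligence feed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # constructed placeholder, not a real CVE identifier
    cvss: float       # base severity as reported by the scanner
    external: bool    # visible to an unauthenticated, outside-in scan
    exploited: bool   # threat intel reports active exploitation (constructed)


# Constructed sample scan results: two reachable from outside, three only
# visible with authenticated (credentialed) scanning.
FINDINGS = [
    Finding("web-01", "VULN-EXAMPLE-1", 5.3, external=True,  exploited=False),
    Finding("web-01", "VULN-EXAMPLE-2", 7.5, external=True,  exploited=False),
    Finding("app-02", "VULN-EXAMPLE-3", 9.8, external=False, exploited=True),
    Finding("db-03",  "VULN-EXAMPLE-4", 8.1, external=False, exploited=False),
    Finding("ws-04",  "VULN-EXAMPLE-5", 6.4, external=False, exploited=True),
]


def compliance_view(findings):
    """Compliance-oriented triage: only what an outside-in scan reports,
    ordered by base severity."""
    return sorted((f for f in findings if f.external), key=lambda f: -f.cvss)


def risk_score(f):
    """Assumed risk model: base CVSS, doubled when the vulnerability is being
    actively exploited, with a modest uplift for external exposure."""
    return f.cvss * (2.0 if f.exploited else 1.0) * (1.2 if f.external else 1.0)


def risk_view(findings):
    """Comprehensive triage: every finding, authenticated or not, ordered by
    risk rather than by which scan surfaced it."""
    return sorted(findings, key=lambda f: -risk_score(f))


def missed_by_compliance(findings):
    """Actively exploited findings that a compliance-only view never shows."""
    seen = set(compliance_view(findings))
    return [f for f in findings if f.exploited and f not in seen]


if __name__ == "__main__":
    print("compliance-only patch list:", [f.vuln_id for f in compliance_view(FINDINGS)])
    print("risk-based patch list:     ", [f.vuln_id for f in risk_view(FINDINGS)])
    print("exploited but never seen:  ", [f.vuln_id for f in missed_by_compliance(FINDINGS)])
```

Run as written, the compliance-only list contains just the two externally visible findings, while the risk-based list puts the two actively exploited internal findings first; those two are exactly what the compliance-only view never surfaces.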

Virtustream is dedicated to combining our security and compliance best practices to ensure that your business operates successfully and safely. Our goal is to establish and build trust with each of our customers, no matter the size, by protecting their sensitive, mission-critical data while keeping our cloud compliant and secure.