During a recent datacenter automation demo, a customer asked me: “How exactly does compliance fit into the world of cloud computing?”
Unfortunately, there is no short and simple response. Too many variables come into play even when defining what it means for an organization to be “compliant”. It all depends on the organization's industry. Organizations can face a wide range of requirements and issues, from both regulatory and operational compliance. To begin with, confusion still exists around quantifying the compliance and regulatory implications of cloud computing.
In general, cloud computing presents challenges for applying regulatory compliance best practices—regardless of the organization’s specific situation. The primary issue is that when IT personnel provision cloud services, they do not have the same kind of visibility into cloud application-infrastructure resources as they do with internally deployed traditional IT systems.
So what steps can you take to help maintain compliance when provisioning and maintaining cloud services? Here are four technical best practices you can use today. Each is integrated with HP Cloud Management and draws on the broad software expertise that HP brings:
Maintain the existing configuration management plan — Compliance policies should apply to all systems, regardless of whether they are housed internally or with an external cloud provider. Maintaining compliance is simpler when you work with a cloud services platform that deploys operating systems using the same build plans, so that configurations are “hardened” and associated with established patching and audit policies. Today, HP Cloud Management uses HP Server Automation, which has been seamlessly integrated with HP Cloud Service Automation.
Provision with multi-tenant firewalls — Firewalls are a basic functional security requirement. Unfortunately, not every cloud service provider will clearly describe potential issues related to multi-tenancy, so make sure you confirm and test for this specifically. In an earlier blog, we highlighted HP Cloud Management’s integrated use of HP TippingPoint CloudArmour, which offers firewall zoning and segmentation to secure your cloud computing. You can find information on the ease of integrating it with HP Cloud Service Automation on the HP Live Network.
Integrate log data — Although most infrastructure providers leave it to IT organizations to figure out, log management is key for tracking cloud infrastructure information. The cloud service platform needs to be fully integrated so that provisioning and configuration logs can be overseen alongside existing application performance management systems or event correlation software. This is particularly true when you are mindful of the “Unknown Unknowns” and of how HP Cloud Management prevents insider and advanced persistent threats through the use of HP ArcSight Logger.
Harden application and core operating systems on Virtual Machines — Virtual machine images play a key role in cloud computing provisioning. They must go through a security hardening process to ensure that the core operating system and applications have been vetted and secured in a manner that minimizes security exposure and risk. The cloud enables rapid provisioning of machine instances, which can create virtualization sprawl that potentially increases attack exposure if the core machine image has not been properly hardened. As the concept of the “infinite perimeter” attempts to describe, the stack should be hardened enough that, should the firewall or any other piece of the security strategy fail, the core operating system and applications can withstand attack. The HP Cloud Management platform offers agentless monitoring of your IT infrastructure and applications with HP SiteScope software. We will soon provide a separate blog post on performance monitoring capability, so keep a lookout for it.
So far, we have taken a practitioner’s approach, looking at practical steps towards enabling compliance for cloud computing in the hybrid cloud space. For the rest of this blog, let’s look at how we change your game by automating for compliance via HP Cloud Management.
Create a multi-layer security and compliance strategy with HP Cloud Management
Security and compliance need to be built into every aspect of provisioning and maintaining a cloud services platform. When a business user procures IT, they should not have to think about security and compliance—and they probably won’t! Automation is key to protecting your business from the excessive costs of pursuing compliance, as well as the consequences of failing to attain it.
Compliance automation starts with a unified compliance strategy across your hybrid cloud environment. From continuity in compliance management, to quick and effective remediation, it is vital to have accurate reporting that facilitates addressing compliance challenges. HP’s approach to compliance automation is shown in Figure 1 below.
HP Cloud Management integrates with HP Cloud Service Automation and HP Server Automation, so IT organizations can leverage existing investments to easily automate security and compliance. Server Automation can deploy VM operating systems using pre-configured build plans and sequences. It also automatically maintains cloud service subscriptions over time, allowing users and administrators to check current compliance status and request remediation as needed. This gives you peace of mind while reducing operational expenses, and it frees up resources for other mission-critical areas.
Learn more about HP Server Automation …
Achieve sustainable compliance with cloud computing, and create a multi-level security strategy that aligns with compliance policies and requirements and is automated using existing tools. Visit the HP Server Automation product page to discover what HP can offer your cloud ecosystem.