Mohan Bethur, Subject-Matter Expert in Security Compliance, on the Importance of Compliance, Standards, and Regulations
In the article Compliance, Standards, and Regulations Are Your Security Friends, we talked about how standards give you guidance on what to do in order to proactively secure your cloud environment.
We spoke with Mohan Bethurstrong>, one of Cloud Raxak’s Subject-Matter Experts and the former Head of Security and Operations at Adobe for Adobe Managed Services, to get his perspective on the importance of compliance, standards, and regulations. Bethur was responsible for architecting Adobe’s digital transformation and the security configuration of the Adobe Cloud. He is a Certified Information Security Manager with expertise in security compliance, and has extensive experience in the application of FedRAMP, FISMA, HIPAA, ISO2700X, and other regulatory paradigms.
Q: What were some challenges you faced at Adobe when architecting its digital cloud transformation?
One of the primary challenges we faced at Adobe during its cloud transformation was not having a standardized automated configuration management policy in place for different systems on different platforms across environments. Since there was no baseline configuration and it was not automated, ongoing changes and modifications could not be detected when a package was upgraded or when a hotfix or new software was installed. This created a snowball effect and made some systems vulnerable early on during the cloud transformation.
Q: What is the importance of regulations (compliance or otherwise) in enabling secure cloud transformations? How did regulations help Adobe undergo its cloud transformation?
Companies often don’t know where to start when it comes to security on the cloud. Regulations provide a starting point for understanding:
- How security is different on the cloud (i.e. traditional security paradigms don’t work in the cloud)
- What security controls are relevant to your organization’s security and risk posture
The security processes and components described in regulations can be translated into actionable security controls. Implementing these security controls consistently across cloud environments is then a matter of automation and having a central view of the overall security state across environments.
For example, even though Adobe adopted a security-first approach (in contrast with a compliance-first approach), when the Adobe Managed Services team was undergoing the cloud transformation and doing an initial assessment to achieve compliance, a number of security gaps were identified. The security controls described in regulations like HIPAA and FedRAMP helped to address these gaps and improve the overall security posture.
Q: Do you find that companies aim for compliance first or for comprehensive security first? What are the benefits and disadvantages of each approach?
Companies naturally aim for compliance first because it can be required based on industry regulations. But while compliance standards like HIPAA or SOC2 provide frameworks that guide companies in defining a security and risk management strategy, they don’t guarantee that the organization is comprehensively secure. Since compliance is based on industry-wide standards, being compliant doesn’t provide overall security because the security requirements of individual companies vary.
If companies adopt a security-first approach, they can still use compliance standards as a starting point, but aiming towards comprehensive security puts these standards in context of the additional controls needed to properly address the company’s individual security needs. A security-first approach not only helps companies quickly achieve compliance, it also helps lower costs, minimize risks, and reduce security complexity. Some companies may believe that a compliance-first approach will be faster than a security-first approach, but the key thing to remember is that automating security allows you to have a cohesive security-first strategy that also speeds compliance efforts.
Q: If a company was not planning to undergo a cloud transformation just yet (so their IT infrastructure is on-premise), would compliance regulations still help with the mindset of proactive security?
Yes, even if a company is not ready to move to the cloud, compliance regulations would help change the company’s security mindset towards proactive security. At Adobe, the enterprise products were the first to be deployed in the cloud and offered as Managed Services as part of the Cloud Strategy. In order to achieve compliance and gain customer confidence, Adobe Managed Services proactively had a strong security strategy and program in place and also led the efforts to achieve compliance with HIPAA and FedRAMP.
Even though the on-premise infrastructure at Adobe was not ready to make the transition to the cloud, the corporate security and compliance team realized that proactive security is very important and necessary to achieving compliance. The compliance team at Adobe identified the common controls required for the on-premise infrastructure across different domains by mapping the frameworks of different compliance regulations to actionable controls.
Q: Do you have any advice for companies undergoing digital transformations using the cloud?
A common misconception most companies have when deciding to make a digital transformation to the cloud is assuming that the Cloud Service Provider (CSP) is responsible for security. Companies often overlook the fact that security is a shared responsibility between the CSP and the customer. Companies should understand that all their security needs are not addressed by the CSP. Companies undergoing a cloud transformation should therefore proactively assess and have security measures in place for comprehensive security. Having proactive automated security not only helps mitigate threats and minimize risks, it also helps companies swiftly achieve compliance.
We hope you enjoyed this guest highlight from Mohan Bethur, our Subject-Matter Expert in Security Compliance. Stay tuned for more articles and guest highlights on cloud security!