Guest blog by David Spark, Spark Media Solutions
“Compliance in the best case is a tough job to get through. The reality is once we start talking about dynamic IT, the cloud, mobility, off-network access, and so forth, it just exacerbates the problem exponentially,” noted James McCloskey, senior director, security risk and compliance advisory with Info-Tech Research Group, in our conversation at the 2016 RSA Conference in San Francisco.
As McCloskey points out, there are two issues organizations must address:
First, when a new initiative comes up, deal with front-end compliance issues such as setting expectations, monitoring, reporting, and access controls.
Second, given the dynamic behavior of IT in the cloud, you also have to deal with the change management issues inherent in the process.
This is a double-edged sword, explained McCloskey, in which not only do you have to deal with the security implications of operating in a dynamic IT environment, but you also must face the directive of compliance.
One way organizations are handling this is via secure DevOps: building security controls into your instances so that, as you spin up servers, you get a combination of the base security controls and base monitoring necessary for compliance.