How to Monitor Cloud Compliance with Lacework FortiCNAPP
Author: Jake Hammacott
Release Date: 15/08/2024
Compliance and governance of IT infrastructure is incredibly important in any enterprise. Failing to meet standards set by governments, industry-recognised compliance frameworks and internal policies can lead to an increased risk of resources being leveraged and exploited by malicious actors. This can cause massive issues within an organisation by creating additional attack vectors which could lead to you facing legal infractions and fines when compliance is not met.
Compliance frameworks, such as the ISO27001 series, cover a wide variety of different resources and policies, with each being different and applicable to different environments. So, when a compliance or security team goes to audit their estate, it can be incredibly time-consuming and resource intensive to effectively and efficiently gather all information required. With many companies moving towards cloud-based solutions, this task becomes even trickier, with the security teams suddenly needing to be proficient in whichever platform the company has adopted. Additionally, organisations with multi-cloud solutions add yet another layer of complexity to any compliance auditing processes.
Lacework FortiCNAPP aims to enable security teams to immediately identify current compliance findings within their cloud infrastructure, whether on AWS, Azure, GCP or any combination of the three. Through the use of Lacework FortiCNAPP's cloud compliance monitoring dashboard, compliance can be assessed in (near) real time and can be filtered down by many fields including, framework, hosts or specific policy violations.
Furthermore, when looking into mergers and acquisitions, it can be incredibly difficult to expect or understand what cloud infrastructure you are going to inherit. Lacework FortiCNAPP’s compliance dashboard can make this simple and easy. By integrating Lacework FortiCNAPP into any new cloud accounts, compliance information is monitored and accessible in the same time frame as any well-established estate. In this blog post, we’ll be jumping into more depth on Lacework FortiCNAPP’s cloud compliance dashboards to demonstrate how it could benefit your organisation.
Lacework FortiCNAPP’s Compliance Dashboard
Lacework FortiCNAPP's compliance dashboard, found under the risk centre subheading, can be easily accessed and compliance findings can be assessed and monitored in Lacework FortiCNAPP in under 24 hours after integrating your cloud accounts. Lacework FortiCNAPP also recently became capable of analysing the compliance of kubernetes, with a dashboard available specifically focused on it.
When first opening the dashboard, Lacework FortiCNAPP provides a high level overview of the current compliance findings. Diagrams and charts show policy and resource compliance, along with non-compliant policy severities and are great key indicators that give an immediate synopsis to security and compliance teams. Lacework FortiCNAPP comes with over 30, industry-recognised, compliance frameworks out-of-the-box and allows for the creation of custom policies (that are in-line with internal policies) to be added and included into the compliance dashboards.
Although these initial graphics are great at providing a quick review of an entire cloud estate, in reality, it is likely that a security team is going to work through individual policies or resources to get their infrastructure compliant. To solve this, Lacework FortiCNAPP provides a dedicated page for both policies and cloud accounts that documents all findings. This creates many opportunities for a team to work more effectively on compliance through the following ways:
• Immediately sort by the highest severity of policy to find risky non-compliance so it can be focused on with a high priority
• Sort non-compliant policies by the number of affected resources: there may be a specific configuration that is used as a standard for all cloud resources that is actually introducing a level of insecurity to the cloud estate. This can be identified and interrogated with a high priority to determine if this configuration is unnecessary or a justified, accepted risk
• Cloud accounts can be sorted by non-compliance, revealing which infrastructure currently brings the most insecurity and risk to your organisation
Each record in any Lacework FortiCNAPP table can be drilled-down. For instance, clicking on the “Network Access Control Lists (ACL) do not allow unrestricted outbound traffic” policy takes us to a new dashboard page. Here, every resource that is currently non-compliant with this policy is listed, with the opportunity to further drill-down into the actual resource.
Every out-of-the-box policy in Lacework FortiCNAPP has a dedicated web-page that provides a full context and explanation of the policy, along with a remediation method to allow for analysts to easily and confidently adhere to compliance. For example, clicking the “View Context” button on this page takes me to the following page: https://docs.lacework.net/catalog/policies/lacework-global-146. Lacework FortiCNAPP has spent a large amount of time and effort creating this documentation to make compliance a simpler and more user-friendly task to manage - with the entire policy catalogue available via https://docs.lacework.net/catalog.
Compliance Reports
Being able to view, monitor and access compliance findings is incredibly beneficial to security and compliance teams. However, all the information provided by Lacework FortiCNAPP in the Compliance Dashboards could overwhelm an internal auditor. Additionally, if a team had to take all of the information provided and collate it into a compliance audit document, a huge amount of time would be wasted by copying over the relevant data. Fortunately, Lacework FortiCNAPP allows for the automated creation of compliance reports, which reflect a specific framework relevant to your goals, infrastructure and current certifications. These reports can be created ad-hoc when required or at regular intervals. Each report uses data found in the compliance dashboard to document the compliance findings against the chosen framework. Any Lacework FortiCNAPP admin can view, export or create these reports whenever necessary and can even use them to assist in the delivery of external audits.
The reports are split into relevant sections, with overviews providing a high-level overview of findings. Additional sections are included to show granular non-compliance between policy and resource.
Reports also provide the benefit of allowing organisations track their progress in becoming compliant with specific frameworks. For instance, if you’re currently looking to become ISO 27001 certified, Lacework FortiCNAPP compliance reports could be a method of understanding how progress is being made and where there are areas that need prioritisation or further development. As compliance data is available so soon after cloud-configuration and integration with Lacework FortiCNAPP, reports become invaluable from day 1.
Compliance Outside of the Compliance Dashboard
As well as having monitoring available in the compliance dashboard, new compliance violations are alerted on, identifying new risks and insecurities created from configurations and changes. These new violations are found in Lacework FortiCNAPPs Threat Centre and include context and information on the alert including: why the alert triggered, when it triggered, what happened, how it can be fixed and any relevant, related alerts that have already triggered.
This process empowers more compliance-mature estates to keep on-top of their security posture and proactively remove insecurities found in mis-configurations.
More and more industries are seeing the benefits of “shifting left” in their security protocols. Fundamentally, this means identifying issues in infrastructure whilst it's still in the development pipeline. Lacework FortiCNAPP uses an agent-based approach to this in their Code Security dashboards. Here, code is monitored inside the CI/DC (Continuous Integration & Continuous Development/Deployment) pipeline or repository, with any risky infrastructure being identified before hitting production. This empowers DevOps teams to ensure that resources that they push out are secure, saving both time and money by preventing a fix needing to be administered once infrastructure is already live.
Similar to the compliance dashboard, in many cases, fixes/guides are provided to DevOps engineers to allow them to quickly and easily rectify mis-configurations:
Conclusion
One of Lacework FortiCNAPP's big ambitions is to ease the burden of compliance monitoring and enforcement. They provide a whole host of tools and solutions that empower a wide range of IT personnel, making compliance an easier topic to manage. Cloud solutions are becoming ever more popular, meaning the approach to compliance needs to adapt to stay effective and relevant. The adoption of Lacework FortiCNAPP could provide your organisation with the technology to save time, man-power and resources when attempting to monitor cloud compliance.
