Cyber Solutions: Automating Compliance
CTAC’s client, A federally funded research and development center sponsored by the Department of Energy, sought a process for ensuring that their multi-tenant, muti-CSP platform offering would be highly available and remain in compliance with its FISMA Moderate classification and ATO. The tenants of the platform were the owners and admins of their accounts and required access to advanced computing and cloud technologies to pursue their advanced research projects. The problem was how to maintain control while providing the tenants with the freedom and capability their research required. This presented several key challenges:
- Manual Compliance: Achieving FISMA Moderate compliance in a manual, resource-intensive manner was time-consuming and error-prone. Ensuring that every security control across CSP environments was consistently applied and validated was a significant challenge.
- Multi-Cloud Complexity: The tenants had access to, and leveraged different CSPs for different aspects of their research. Ensuring consistent compliance across these diverse cloud environments added complexity and increased the risk of misconfigurations.
- Continuous Monitoring: Compliance is an ongoing process, and ensuring that configurations remain compliant over time requires continuous monitoring and remediation. This demanded a solution that could automate these tasks.
CTAC took a dual approach to the problem. Firstly, they used the cloud enablement tool Kion, which offers cloud automation, financial management, and continuous compliance. CTAC engineers performed a gap analysis, aligning NIST controls with Kion’s configurations. This generated a report on covered and uncovered controls. To address gaps, they created Infrastructure-as-Code (IaC) templates, achieving full NIST compliance. Using Kion’s continuous compliance, CTAC established automated rules encompassing various security aspects like identity and access management, data encryption, and network security. Collaborating closely with the client and its security team, CTAC customized Kion’s reporting and compliance capabilities to meet specific security policies beyond the basic moderate NIST controls.
CTAC’s implementation of Kion and IaC for automating FISMA Moderate-level security compliance for our client’s multi-CSP environment yielded several significant outcomes:
- Efficiency and Accuracy: Automation significantly reduced the time and effort required to achieve and maintain compliance. Manual processes were replaced with automated checks and remediation actions, minimizing the risk of human errors.
- Consistency Across Clouds: By applying the same compliance rules and policies to the multi-CSP environment and managed by a single tool, CTAC ensured consistent security posture across multi-cloud environments, simplifying management and reducing complexity.
- Real-time Monitoring: Continuous monitoring provided real-time visibility into compliance status. Security teams could promptly identify and remediate compliance violations, enhancing overall security.
CTAC successfully addressed the complex challenge of automating FISMA Moderate-level security compliance across CSPs by implementing and configuring both Kion and IaC. This solution not only improved efficiency and accuracy but also enhanced security and audit readiness, ultimately delivering value to our federal client who sought secure and compliant cloud solutions.