For more than 20 years, Telos has pioneered technology designed to automate complex cybersecurity functions. For example, one of our flagship products, Xacta®, automates cyber risk and compliance management activities such as asset inventory, security control determination, test plan creation, security/compliance testing, and continuous monitoring. Automating these steps makes them faster and more consistent, and sharply reduces the time it takes to deploy secure and compliant systems, which is a direct benefit to security practitioners.
Until 2015, our focus was on traditional IT environments. Shortly afterward, the CIA made the groundbreaking decision to adopt Commercial Cloud Services (C2S), and asked whether we could do for the cloud what we had already done for on-premises environments. We accepted the challenge and retooled the Xacta platform to accommodate cloud resources. The new platform launched in 2017. With Xacta 360, Telos offers a platform that automates security risk and compliance activities for on-prem, cloud, multi-cloud, and hybrid systems.
Waiting for the World to Start the Cloud Security Conversation
Our perspective in 2011 was that the cloud is fundamentally more secure than on-prem systems. Cloud providers invest in physical security, economies of scale, and standardized technologies in a way that takes much of the security burden off their customers. However, the world didn’t agree with us. That is, until the CIA decided to adopt the cloud in 2014. That was the shot heard around the world. The CIA has since shown how the cloud can be used securely, and its adoption has made organizations worldwide take notice and seriously consider cloud adoption.
But… Security Remains a Concern
The CIA has proven that the cloud can be made secure. And other programs, like FedRAMP, are designed to establish a standards-based way of securing commercial cloud services. However, there’s still a knowledge gap around cloud technology, and more specifically, a lack of understanding about cloud security, compliance, and the associated best practices. These knowledge gaps intimidate organizations and impede cloud adoption. Organizations aren’t sure how to get started, or how to manage cloud workloads over time. This is why automation is so important.
Automation Helps Simplify the Security and Compliance Process
Automation is critical both for reducing the learning curve and for preventing the issues caused by best-guess efforts. This is especially true in regulated and semi-regulated industries that are required to adhere to specific security standards. When an organization is breached, its failure to properly secure and monitor its systems becomes public, and failure to adhere to security requirements can result in steep fines or worse.
Some of the questions I hear when people are addressing regulatory requirements include:
- How do I know what assets and resources make up my workload?
- How do I know which security controls apply to my workload?
- How should cloud services be configured to be secure and compliant from a regulatory perspective?
- How do I know my workload is secure and compliant before it’s deployed?
- How do I document my process to demonstrate a standard of due care with respect to security compliance?
- How do I continuously assess my workload to ensure on-going security and compliance after my workload is deployed?
Automation is key to addressing these questions. It reduces uncertainty and lightens the burden of security and compliance. The result is a more confident organization with a greater appetite for cloud adoption.
Automation is Key to Cloud Adoption
Some key automation functionality that makes cloud adoption much easier:
- Automatically establish an inventory of your cloud-based resources – You don’t need to be an expert in cloud technology. You just need a way to automatically scan your cloud accounts to establish and maintain your inventory.
- Automatically understand which security controls apply to your cloud resources – You don’t need to be an expert with regard to security controls. You just need to answer questions about your system so that applicable controls automatically populate a test plan.
- Automatically inherit details from the cloud provider about how their services are configured to satisfy applicable controls – You don’t need to be an expert on how to securely configure cloud services. Cloud providers have this information. You just need a way to automatically inherit this information from the cloud provider.
- Automatically test services to ensure they are configured in a known-secure and compliant manner – You don’t need to be an expert in security testing. Configuration data collected from your cloud accounts can be mapped to the relevant controls so that the tests run automatically.
- Automatically re-validate over time that services remain secure and compliant – Specify how frequently you want certain tests to be re-run in an automated fashion for continuous monitoring purposes.
- Automatically generate regulatory documents/reports – You don’t need a large staff producing reports to satisfy auditors and regulators. The body of evidence you collect automatically should be used to generate any required reports and documentation.
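To make the loop in the list above concrete (inventory, control determination, test plan, testing with retained evidence, re-validation, and a roll-up report), here is a small worked example. It is added for illustration and is not Xacta code or any Telos implementation. The inventory is constructed, the checks are simplified, and the NIST SP 800-53 control identifiers (SC-28, AC-3, CP-9, SI-2, PE-3) are used as an assumed mapping between each check and the control it supports; a real tool would pull the inventory from the cloud account and the inherited-control details from the provider’s own attestation package.

```python
# Added example (not Telos/Xacta code): a minimal version of the
# inventory -> control selection -> test -> evidence -> report loop.
# Control IDs are NIST SP 800-53 labels used as an assumed mapping.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Check:
    control: str                   # control identifier (assumed mapping)
    title: str
    applies_to: frozenset          # resource types the check is relevant to
    test: Callable[[dict], bool]   # returns True when the resource passes


# Constructed inventory, the kind an automated account scan would produce.
INVENTORY = [
    {"id": "bucket-logs", "type": "object_storage", "encrypted": True,  "public": False},
    {"id": "bucket-www",  "type": "object_storage", "encrypted": False, "public": True},
    {"id": "db-main",     "type": "database",       "encrypted": True,  "public": False, "backups": True},
    {"id": "vm-bastion",  "type": "compute",        "patched": False},
]

# Simplified checks; each one is tied to the control it provides evidence for.
CHECKS = [
    Check("SC-28", "data encrypted at rest",      frozenset({"object_storage", "database"}), lambda r: r["encrypted"]),
    Check("AC-3",  "no anonymous public access",  frozenset({"object_storage", "database"}), lambda r: not r["public"]),
    Check("CP-9",  "backups enabled",             frozenset({"database"}),                   lambda r: r["backups"]),
    Check("SI-2",  "patches current",             frozenset({"compute"}),                    lambda r: r["patched"]),
]

# Controls the provider satisfies for everything hosted on it (assumed here;
# a real tool would inherit these from the provider's attestation package).
INHERITED = {"PE-3": "physical access control (provider data centre)"}


def applicable_controls(inventory):
    """Control determination: which controls apply, given the resource types present."""
    types = {r["type"] for r in inventory}
    return {c.control for c in CHECKS if c.applies_to & types} | set(INHERITED)


def build_test_plan(inventory):
    """Test plan: one (resource, check) pair per applicable check."""
    return [(r, c) for r in inventory for c in CHECKS if r["type"] in c.applies_to]


def run_tests(inventory):
    """Execute the plan, keeping the resource state as evidence beside each result."""
    return [
        {"resource": r["id"], "control": c.control, "title": c.title,
         "passed": bool(c.test(r)), "evidence": dict(r)}
        for r, c in build_test_plan(inventory)
    ]


def report(findings):
    """Per-control roll-up for an auditor: a control passes only if every resource
    it applies to passes; inherited controls are reported as inherited."""
    status = {}
    for f in findings:
        status[f["control"]] = status.get(f["control"], True) and f["passed"]
    out = {ctrl: ("pass" if ok else "fail") for ctrl, ok in status.items()}
    out.update({ctrl: "inherited" for ctrl in INHERITED})
    return out


def drift(previous, current):
    """Continuous monitoring: tests that passed on the last run and fail now."""
    was_ok = {(f["resource"], f["control"]) for f in previous if f["passed"]}
    return sorted((f["resource"], f["control"]) for f in current
                  if not f["passed"] and (f["resource"], f["control"]) in was_ok)


if __name__ == "__main__":
    first = run_tests(INVENTORY)
    print(report(first))
    # Simulate a configuration change between two scheduled runs.
    changed = [dict(r, encrypted=False) if r["id"] == "db-main" else r for r in INVENTORY]
    print(drift(first, run_tests(changed)))
```

The point of keeping the evidence dictionary with each finding is that the report can be regenerated, and challenged by an auditor, from the same data the test actually saw; the `drift` function is the continuous-monitoring piece, showing which previously passing checks regressed between two scheduled runs.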
These are just a few high-level examples of the automation capabilities that helped the CIA and Amazon Web Services (AWS) rapidly establish and maintain secure and compliant cloud environments that are driving cloud adoption across the intelligence community. Organizations around the world are also using these capabilities to help simplify their own cloud security and compliance activities.
With the accuracy, time saved, and consistency you get from security and compliance automation, organizations are more confident in their ability to deploy and manage workloads. And, certainly, more confident in their ability to do so in the cloud. Automation is truly driving cloud adoption.
Telos CEO John Wood blogs about business, education, and the values that guide us.