Page 55 - FCW, March/April 2018

COMPLIANCE CHALLENGES
PRODUCED BY: SPONSORED BY:
GAME CHANGING TECHNOLOGY TO MEET AGENCY MISSIONS

THE CHALLENGE OF CONTINUOUS COMPLIANCE

Cutting-edge technologies help government agencies stay ahead of compliance.

Agencies are doing a lot these days to increase efficiency and productivity, save money, improve citizen services, and boost reliability and security. Achieving these goals means adopting modern methods and technologies, such as virtualization, cloud computing, and containers.

Virtualization, for example, saves space and provides the flexibility to simultaneously run several, potentially different, operating systems on the same hardware. This lets IT staff test new configurations and systems quickly without consuming all available resources. It can also help streamline policy enforcement.

Cloud computing is another game changer for government agencies. The benefits of moving workloads to the cloud are well known: elastic scalability, flexibility, always-on availability, and frequently better security than local servers. Using cloud resources can also help enforce regulatory compliance, because cloud hosting providers working with the government must comply with strict security requirements and processes. Cloud service providers also have more skilled personnel to meet their 24x7x365 SLAs.

Containerization takes efficiency and independence a step further. This technology packages an entire run-time environment (applications, libraries, configuration files, and the operating system's user space; the kernel itself is shared with the host) into a container within a cloud environment. Virtualization gives independence from specific hardware versions, and containers give independence from specific versions of operating systems. Developers can test applications quickly. Containers can be spun up almost instantly and be split into modules or microservices.

While these are transformational technologies, they can also present challenges when it comes to meeting requirements such as NIST SP 800-53 rev 4, NIST SP 800-171, FedRAMP, FISMA, PCI DSS, HIPAA, and CJIS. Many of these technologies aren't fully compliant out of the box, or may fall out of compliance over time as systems are patched and upgraded.

One example is NIST SP 800-53 rev 4. Virtualization may support some of the catalog's controls but falls short on others without some form of remediation. Take account management (AC-2) and the controls that work alongside it. A virtualization platform typically supports only single-factor authentication out of the box, while SP 800-53 requires multifactor authentication for privileged access (IA-2). By default, the platform ships with a single shared root account protected by a default password, and every operation runs with administrative privileges. SP 800-53 requires that default authenticators be changed at installation (IA-5), that accounts be individually assigned and managed so actions can be attributed to a person (AC-2), and that privileges be limited to what the intended use of the system requires (AC-6, least privilege) rather than granting full administrative rights for all operations.

The goal, says Hemma Prafullchandra, CTO of HyTrust, is to find a way to ensure all systems work well together while remaining compliant. "It's about automating as much as possible, taking advantage of built-in APIs, leveraging insights from existing security tools, and making sure everything works across all technologies in the environment, all while ensuring consistency and continuous compliance," she says.

The best way to achieve these goals is to rely on a single solution that can achieve and maintain applicable controls and compliance requirements. HyTrust's cloud security policy framework (CloudSPF) ensures workloads (virtual machines and containers) in private, hybrid, and public clouds remain consistently compliant. It does this by continuously monitoring and enforcing security processes that bridge gaps between the technology itself and regulatory requirements. It can also conduct initial discovery of compliance-sensitive data, which must be continually monitored to ensure all controls are appropriately applied.

Agencies can be confident their virtualized and/or containerized workloads will remain compliant with automated enforcement of:

• Least privilege access and separation of duties for all administrative changes, including secondary approvals,
• Customized configuration hardening of cloud infrastructure and workloads on a pre-defined schedule,
• Tightly defined boundaries of where the workloads can operate,
• Prevention of unauthorized creation and replication of the workloads, and
• Encryption and decryption of the workloads at rest.

HyTrust's solutions give agencies the flexibility to achieve compliance during their transformational journey. "It's all about continuous visibility and automated enforcement of security controls, which is the best way, by far, to maintain compliance," says Prafullchandra.

For more information, visit HyTrust.com
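The account-management shortcomings described above (a shared root account, a default password, single-factor authentication, and administrative privileges for every operation) are the kind of thing an agency can check for itself before a platform goes into production. The following Python script is an added example, not part of this article and not HyTrust's code; the account records, role names, duty names and operation vocabulary are constructed for illustration and do not reflect any vendor's real schema. It maps each shortcoming to the SP 800-53 control that governs it and, for the least-privilege check, computes which granted operations exceed what the account's assigned duties actually need, rather than simply flagging the word "administrator".

```python
"""Added example (not from the article or HyTrust): audit a constructed
virtualization-platform account inventory against the NIST SP 800-53 rev 4
points raised in the text. All role, duty and operation names are made up."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed role model: the operations each role may perform.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "administrator": frozenset({"vm.create", "vm.clone", "vm.power",
                                "host.config", "user.manage", "datastore.write"}),
    "vm-operator": frozenset({"vm.create", "vm.clone", "vm.power"}),
    "read-only": frozenset(),
}

# Constructed mapping from an assigned duty to the operations it actually needs.
DUTY_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "restart-workloads": frozenset({"vm.power"}),
    "provision-workloads": frozenset({"vm.create", "vm.clone", "datastore.write"}),
    "manage-identities": frozenset({"user.manage"}),
    "configure-hosts": frozenset({"host.config"}),
    "audit": frozenset(),
}

# Operations whose holders count as privileged users for the MFA check (IA-2(1)).
PRIVILEGED_OPERATIONS: FrozenSet[str] = frozenset({"host.config", "user.manage", "vm.create"})


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    duties: FrozenSet[str]
    mfa_enabled: bool
    password_is_default: bool
    shared: bool  # credential known to more than one person


Finding = Tuple[str, str, str]  # (account name, control, detail)


def required_permissions(duties: FrozenSet[str]) -> FrozenSet[str]:
    """Operations an account genuinely needs, derived from its duties (AC-6 baseline)."""
    needed = set()
    for duty in duties:
        needed |= DUTY_PERMISSIONS[duty]
    return frozenset(needed)


def is_privileged(account: Account) -> bool:
    """An account is privileged if its role grants any privileged operation."""
    return bool(ROLE_PERMISSIONS[account.role] & PRIVILEGED_OPERATIONS)


def evaluate(accounts: List[Account]) -> List[Finding]:
    """Return one finding per violated control per account; an empty list means compliant."""
    findings: List[Finding] = []
    for acct in accounts:
        granted = ROLE_PERMISSIONS[acct.role]
        if acct.shared:
            findings.append((acct.name, "AC-2",
                             "shared credential: actions cannot be attributed to an individual"))
        if acct.password_is_default:
            findings.append((acct.name, "IA-5", "default password has not been changed"))
        if is_privileged(acct) and not acct.mfa_enabled:
            findings.append((acct.name, "IA-2(1)",
                             "privileged account without multifactor authentication"))
        excess = granted - required_permissions(acct.duties)
        if excess:
            findings.append((acct.name, "AC-6",
                             "role grants operations the assigned duties do not need: "
                             + ", ".join(sorted(excess))))
    return findings


def is_compliant(accounts: List[Account]) -> bool:
    return not evaluate(accounts)


# Constructed "out of the box" state: one shared root account, default password,
# full administrative rights, used only to restart workloads.
DEFAULT_INVENTORY: List[Account] = [
    Account("root", "administrator", frozenset({"restart-workloads"}),
            mfa_enabled=False, password_is_default=True, shared=True),
]

# Constructed remediated state: named accounts, MFA on privileged roles,
# each role matched to the holder's duties.
HARDENED_INVENTORY: List[Account] = [
    Account("alice.admin", "administrator",
            frozenset({"configure-hosts", "manage-identities",
                       "provision-workloads", "restart-workloads"}),
            mfa_enabled=True, password_is_default=False, shared=False),
    Account("bob.ops", "vm-operator",
            frozenset({"provision-workloads", "restart-workloads"}),
            mfa_enabled=True, password_is_default=False, shared=False),
    Account("carol.audit", "read-only", frozenset({"audit"}),
            mfa_enabled=False, password_is_default=False, shared=False),
]

if __name__ == "__main__":
    for name, control, detail in evaluate(DEFAULT_INVENTORY):
        print(f"{name}: {control}: {detail}")
    print("hardened inventory compliant:", is_compliant(HARDENED_INVENTORY))
```

Run against the constructed default inventory, the script reports four findings for the single root account (AC-2, IA-5, IA-2(1) and AC-6, the last listing the five operations the account holds but never uses); the remediated inventory produces none. In a real deployment the `Account` records would be populated from the platform's user and role API, and the duty-to-operation mapping is the part worth agreeing on with the system owner, because that mapping is what turns "least privilege" from a slogan into something measurable.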