Can you share any best practices for managing compliance risks in a hybrid-cloud environment?

738 views, 3 comments
Director of Information Security, 4 months ago

Implementing a CNAPP and using a shift-left strategy are both necessary and, from a compliance standpoint, adopting a zero-trust model is also critical. This ensures that every user is properly authenticated and authorized, allowing for effective compliance monitoring. Robust identity and access management (IAM) tools are vital for managing access to cloud environments and conducting regular reviews. Automation in policy management is also key, enabling automatic management of cloud policies, data encryption, and protection. Collaboration among security, compliance, and IT teams is essential to maintain secure environments and address compliance needs, including third-party risk management.

Information Security Manager, 4 months ago

I would emphasize the importance of a secure-by-design approach. This involves examining the architectural schematics and blueprint of cloud solutions, whether they are vendor-hosted or self-managed. In many enterprises, there's often a challenge with managing already deployed cloud workloads. It's crucial to maintain visibility and ensure that new solutions or additions to the environment undergo thorough architectural reviews. This ensures the right baselines are established, which then supports continuous monitoring after deployment.

Field CISO in IT Services, 4 months ago

Implementing a cloud-native application protection platform (CNAPP) is a fundamental step to manage compliance risks. This is comparable to having a firewall in your on-premises environment. In a cloud environment, a CNAPP is essential not only for compliance but also for general security. It helps prevent misconfigurations and provides compliance benchmarks, which are excellent for continuous monitoring of your settings to ensure they remain compliant and avoid configuration drift.
