Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
8/25/2017
09:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Continuous Compliance and Effective Audit Preparation for the Cloud

Why audits are a necessary evil, and how they can actually help you improve your brand value.

Unless you spent your childhood with actuarial tables as a best friend, you probably don't like the word "audit." It conjures notions of paperwork and checklists and deadlines, and just a general swirl of annoying action items. What's even worse, is that it suggests the idea that someone suspects you did something wrong, and they're going to watch over you until you can prove you can do it right. It's like an adult version of after-school detention.

For companies that operate in the cloud, audits are used to ensure that companies adhere to rules and commonly accepted best practices. We use cloud security compliance standards to define what these practices are, how enterprises can function with them, and how they can provide a roadmap for better business operations. Standards like NIST 800-53 and NIST 800-171 are required for organizations to do business with the federal government. HIPAA sets the framework for working with privileged and personal health data, and PCI compliance is demanded for organizations doing digital payments. Comply and you can operate at the pleasure of standards organizations. Be out of compliance and your "license" to operate is revoked.

Ideally, an enterprise complies with the requirements of the standards they need/want to adhere to, and then their business functions more securely, more efficiently, and the governing bodies give their everlasting blessing. It would be nice if it were that simple, but that's never how compliance works. New servers are inserted into the IT environment, application updates are deployed, unrelated specs are mandated on top of other specs. With each change to your cloud and its component pieces, your enterprise risks missing something that will likely take it out of compliance. There are hundreds of lines of controls in the NIST 800-53 compliance spreadsheet, and each of those controls has a set of corresponding instructions. If just one of those conditions is not met properly, you're unfortunately out of compliance.

This is clearly a lot to manage, especially when your business needs to remain compliant in the midst of constant business and technology change. To add to your burden, you have to deal with audits that check to see if you’re compliant now, if your processes are optimized to meet compliance standards, and if you've been out of compliance and what, if any, repercussions might have come from that. I've met many auditors, and while generally a pleasant group, they can strike fear into an organization that doesn't fully know what's going on in their cloud infrastructure.

When audited, you will be required to furnish comprehensive reports that detail your compliance and security adherence. Ultimately, the auditor is acting in the interests of the data and the owners of that data. They want to see if that data, or the assets that touch it, have been compromised. There are a lot of records you’ll have to compile and analyze in order to deliver what the auditors request. A Plan of Action and Milestone Template (POAM) will be created which will guide you, under the direction of the auditors, back to a state of compliance.

The idea of manually maintaining a compliant state for your cloud, and being able to keep detailed reports of it over time is a massive undertaking. Beyond just the sheer amount of work it would take to constantly check all the layers of your cloud stack and compare them with compliance controls, there's also the opportunity cost. Managing compliance distracts a highly skilled part of your IT team from performing more business-critical functions.

Two things need to happen if you truly want to be in control of compliance management and be prepared for audits:

  1. You need a tool that can continuously monitor the entirety of your cloud environment;
  2. You need to automate compliance assessment to determine where there might be failures and risks.

Some solutions will deploy agents within your infrastructure - avoid that because it will just give you more to manage. An agent-less, cloud-native solution will work continuously on your behalf and according to the requirements of compliance standards when your data is in AWS, Azure, or any public cloud. You can then use your time more effectively in creating remediation processes that can also be triggered with a cloud-based monitoring and risk assessment solution.

Audits are necessary and actually help you improve your brand value. When validated to operate under specific standards, they open new business potential for your enterprise and increases your potential audience. The actual work of being audited, however, is a pain in the neck unless you've used a cloud monitoring solution that helps you avoid compliance issues and track all your compliance and security activity. When you've done that, your audits still won't be fun, but they'll be a lot less painless and your organization will avoid unnecessary interruption.

 

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
8/28/2017 | 4:19:01 PM
Re: ISO 27001
Dr.T: It's also a component referenced in the NIST Cybersecurity Framework at various layers.

The problem, of course, is that so few people know what it actually, er, says...because of its proprietary nature. :/
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/28/2017 | 4:17:53 PM
Re: Tools
@Dr.T: Interesting. Can you share a bit more about your experience w/ TripWire -- your use cases, etc.?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:38:54 PM
ISO 27001
ISO 27001 is one of the international standards as an information security management system that certifies organizations adhering to proper security rules and commonly accepted best practices.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:34:36 PM
Re: Tools
"There are a lot of good tools out there" One of them is Tripwire I had experience with, good security intelligence tool.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:33:37 PM
Re: Tools
"Most organizations still operate manually in this regard." Good point. Most of these operations are mainly manual for many companies.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:31:59 PM
Re: Very useful article about Cloud Audit preparation
I agree, it is a good paper providing good information.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:31:18 PM
Continuous auditing
Continuous compliance requires continuous auditing, that can only be achieved with the proper tools.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/27/2017 | 9:43:59 AM
Tools
There are a lot of good tools out there (if used properly and if their limits are understood) for maintaining compliance with IT/security policies. Relatively few tools, alas, exist for data governance frameworks or global legal compliance frameworks. Most organizations still operate manually in this regard.
TechnologiesHive
100%
0%
TechnologiesHive,
User Rank: Apprentice
8/25/2017 | 11:04:37 AM
Very useful article about Cloud Audit preparation
Thanks for very deatiled post regarding effective audit preparation, was a good read!
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Why Password Management and Security Strategies Fall Short
Steve Zurier, Freelance Writer,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6260
PUBLISHED: 2018-11-13
NVIDIA graphics driver contains a vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. Local user access is required. This is not a network or remote attack vector.
CVE-2018-16850
PUBLISHED: 2018-11-13
postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.
CVE-2018-17187
PUBLISHED: 2018-11-13
The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options...
CVE-2018-1792
PUBLISHED: 2018-11-13
IBM WebSphere MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, 9.0.1 through 9.0.5, and 9.1.0.0 could allow a local user to inject code that could be executed with root privileges. IBM X-Force ID: 148947.
CVE-2018-1808
PUBLISHED: 2018-11-13
IBM WebSphere Commerce 9.0.0.0 through 9.0.0.6 could allow some server-side code injection due to inadequate input control. IBM X-Force ID: 149828.